Before query BR: how to restrict record access on parent table?

Tarik_H
Giga Contributor

Hi,

Hopefully a fresh look at this by someone else than me can help me move in the right direction.

Let's start with the business requirement; restrict access to all Incidents and Questions that are assigned to certain assignment groups - to users with a specific role (=the assignment group members).

Incident and Question both extend the Task table.

I've opted for the before-query business rule path rather than restricting the records using ACLs. My ACL proof-of-concept turned bad really quickly.

Since I'm pretty new to the before-query business rule I've done some research which ended up in a business rule on my Questions table, like this;

// If user is not a hr agent and if the session is an actual user session
if (!gs.hasRole('hr_agent') && gs.getSession().isInteractive()) {
    // Display records that are NOT assigned to a HR Confidentiality- group or that I've created for me or someone else
    var user = gs.getUserID();
    current.addEncodedQuery('assignment_group.u_hr_confidentiality=false^ORu_reported_for=' + user + '^ORu_reported_by=' + user + '^ORopened_by=' + user);
}

This works just fine.

However, the records are "partially" restricted considering their corresponding rows can be viewed from the Task table. Choosing to open the record would render the "Record not found"-message. Now you could argue that everything works as it should - and it does - but I do need to make sure that access to the records is entirely restricted, i.e. not display the corresponding rows on the Task table.

Putting the business rule on the Task table instead has consequences for other task-types than Incident and Question. I tried different ways to get this to work, for instance by using current.getTableName() to restrict the rule to the task-types of interest (Incident and Question) but no luck there. Preferably I would like one business rule on the Task table instead of two separate on Incident and Question but it makes for more trouble than good in this case.

Based on the above, does anyone have a suggestion on how to proceed?

I need to make sure that the records cannot be viewed in their entirety and ACLs are not an option based on the early efforts I made.

Thanks in advance!

14 REPLIES

You can do the check for table in the condition builder.

You can do a lot of stuff in ServiceNow without coding.

//Göran


Hi Göran,

Unfortunately it seems as if the condition builder does not work when creating a before-query BR.


How do you mean? As you can see in my screenshot, it's a before-query BR.


//Göran


liv_cp
Giga Contributor

It will allow you to add conditions to the before-query BR but that does not mean that they will execute properly. As explained in my previous post, before-query BRs cannot assess records on an individual basis hence you don't have access to 'current' for individual records - this means you can't say 'run the business rule if the current record has a task type of incident' because the BR runs BEFORE the records are pulled back from the database.


liv_cp
Giga Contributor

This is a helpful explanation:



"You can't use record-specific details as in a query business rule you did not retrieve any records. However, current.getTableName() seems to access an attribute that is defined in the query itself and is not record specific."