Hi,

1-> You can use a query BRule that executes before the database query is made to prevent from accessing certain records

Write BRule on ('incident') table --- When before-query

Example Script:-

This example prevents users from accessing incident records unless they have the ITIL role are listed in the caller or Opened by field . So, for ex, when self-service users open a list of incidents, they can only see the incidents they submitted.

if(!gs.hasRole("itil")&& gs.isInteractive()){
  var u = gs.getUserID();
  var qc = current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list","CONTAINS", u);
  gs.print("query restricted to user: "+ u);}

Or You can refer the Service Now Docs as well.

https://docs.servicenow.com/bundle/geneva-servicenow-platform/page/script/useful_scripts/concept/c_E...

2-> So a before update business rule that goes something like with a condition of current.workflow_state.changes():

if (current.workflow_state == 'draft' || current.workflow_state == 'retired' ) {

current.u_access_group = current.assignment_group + '';

}

if (current.workflow_state == 'review') {

current.u_access_group = current.u_reviewer_group + ',' + current.assignment_group; //I made up the name of your other field and assuming the the assignment group is also able to see the knowledge article

}

else {

current.u_access_group = '';

}

Following that, I'd then create a before query business rule with the condition of !current.u_access_group.nil():

var gr = new GlideRecord('sys_user_grmember');

var grps = [];

gr.addQuery('user',gs.getUserID());

gr.query();

while(gr.next())

{

grps.push(gr.group + '');

var qc = '';

if (grps.length > 0) {

qc = current.addQuery('u_access_group', 'CONTAINS', grps[0];

}

for (var i = 1; i < grps.length; i++) {

qc.addOrCondition('u_access_group', 'CONTAINS', grps[i]);

}

**Please mark reply as Helpful/Correct, if applicable. Thanks!**