Business rule or ACL to restrict access to certain records in the CMDB based on the company attribute
‎05-16-2018 01:40 PM
Hi,
I have a requirement to create a business rule or ACL to restrict access to certain records in the CMDB based on the company attribute (custom field added) of the group that the user belongs to. In certain scenarios, a user can be a member of multiple groups, so the user should be able to see items for all the groups where the company attribute matches. CMDB items are associated with a company from the core_company table. I started with a script to get the group membership of the current user and tried to get the company attribute, but I can't get it working. I would like to know if this can be achieved with custom scripts and, if so, does anyone have an example of how this can be done?
‎05-16-2018 09:46 PM
Hi Rcp,
The best way to achieve this is a query business rule and not an ACL.
If you use an ACL, then this kind of message will be shown to the user: "Security constraint restricts records".
Use a business rule.
Mark Correct if this solves your issue and also hit Like and Helpful if you find my response worthy based on the impact.
Thanks
Ankur
‎05-17-2018 05:24 PM
Thanks, Ankur! Based on what I read, a business rule was the way to go, but I wanted to know if anyone had done this already and had a query that I could reuse with little modification :). I ended up writing it myself, and here's the script that I used for my business rule.
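    // Query business rule: users outside 'SN Admins' only see CIs whose company
    // matches the u_company of at least one group they belong to.
    if (!gs.getUser().isMemberOf('SN Admins')) {
        var cmp = [];
        var myGroups = new GlideRecord('sys_user_grmember');
        // Match on the user's sys_id; display names are not guaranteed to be unique.
        myGroups.addQuery('user', gs.getUserID());
        myGroups.query();
        while (myGroups.next()) {
            gs.print(myGroups.getValue('group')); // debug output
            var grp = new GlideRecord('sys_user_group');
            if (grp.get(myGroups.getValue('group'))) {
                var company = grp.getValue('u_company');
                gs.print(company); // debug output
                if (company) {
                    // Store the sys_id string, not the GlideElement object.
                    cmp.push(company);
                }
            }
        }
        // Restrict the query to the collected companies.
        current.addQuery('company', 'IN', cmp.join(','));
    }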