
Help with ACL script to know if this is the right approach?

Snehal13
Kilo Sage

Here is my approach for the ACL scripts as below -

Allow read for records in sc_task, if the ACL script returns true.
- Table sc_req_item + ACL script answer = gs.getUser().isMemberOf(current.request_item.universal_request.assignment_group);

Allow read access for comments in sc_req_item for approvers.
- Table sc_req_item + field comments + Role "approver_user" + ACL script answer = current.approvers.indexOf(gs.getUserID()) >= 0

Allow read for records in sc_req_item, if the ACL script returns true.
- Table sc_req_item + ACL script answer = current.request.requested_for == gs.getUserID()

Allow read access to the RITM for sc_task approvers.
- Table sc_req_item + Role "approver_user" + ACL script answer = (current.approvers.indexOf(gs.getUserID()) > -1);


tim753milne
Giga Contributor

Hello,


Your ACL logic is mostly correct. Here are quick improvements:

1. sc_task ACL

// Read the group once; answer is false when the reference is empty
var group = current.request_item.universal_request.assignment_group;
answer = group && gs.getUser().isMemberOf(group.toString());

2. sc_req_item.comments ACL for approvers

// Look for an approver record that links this RITM to the current user
var gr = new GlideRecord('sc_req_item_approver');
gr.addQuery('request_item', current.sys_id);
gr.addQuery('approver', gs.getUserID());
gr.query();
answer = gr.hasNext();

3. sc_req_item ACL if user is requested_for

// Guard the request reference before comparing requested_for
answer = current.request && current.request.requested_for == gs.getUserID();

4. RITM read access for approvers

(Same as #2 above)

Best Regards,

Tim

Don't want usage of GlideRecord anywhere in the ACL script.

@tim753milne 

One quick query - if I move the existing ACL script logic (having the GlideRecord logic to query) to a script include and let the ACL script call this script include, will SN execute the script include logic under the ACL context or under the script include context?

The whole point of my requirement is to ensure that the SN health scan report does not flag ACLs that have an ACL script using GlideRecord/GlideAggregate, as it is not a recommended best practice.

Community Alums
Not applicable

Please try this:

// 1. sc_task read - user is a member of the request item's assignment group
answer = current.request_item && current.request_item.universal_request &&
    gs.getUser().isMemberOf(current.request_item.universal_request.assignment_group);

// 2. sc_req_item comments read - user is in approvers (comma-separated string)
answer = current.approvers && current.approvers.split(',').indexOf(gs.getUserID()) >= 0;

// 3. sc_req_item read - requested_for is the current user
answer = current.request && current.request.requested_for &&
    current.request.requested_for.toString() == gs.getUserID();

// 4. sc_req_item read for the approvers role
answer = current.approvers && current.approvers.split(',').indexOf(gs.getUserID()) > -1;
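As an added example (not code from this thread or from ServiceNow), here are the three checks the replies converge on, written as plain functions with the null guards the replies suggest and no GlideRecord, exercised against a constructed stand-in for gs and current so they can be run outside the platform. The shapes of gs and current, and the sample sys_id values, are assumptions made for the example.

```javascript
// Constructed stand-in for ServiceNow's gs (assumption: only getUserID and
// getUser().isMemberOf are needed; isMemberOf accepts a group sys_id string).
function makeGs(userId, groupSysIds) {
  return {
    getUserID: function () { return userId; },
    getUser: function () {
      return {
        isMemberOf: function (g) {
          return g != null && groupSysIds.indexOf(String(g)) >= 0;
        }
      };
    }
  };
}

// sc_task read: member of request_item.universal_request.assignment_group.
// Each dot-walk is guarded so an empty reference yields false, not an error.
function isAssignmentGroupMember(gs, current) {
  var ri = current.request_item;
  var ur = ri && ri.universal_request;
  var group = ur && ur.assignment_group;
  return !!(group && gs.getUser().isMemberOf(group));
}

// sc_req_item comments / RITM read: approvers is a comma-separated list of
// sys_ids, so split it and compare whole values instead of a substring match.
function isApprover(gs, current) {
  var list = current.approvers ? String(current.approvers).split(',') : [];
  return list.indexOf(gs.getUserID()) >= 0;
}

// sc_req_item read: request.requested_for is the current user.
function isRequestedFor(gs, current) {
  var req = current.request;
  return !!(req && req.requested_for && String(req.requested_for) === gs.getUserID());
}

// The unguarded sc_task check from the original post, kept for comparison:
// it throws when request_item is empty instead of returning false.
function naiveGroupCheck(gs, current) {
  return gs.getUser().isMemberOf(current.request_item.universal_request.assignment_group);
}

// In the ACL script itself each check would be assigned to answer, e.g.
//   answer = isApprover(gs, current);
```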