Help with ACL script to know if this is the right approach?

Snehal13
Kilo Sage

Here is my approach for the ACL scripts, as below:

Allow read for records in sc_task, if the ACL script returns true.
- Table sc_req_item + ACL script: answer = gs.getUser().isMemberOf(current.request_item.universal_request.assignment_group);

Allow read access for comments in sc_req_item for approvers.
- Table sc_req_item + field comments + Role "approver_user" + ACL script: answer = current.approvers.indexOf(gs.getUserID()) >= 0

Allow read for records in sc_req_item, if the ACL script returns true.
- Table sc_req_item + ACL script: answer = current.request.requested_for == gs.getUserID()

Allows read access to the RITM for sc_task approvers.
- Table sc_req_item + Role "approver_user" + ACL script: answer = (current.approvers.indexOf(gs.getUserID()) > -1);


tim753milne
Giga Contributor

Hello,

Your ACL logic is mostly correct. Here are quick improvements:

sc_task ACL

// A GlideElement object is always truthy, so test nil() rather than the element itself
var group = current.request_item.universal_request.assignment_group;
answer = !group.nil() && gs.getUser().isMemberOf(group.toString());

sc_req_item.comments ACL for approvers

var gr = new GlideRecord('sc_req_item_approver');
gr.addQuery('request_item', current.sys_id);
gr.addQuery('approver', gs.getUserID());
gr.query();
answer = gr.hasNext();

sc_req_item ACL if user is requested_for

// Compare the field value as a string, not the GlideElement object
answer = !current.request.nil() && current.request.requested_for.toString() == gs.getUserID();

RITM read access for approvers

(Same as #2 above)

Best regards,

Tim

Don't want usage of GlideRecord anywhere in the ACL script.

@tim753milne

One quick query: if I move the existing ACL script logic (having the GlideRecord logic to query) to a script include and let the ACL script call this script include, will SN execute the script include logic under the ACL context or under the script include context?

The whole point of my requirement is to ensure that the SN health scan report does not flag ACLs that have an ACL script using GlideRecord/GlideAggregate, as it is not a recommended best practice.

Community Alums
Not applicable

Please try this:

// 1. sc_task read - user is a member of the request item's universal request assignment group
// Note: a GlideElement is always truthy, so use nil() to guard against empty references
!current.request_item.nil() && !current.request_item.universal_request.nil() &&
gs.getUser().isMemberOf(current.request_item.universal_request.assignment_group.toString());

// 2. sc_req_item comments read - user is in approvers (comma-separated string of sys_ids)
// GlideElement has no split(): convert to a string first, then match whole entries rather than substrings
!current.approvers.nil() && current.approvers.toString().split(',').indexOf(gs.getUserID()) >= 0;

// 3. sc_req_item read - requested_for is the current user
!current.request.nil() && !current.request.requested_for.nil() &&
current.request.requested_for.toString() == gs.getUserID();

// 4. sc_req_item read for approvers role - same membership test as #2
!current.approvers.nil() && current.approvers.toString().split(',').indexOf(gs.getUserID()) > -1;
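As an added example that is not part of this thread and is not ServiceNow's own code: the four checks above written as plain functions, with constructed stand-ins for `gs`, `current` and GlideElement so they can be run and unit-tested with Node outside the platform. The helper names (`makeElement`, `makeRecord`, `makeGs`, `sampleRitm`, `sampleTask`) and the sys_ids `u1`, `g1`, `ritm1` and so on are assumptions made for the example; the platform behaviour being modelled is only `GlideElement.toString()`/`nil()`, `GlideRecord.getValue()`, `gs.getUserID()` and `gs.getUser().isMemberOf()`. None of the checks issues a GlideRecord query, in line with the requirement stated earlier in the thread.

```javascript
// Added example, not code from the thread. Constructed stubs model the parts of
// the ServiceNow API the ACL checks touch; sys_ids below are made-up sample values.

// Stand-in for a GlideElement. Like the real one it is an object, so it is always
// truthy even when the field is empty: `current.field && ...` is not a guard.
function makeElement(value, refFields) {
  var str = (value === null || value === undefined) ? '' : String(value);
  var el = {
    toString: function () { return str; },
    nil: function () { return str === ''; }
  };
  if (refFields) {                 // reference field: expose the dot-walked fields
    Object.keys(refFields).forEach(function (k) { el[k] = refFields[k]; });
  }
  return el;
}

// Stand-in for a GlideRecord. A nested object models a reference target so that
// dot-walking such as current.request.requested_for works; getValue() returns
// null for an empty field, as the platform does.
function makeRecord(fields) {
  var rec = {};
  Object.keys(fields).forEach(function (name) {
    var v = fields[name];
    rec[name] = (v && typeof v === 'object')
      ? makeElement(v.sys_id, makeRecord(v))
      : makeElement(v);
  });
  rec.getValue = function (name) {
    return (rec[name] && !rec[name].nil()) ? rec[name].toString() : null;
  };
  return rec;
}

// Stand-in for the gs global: a fixed caller id and the group sys_ids that caller
// belongs to (the real isMemberOf also accepts a group name; the stub does not).
function makeGs(userId, groupIds) {
  return {
    getUserID: function () { return userId; },
    getUser: function () {
      return { isMemberOf: function (g) { return groupIds.indexOf(String(g)) !== -1; } };
    }
  };
}

// 1. sc_task read: caller is a member of the request item's universal request
//    assignment group. An empty reference is denied rather than passed to isMemberOf.
function taskReadCheck(current, gs) {
  var group = current.request_item.universal_request.assignment_group;
  if (group.nil()) return false;
  return gs.getUser().isMemberOf(group.toString());
}

// 2 and 4. Approver read: exact membership in the comma-separated approvers list,
//    not a substring match on the joined string. getValue() is null when empty.
function approverCheck(current, gs) {
  var approvers = current.getValue('approvers');
  if (!approvers) return false;
  return approvers.split(',').indexOf(gs.getUserID()) !== -1;
}

// 3. sc_req_item read: requested_for on the parent request is the caller.
function requestedForCheck(current, gs) {
  var requestedFor = current.request.requested_for;
  return !requestedFor.nil() && requestedFor.toString() === gs.getUserID();
}

// Shows why nil() is used above: an empty element still passes a `&&` guard.
function guardPassesOnEmpty(current) {
  return !!current.approvers;            // true even when approvers is ''
}

// Constructed sample records for the checks above.
function sampleRitm(approvers) {
  return makeRecord({
    sys_id: 'ritm1',
    approvers: approvers,
    request: { sys_id: 'req1', requested_for: 'u3' }
  });
}
function sampleTask(groupId) {
  return makeRecord({
    sys_id: 'task1',
    request_item: { sys_id: 'ritm1',
                    universal_request: { sys_id: 'ur1', assignment_group: groupId } }
  });
}

var caller = makeGs('u1', ['g1']);
console.log('task read    :', taskReadCheck(sampleTask('g1'), caller));          // true
console.log('approver     :', approverCheck(sampleRitm('u1,u2'), caller));       // true
console.log('requested_for:', requestedForCheck(sampleRitm('u1,u2'), caller));   // false
console.log('empty guard  :', guardPassesOnEmpty(sampleRitm('')));               // true
```

Each function returns the boolean the ACL would assign to `answer`; keeping the logic in functions like these (or in a script include that takes `current` and the user id) lets the access rules be tested with a few records before they are placed in an ACL, where a mistake either over-exposes records or locks legitimate users out.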