
How to configure ACLs so users can see tickets created by other users in Service Portal?

patricklatella
Mega Sage

Hi all,

I'm working on a customer service portal, and in the portal I need to allow non-roled users to see a widget called "My company's incidents", and then for them to be able to see all the records on the incident table that have the "company" field set to their company, regardless of who created it.  Is this possible?  The query I have on the widget is correct, but when impersonating users I cannot see the records created by other users.  Anyone know how to do this?

1 ACCEPTED SOLUTION

DScroggins
Kilo Sage
Hi Patrick, You can modify the before query business rule "incident query" on the incident table. You can adjust the script to allow users to see the records according to whatever requirements you have. Currently only users who are the caller or opened by can see the incidents if they don't have roles. Once you modify the BR then the incident record will show in portal.

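One way the modified before-query rule described in the accepted solution could look, as an added example that is not the poster's or ServiceNow's own script. The rule body is wrapped in a function so it runs outside an instance; `fakeSession`, `fakeQuery`, `visibleTo` and the sample rows are constructed stand-ins, and the empty-company guard is an assumption about what the customer would want.

```javascript
// Body of a before-query business rule on incident, written as a function.
// On an instance the platform supplies `current` and `gs`.
function restrictIncidentQuery(current, gs) {
  if (gs.hasRole('itil') || !gs.isInteractive()) return; // no row filter for roled users or jobs
  var u = gs.getUserID();
  var qc = current.addQuery('caller_id', u);
  qc.addOrCondition('opened_by', u);
  var company = gs.getUser().getCompanyID();
  // Guard: an empty company would otherwise match every incident with no company set.
  if (company) qc.addOrCondition('company', company);
}

// Constructed stand-ins (hypothetical): only the calls the rule above makes.
function fakeSession(userId, companyId, roles) {
  return {
    hasRole: function (r) { return roles.indexOf(r) !== -1; },
    isInteractive: function () { return true; },
    getUserID: function () { return userId; },
    getUser: function () { return { getCompanyID: function () { return companyId; } }; }
  };
}
function fakeQuery() {
  var ors = []; // one OR group, as built by addQuery(...).addOrCondition(...)
  var qc = { addOrCondition: function (f, v) { ors.push([f, v]); return qc; } };
  return {
    addQuery: function (f, v) { ors.push([f, v]); return qc; },
    matches: function (rec) {
      return ors.length === 0 || ors.some(function (c) { return rec[c[0]] === c[1]; });
    }
  };
}

// Constructed sample rows.
var INCIDENTS = [
  { number: 'INC001', caller_id: 'alice', opened_by: 'alice', company: 'acme' },
  { number: 'INC002', caller_id: 'bob', opened_by: 'bob', company: 'acme' },
  { number: 'INC003', caller_id: 'carol', opened_by: 'carol', company: 'globex' },
  { number: 'INC004', caller_id: 'dave', opened_by: 'dave', company: '' }
];

// Numbers of the incidents the given user would get back from a query.
function visibleTo(userId, companyId, roles) {
  var q = fakeQuery();
  restrictIncidentQuery(q, fakeSession(userId, companyId, roles));
  return INCIDENTS.filter(q.matches).map(function (r) { return r.number; });
}
```

A before-query rule only filters which rows are returned; read and write ACLs on the table and its fields still apply to whatever rows pass the filter.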

21 REPLIES

Hi David,

Thanks again for your input on this. OK, so to clarify, if we allow NON-roled users from our customer organizations to add a comment to a ticket in our customer facing service portal, that they did NOT raise (i.e. they are not the caller nor the "opened by")...this would mean that that NON-roled user from the customer organization would need a licence?

My understanding is that yes, if the user has no roles and they were not the ones who opened the incident, then they cannot comment on said incident. Only roled users or those who opened the incident can comment.

OK, thanks David very much for that update.

Hi David, sorry one more question...doesn't being on the watch list for an incident give a non-roled user the ability to comment on a ticket?

Community Alums
Not applicable

Hi Patrick, 

I don't think a before query rule is a great way to show or hide incidents from other ITIL users due to some of the side effects. You will eventually find that the 'before query' business rule runs before an existing 'before update' business rule is applied and this will cause you unexpected knock-ons. If there's a security issue where some ITIL users should be able to see the content of other incidents, I think you're best off with ACLs. You could combine the ACLs with appropriate filters on all of the modules those users can access so the incidents they don't have access to see don't show in the list anyway. You could also consider setting the security against specific fields in the incidents. Maybe instead of securing the entire record you could secure the comments, work notes, and description fields.

What are your non-roled users, specific ITIL/licensed users? 

There are a couple of options to make filtering more powerful/dynamic:
https://docs.servicenow.com/bundle/london-platform-user-interface/page/use/using-lists/task/t_Script...
https://docs.servicenow.com/bundle/london-platform-user-interface/page/use/using-lists/task/t_Dynami...

PS. If you aren't assigning any ITIL role (non licensed), I agree with Paul: you should get in contact with your account manager to verify if you aren't breaching any clause; you could get in trouble if/when you are audited.