Hi,

On sever side script include, you could just write below line to check if caller is member of particular group or not.

gs.getUser().getUserByID(callerID).isMemberOf("Your group name/group sys_id");

Let me know if you have any further queries.

Please mark this as Correct or Helpful if it helps.

Thanks and Regards,
Abhijit

Hey,

you got the point! The validation of the group membership is missing and the only thing that will be checked is, that the user is member of at least one group. Due the fact that "sys_user_grmember" is some kind of a mapping table, you need to add the particular group.

Updated client script for "onSubmit"

- add a parameter for the group

function onSubmit() {
    // getting caller flied value.

    var callerID = g_form.getValue('u_caller');
    var groupID = "sys_id"; // insert matching sys_id of group or add a referenced field like 'u_group'

    //pass this valu to sever side  and check weather this caller is member of 'code team developmet'
    var ga = new GlideAjax('CallerGroupValidation');
    ga.addParam('sysparm_name', 'validateCaller'); // map to suitable function of class
    ga.addParam('sysparm_callerid', callerID); // add parameter for caller as sys_id
    ga.addParam('sysparm_groupid', groupID); // add parameter for group as sys_id
    ga.getXML(updateCampus);
}

function updateCampus(response) {
    var answer = response.responseXML.documentElement.getAttribute("answer");

    if (answer) {
        g_form.addInfoMessage('caller is member of code team developmet group');
    } else {
        g_form.addErrorMessage('caller is not  member of code team developmet group');
        return false;
    }

}

Updated script include

- load and store the group

- add the group to the query

var CallerGroupValidation = Class.create();
CallerGroupValidation.prototype = Object.extendsObject(AbstractAjaxProcessor, {
validateCaller: function(){
		var callerId = this.getParameter('sysparm_callerid');
		var groupId = this.getParameter('sysparm_groupid');
		
		var gr = new GlideRecord('sys_user_grmember');
		gr.addQuery('user', callerId); // if user equals callerId
		gr.addQuery('group', groupId); // and if group equals groupId
		gr.query();
		if(gr.getRowCount() == 1){
			return true;
		} else {
			return false;
		}
	},
    type: 'CallerGroupValidation'
});

Now the scripts check if a record with matching user and group exists.

But... I think this is some kind of over-engineered due the fact, that the goal is to achieve a prohibited create or write action. In my understanding of OOB mechanism inside ServiceNow a role in combination with a security rule would suite and scale much better.

Let's assume the following:

table is "u_development_task"

role is "development_write"

user is "Abel Tuter"

group is "Developer"

I would suggest to add a custom user role like "development_write" and assign this role to the group "Developer". After that create a security rule to the table and setup it up like:

Choose operation as "write", table as "u_development_task" and add role "development_write". That's it.

Verification for "Abel Tuter" without being member of "Developer":

The record is and all fields are read only and the "Update" UI action is missing.

Verification for "Abel Tuter" being member of "Developer":

The record is and all fields are writable and the "Update" UI action is useable.

Conclusion: If you use a combination of role, group and security role, the maintenance is limited to assign the role to the required group(s) or user(s). In my opinion it's much better than calling a (more or less static) client script to call a script include using AJAX.

Bump!