How to Control Record Access

chanikya
Kilo Sage

4 hours ago

Hi All,
Kindly let me know how can I fix this issue.

we have Total 17 Lakhs records in Incident table.


Direct Incident assignees: 1  see&access Incidents where they are directly assigned to Incident .
2. Get access to incidents where complex checkbox =false(regardless of assignment) , but should not get access to incidents where Complex=true.
Task assignees see the Incidents(regardless of complex values) only which Incident has Task & that tasks assigned on his name. (here No complex filed limit here)
Admins and ITIL users see everything.


Query Business Rule :  I'm not sure where I'm doing Wrong, some times table not loading when I impersonate with test user. some times he is losing accesss on all incidents, some times he is getting access to all incident .

(function executeRule(current, previous /*null when async*/ ) {


    // 🔹 Helper: Get group list from system property
    function getAccessGroupList() {
        var prop = gs.getProperty('incident.access.groups ', '');
        return prop.split(',').map(function(name) {
            return name.trim();
        });
    }

    function isUserInGroups(groupNames) {
        var agg = new GlideAggregate('sys_user_grmember');
        agg.addQuery('user', gs.getUserID());
        agg.addQuery('group.name', 'IN', groupNames.join(','));
        agg.addAggregate('COUNT');
        agg.query();
        return agg.next() && parseInt(agg.getAggregate('COUNT')) > 0;
    }

    if (gs.getUser().hasRole('admin') || gs.getUser().hasRole('itil')) {
        return;
    } else if (isUserInGroups(getAccessGroupList())) {

        var userId = gs.getUserID();
        var visibleIncidentIds = [];

        // 🔹 2. Incidents with tasks assigned to the user
        var taskGR = new GlideRecord('ticket');
        taskGR.addQuery('assigned_to', userId);
        taskGR.query();
        while (taskGR.next()) {
            var incidentId = taskGR.getValue('parent');
            if (incidentId && visibleIncidentIds.indexOf(incidentId) === -1) {
                visibleIncidentIds.push(incidentId);
            }
        }

        if (visibleIncidentIds.length > 0) {
            var encodedQuery = 'sys_idIN' + visibleIncidentIds.join(',') +
                       '^NQassigned_to=' + userId +
                       '^opened_by=' + userId +
                       '^u_complex=false';
    current.addEncodedQuery(encodedQuery);
        } else {
            var qc = current.addQuery('assigned_to', userId);
            qc.addOrCondition('opened_by', userId);
            current.addQuery('u_complex', false);
        }
    }

})(current, previous);




kindly help me 


0 Helpfuls
  • 232 Views
2 REPLIES 2

kaushal_snow
Mega Sage

2 hours ago

Hi @chanikya ,

 

It seems your Business Rule is not consistently applying the intended access controls when impersonating test users. This could be due to several factors, such as ACLs on the Incident or Group tables, or the impersonation session not retaining the necessary user context.

 

>> Verify ACLs: Ensure that both the Incident and Group tables have the appropriate ACLs configured. Use the Security Debugger to impersonate the test user and identify any access issues.

>> Impersonation Context: When impersonating, the system may not apply the same context as the original user. Consider using gs.getSession().impersonate('sys_id') in your Business Rule to simulate the user's session accurately.

 

>> Business Rule Execution Context: If the Business Rule is set to run asynchronously, it might not execute with the correct user context. Try setting the Business Rule to run synchronously or use GlideImpersonate to enforce the correct user context...

 

If you found my response helpful, please mark it as ‘Accept as Solution’ and ‘Helpful’. This helps other community members find the right answer more easily and supports the community.

 

Thanks and Regards,
Kaushal Kumar Jha - ServiceNow Consultant - Lets connect on Linkedin: https://www.linkedin.com/in/kaushalkrjha/
0 Helpfuls

chanikya
Kilo Sage
In response to kaushal_snow

48m ago

Hi,

my request here is 

must check curretn incident has Task record ot not. if current incident has task and it assigned on my name them must allow me to access to Incident record.

must check if current incident doesn't not have any task record , incident rax1=true adn rax2=false & incident assigned to my frined- I should not Access incident.

must cehck curretn incident has Task record ot not. if current incident has task and it assigned to different user then must not allow me to access to Incident record.

0 Helpfuls