How to fix ACL issue on Assigned to

Supriya25
Tera Guru

Hi All,

As per my system setup, the Group and Assigned to fields are non-mandatory. There is no dependency between 'Assigned to' and 'Assignment group'; we designed it like that. If I select a value in the Assigned to field, the Assignment group automatically becomes empty. (We are good here, no issue.)

Use case: an INC is assigned to the ITIL group. As an ITIL user, after I reassign the INC to a non-ITIL user, the 'Assigned to' field should be read-only to all ITIL group members.

To control the Assigned To field I have designed the ACL below.
PROBLEM: The ACL code below is causing the problem. Currently the INC is assigned to the ITIL group; as an ITIL user, when I try to reassign it to a non-ITIL/non-admin user, the system does not accept the new value in Assigned To and does not save it. It always stays with the group value. How do I fix it?
ACL:
Write, Admins Override
Advanced = true
Script:

var assignee = false;

// Is the user being set in Assigned to a member of the ITIL User group?
var gr = new GlideRecord('sys_user_grmember');
gr.addEncodedQuery('group.name=ITIL User');
gr.addQuery('user', current.assigned_to);
gr.query();
if (gr.getRowCount() > 0) {
    assignee = true;
}

if (gs.hasRole('admin') || gs.hasRole('sn_hr_core.admin')) {
    answer = true;
} else if (assignee || gs.getUser().isMemberOf(current.assignment_group.name.toString())) {
    if (gs.hasRole('itil')) {
        answer = true;
    }
} else {
    answer = false;
}

 
If I adjust the else if condition as below, the new value is accepted in the Assigned To field:
if (assignee || gs.getUser().isMemberOf(current.assignment_group.name.toString()) || gs.hasRole('itil')) {
    answer = true;
}
but after the record is updated, the 'Assigned To' field becomes editable to ITIL users. We don't want that; after updating the INC with a non-ITIL user the field should be read-only for ITIL users.

Please let me know how I can fix this ACL code.




Ankur Bawiskar
Tera Patron

@Supriya25 

try this script

(function() {
    // Always allow admins
    if (gs.hasRole('admin') || gs.hasRole('sn_hr_core.admin')) {
        answer = true;
        return;
    }

    // Get user being set as Assigned To (could be 'current' before update or 'previous' after)
    var userSysId = current.assigned_to;
    if (!userSysId) {
        answer = false;
        return;
    }

    // Is the assigned_to user an ITIL user?
    var isAssignedToITIL = false;
    var gr = new GlideRecord('sys_user_grmember');
    gr.addEncodedQuery('group.name=ITIL User');
    gr.addQuery('user', userSysId);
    gr.query();
    if (gr.hasNext()) {
        isAssignedToITIL = true;
    }

    // On update, allow *if previously assigned_to was ITIL and user is ITIL
    var prevAssignedToITIL = false;
    if (previous && previous.assigned_to) {
        var prevGr = new GlideRecord('sys_user_grmember');
        prevGr.addEncodedQuery('group.name=ITIL User');
        prevGr.addQuery('user', previous.assigned_to);
        prevGr.query();
        if (prevGr.hasNext()) {
            prevAssignedToITIL = true;
        }
    }

    // Validation logic
    if (isAssignedToITIL) {
        // If "Assigned To" is currently ITIL, allow ITIL users to edit
        answer = gs.hasRole('itil');
    } else {
        // "Assigned To" is not ITIL:
        // 1. Allow the ITIL user to do the update if the previous value was an ITIL user (i.e., they're making the transition)
        // 2. Make it read-only after assignment
        answer = prevAssignedToITIL && gs.hasRole('itil') && previous.assigned_to != current.assigned_to;
    }
})();

Points:

-> admins can always write

-> If the field is being set to a non-ITIL user, only allow ITIL users to do this change if the previous value was ITIL (so it's a transition)

-> Once the field is set to a non-ITIL user, ITIL users lose write permission, so it becomes read-only for them.

Steps to test:

-> Assign incident to a non-ITIL user as an ITIL member; after update, try editing again—it should be read-only.

-> Adjust "group.name" in the queries as needed to match your ITIL group name.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
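The decision rule in the reply above, traced as an added example that is not ServiceNow code and not from the thread: the constructed membership and role tables stand in for sys_user_grmember, gs.hasRole() and current/previous, and the scenario replays the question's use case step by step.

```javascript
// Added model of the reply's ACL decision rule, not ServiceNow code: the
// tables below stand in for sys_user_grmember, gs.hasRole() and
// current/previous, so the rule can be traced offline.
const ITIL_GROUP = 'ITIL User';

// Constructed sample users: group memberships and roles.
const memberships = {
  alice: ['ITIL User'], // ITIL analyst
  bob:   ['ITIL User'], // second ITIL analyst
  carol: ['HR'],        // non-ITIL user
  dave:  ['admin'],     // administrator
};
const roles = {
  alice: ['itil'],
  bob:   ['itil'],
  carol: [],
  dave:  ['admin', 'itil'],
};

const isMember = (user, group) => (memberships[user] || []).includes(group);
const hasRole  = (user, role)  => (roles[user] || []).includes(role);

// May `actor` write assigned_to, taking it from prevAssignee to newAssignee?
// prevAssignee === newAssignee models the form-load check, where current is
// the stored record and the write ACL decides whether the field is read-only.
function canWriteAssignedTo(actor, prevAssignee, newAssignee) {
  if (hasRole(actor, 'admin')) return true;    // admins always write
  if (!newAssignee) return false;              // empty target: deny
  if (isMember(newAssignee, ITIL_GROUP)) {
    return hasRole(actor, 'itil');             // ITIL target: any ITIL user
  }
  // Non-ITIL target: only an ITIL user moving it away from an ITIL assignee
  const prevIsItil = Boolean(prevAssignee) && isMember(prevAssignee, ITIL_GROUP);
  return prevIsItil && hasRole(actor, 'itil') && prevAssignee !== newAssignee;
}

// The use case from the question, step by step: [actor, previous, new].
function runScenario() {
  const steps = [
    ['alice', 'bob',   'carol'], // ITIL user hands the INC to an HR user
    ['alice', 'carol', 'carol'], // same ITIL user reopens the form afterwards
    ['alice', 'carol', 'bob'],   // ITIL user tries to pull it back to ITIL
    ['dave',  'carol', 'bob'],   // admin override
  ];
  return steps.map(([actor, prev, next]) => canWriteAssignedTo(actor, prev, next));
}
```

Step 2 is what makes the field read-only for ITIL users once a non-ITIL assignee is stored; step 3 shows the rule still grants the write when a value naming an ITIL member reaches the ACL, so whether that path matters depends on how writes arrive (form, list edit, API).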

Hi @Ankur Bawiskar ,

Thanks for helping here.

My ACL code didn't allow me to update the record with a non-ITIL user. Kindly let me know whether the code above will allow me to update the INC with a new (non-ITIL) value.

Let me know where we are verifying non-ITIL users and allowing the update operation in the part above.

@Supriya25 

did you update the code and then test the different scenarios?

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

1. Task assigned to the "ITIL USER" group.

(function() {
    // Always allow admins
    if (gs.hasRole('admin') || gs.hasRole('sn_hr_core.admin')) {
        answer = true;
        return;
    }

    // Get user being set as Assigned To (could be 'current' before update or 'previous' after)
    var userSysId = current.assigned_to;
    if (!userSysId) {
        answer = false;
        return;
    }

    // Is the assigned_to user an ITIL user?
    var isAssignedToITIL = false;
    var gr = new GlideRecord('sys_user_grmember');
    gr.addEncodedQuery('group.name=ITIL User');
    gr.addQuery('user', userSysId);
    gr.query();
    if (gr.hasNext()) {
        isAssignedToITIL = true;
    }

    // Is the logged-in user a member of ITIL User, admin or HR?
    var Loginuser = false;
    var gr2 = new GlideRecord('sys_user_grmember');
    gr2.addEncodedQuery('group.name=ITIL User^ORgroup.name=admin^ORgroup.name=HR');
    gr2.addQuery('user', gs.getUserID()); // must be called; passing the function itself never matches a user
    gr2.query();
    if (gr2.hasNext()) {
        Loginuser = true;
    }

    // Validation logic
    if (current.category == "HR" && (isAssignedToITIL || Loginuser)) {
        answer = true;
    } else {
        answer = false;
    }
})();

I can't take the ITIL role in particular; that's why I set answer=true in the validation instead of:

gs.hasRole('itil');

 
The logged-in user is an HR group user; he is unable to assign the task to non-admin, non-HR, non-ITIL users.

The ACL is not accepting the record update.

2. I'm unable to access "Assigned To"; it always shows as read-only. I'm unable to assign the task to anyone, even to my teammates.

var userSysId = current.assigned_to;
    if (!userSysId) {
        answer = false;
        return;
    }