How to fix ACL issue on Assigned to
4 weeks ago
Hi All,
As per my system setup, the Group and Assigned to fields are non-mandatory. There is no dependency between 'Assigned to' and 'Assignment group'; it was designed like that. If I select a value in the Assigned to field, the assignment group automatically becomes empty. (We are good here, no issue.)
Use case: INC assigned to the ITIL group. As an ITIL user, after I reassign the INC to a non-ITIL user, the 'Assigned to' field should be read-only to all ITIL group members.
To control the Assigned To field I have designed the ACL below.
PROBLEM: The ACL code below is causing the problem. Currently the INC has been assigned to the ITIL group; as an ITIL user, when I try to reassign it to a non-ITIL/non-admin user, the system is not accepting the new value in Assigned To and is not saving the new value in the Assigned to field. It always stays with the group value. How do I fix it?
ACL:
Write, Admins Override
Advanced = true
Script:
var assignee = false;
// Is the user being written into assigned_to a member of the ITIL User group?
var gr = new GlideRecord('sys_user_grmember');
gr.addEncodedQuery('group.name=ITIL User');
gr.addQuery('user', current.assigned_to);
gr.query(); // the query has to run before getRowCount() can return a count
if (gr.getRowCount() > 0) {
    assignee = true;
}
if (gs.hasRole('admin') || gs.hasRole('sn_hr_core.admin')) {
    answer = true;
} else if (assignee || gs.getUser().isMemberOf(current.assignment_group.name.toString())) {
    if (gs.hasRole('itil')) {
        answer = true;
    }
} else {
    answer = false;
}
If I adjust the else-if condition like below, the new value gets accepted in the Assigned To field:
if (assignee || gs.getUser().isMemberOf(current.assignment_group.name.toString()) || gs.hasRole('itil')) {
    answer = true;
}
But after the record is updated, the 'Assigned To' field becomes editable to ITIL users. We don't want that; after updating the INC with a non-ITIL user, the field should be read-only for ITIL users.
Please let me know how I can fix this ACL code.
4 weeks ago
try this script
(function() {
    // Always allow admins
    if (gs.hasRole('admin') || gs.hasRole('sn_hr_core.admin')) {
        answer = true;
        return;
    }
    // Get user being set as Assigned To (could be 'current' before update or 'previous' after)
    var userSysId = current.assigned_to;
    if (!userSysId) {
        answer = false;
        return;
    }
    // Is the assigned_to user an ITIL user?
    var isAssignedToITIL = false;
    var gr = new GlideRecord('sys_user_grmember');
    gr.addEncodedQuery('group.name=ITIL User');
    gr.addQuery('user', userSysId);
    gr.query();
    if (gr.hasNext()) {
        isAssignedToITIL = true;
    }
    // On update, allow if the previous assigned_to was ITIL and the user is ITIL
    var prevAssignedToITIL = false;
    if (previous && previous.assigned_to) {
        var prevGr = new GlideRecord('sys_user_grmember');
        prevGr.addEncodedQuery('group.name=ITIL User');
        prevGr.addQuery('user', previous.assigned_to);
        prevGr.query();
        if (prevGr.hasNext()) {
            prevAssignedToITIL = true;
        }
    }
    // Validation logic
    if (isAssignedToITIL) {
        // If "Assigned To" is currently ITIL, allow ITIL users to edit
        answer = gs.hasRole('itil');
    } else {
        // "Assigned To" is not ITIL:
        // 1. Allow the ITIL user to do the update if the previous value was an ITIL user (i.e., they're making the transition)
        // 2. Make it read-only after assignment
        answer = prevAssignedToITIL && gs.hasRole('itil') && previous.assigned_to != current.assigned_to;
    }
})();
Points:
-> admins can always write
-> If the field is being set to a non-ITIL user, only allow ITIL users to do this change if the previous value was ITIL (so it's a transition)
-> Once the field is set to a non-ITIL user, ITIL users lose write permission, so it becomes read-only for them.
Steps to test:
-> Assign incident to a non-ITIL user as an ITIL member; after update, try editing again—it should be read-only.
-> Adjust "group.name" in the queries as needed to match your ITIL group name.
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
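The decision rule in the answer above (and the behaviour the original post asks for: ITIL users may move an ITIL assignee to a non-ITIL user, but the field is then read-only for them) can be checked offline before touching the instance. The following is an added example, not code from the thread or from ServiceNow: it restates the answer's write ACL as a pure function over a plain context object and a constructed group-membership table, replacing `gs`, `current`, `previous` and `GlideRecord`, which are platform objects that do not exist outside the instance. The user ids alice, bob, carol, dave and erin and the group contents are constructed for the test.

```javascript
// Added example: an offline model of the write ACL on assigned_to.
// Assumption: the Glide objects are replaced by a plain "ctx" object and the
// sys_user_grmember table by GROUP_MEMBERS; this is a test harness, not the
// platform API.

// Constructed membership table standing in for sys_user_grmember.
const GROUP_MEMBERS = {
  'ITIL User': new Set(['alice', 'bob']),
  'HR': new Set(['carol']),
};

function isMemberOf(userId, groupName) {
  const members = GROUP_MEMBERS[groupName];
  return Boolean(members && members.has(userId));
}

// ctx = {
//   roles:              Set of role names held by the logged-in user
//   currentAssignedTo:  value being written to assigned_to ('' or null if empty)
//   previousAssignedTo: value stored before this update (null on insert)
// }
// Returns the ACL's "answer" for that write.
function canWriteAssignedTo(ctx) {
  // Always allow admins.
  if (ctx.roles.has('admin') || ctx.roles.has('sn_hr_core.admin')) return true;

  // No assignee being set: deny (mirrors the answer's early return).
  if (!ctx.currentAssignedTo) return false;

  const isAssignedToITIL = isMemberOf(ctx.currentAssignedTo, 'ITIL User');
  const prevAssignedToITIL = Boolean(ctx.previousAssignedTo) &&
    isMemberOf(ctx.previousAssignedTo, 'ITIL User');

  if (isAssignedToITIL) {
    // Field points at an ITIL user: ITIL users may edit it.
    return ctx.roles.has('itil');
  }
  // Field points at a non-ITIL user: only the transition away from an ITIL
  // assignee is allowed, and only for ITIL users. Once stored, the same check
  // evaluates to false for ITIL users, which is what makes the field read-only.
  return prevAssignedToITIL && ctx.roles.has('itil') &&
    ctx.previousAssignedTo !== ctx.currentAssignedTo;
}

// The scenarios discussed in the thread, in order; returns each decision.
function runScenarios() {
  const itil = new Set(['itil']);
  return {
    // admin touching a record already assigned to a non-ITIL user
    adminAlways: canWriteAssignedTo({ roles: new Set(['admin']), currentAssignedTo: 'dave', previousAssignedTo: 'dave' }),
    // ITIL user moves the ticket between two ITIL users
    itilToItil: canWriteAssignedTo({ roles: itil, currentAssignedTo: 'bob', previousAssignedTo: 'alice' }),
    // ITIL user hands the ticket to a non-ITIL user (the transition)
    itilToNonItil: canWriteAssignedTo({ roles: itil, currentAssignedTo: 'dave', previousAssignedTo: 'alice' }),
    // same ITIL user reopens the form afterwards: field must be read-only
    afterNonItil: canWriteAssignedTo({ roles: itil, currentAssignedTo: 'dave', previousAssignedTo: 'dave' }),
    // ITIL user tries to move a non-ITIL assignee to another non-ITIL user
    nonItilToNonItil: canWriteAssignedTo({ roles: itil, currentAssignedTo: 'erin', previousAssignedTo: 'dave' }),
    // ITIL user tries to clear the field
    emptyAssignee: canWriteAssignedTo({ roles: itil, currentAssignedTo: '', previousAssignedTo: 'alice' }),
  };
}

module.exports = { canWriteAssignedTo, runScenarios, isMemberOf };
```

Two consequences of the rule are visible in the last two scenarios and are worth deciding on deliberately: an ITIL user can never reassign a ticket that already sits with a non-ITIL user (not even to another non-ITIL user), and an ITIL user cannot clear the field at all. Both are denied by the same branch that produces the intended read-only behaviour, so if either is unwanted it needs its own explicit condition rather than a relaxation of the transition check.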
4 weeks ago - last edited 4 weeks ago
Hi @Ankur Bawiskar,
Thanks for helping here.
My ACL code didn't allow me to update the record with a non-ITIL user. Kindly let me know: will the above code allow me to update the INC with the new (non-ITIL) value?
Let me know where we are verifying non-ITIL users and allowing the update operation in the above part.
4 weeks ago
Did you update the code and then test the different scenarios?
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
4 weeks ago - last edited 4 weeks ago
1. Task assigned to the "ITIL USER" group.
(function() {
    // Always allow admins
    if (gs.hasRole('admin') || gs.hasRole('sn_hr_core.admin')) {
        answer = true;
        return;
    }
    // Get user being set as Assigned To (could be 'current' before update or 'previous' after)
    var userSysId = current.assigned_to;
    if (!userSysId) {
        answer = false;
        return;
    }
    // Is the assigned_to user an ITIL user?
    var isAssignedToITIL = false;
    var gr = new GlideRecord('sys_user_grmember');
    gr.addEncodedQuery('group.name=ITIL User');
    gr.addQuery('user', userSysId);
    gr.query();
    if (gr.hasNext()) {
        isAssignedToITIL = true;
    }
    // Is the logged-in user a member of the ITIL User, admin or HR group?
    var Loginuser = false;
    var gr2 = new GlideRecord('sys_user_grmember');
    gr2.addEncodedQuery('group.name=ITIL User^ORgroup.name=admin^ORgroup.name=HR');
    gr2.addQuery('user', gs.getUserID()); // getUserID() must be called; without the parentheses the function itself is passed, not the sys_id
    gr2.query();
    if (gr2.hasNext()) {
        Loginuser = true;
    }
    // Validation logic
    if (current.category == "HR" && (isAssignedToITIL || Loginuser)) {
        answer = true;
    } else {
        answer = false;
    }
})();
I can't take the ITIL role in particular; that's why I used answer=true in the validation instead of:
gs.hasRole('itil');
The logged-in user is an HR group user; he is unable to assign the task to non-admin, non-HR, non-ITIL users.
The ACL is not accepting the record update.
2. I'm unable to access "Assigned To"; it is always showing as read-only. I'm unable to assign the task to anyone, even to my teammates.
var userSysId = current.assigned_to; if (!userSysId) { answer = false; return; }