How to fix ACL issue on Assigned to

Supriya25 · ‎08-10-2025

Hi All,

as per my system setup Group and assigned to fields non-mandatory. No dependency between 'Assigned to' and Assignment group' designed it like that. if I select value in assigned to field automatically assignment group will become empty. ( WE are good here, no issue).

Use case : INC assigned to ITIL Group , as a ITIL user after I reassign INC to non-itil user 'assigned to' field should be read-only ti all ITILgroup members..

To control AssignedTo field I have designed below ACL.
PROBLEM : Below ACL code causing the problem. currently INC has been assigned to ITIL group , as a ITIL user when I tried to reassign to non-ITIL/Non admin user system not accepting new value in AssignedTo, not saving new value in Assigned to Field. always staying with group value. How to fix it. ?
ACL :
Write , Admins Override
Advanced=true
script :

var assignee = false;

var gr = new GlideRecord('sys_user_grmember');
gr.addEncodedQuery('group.name='ITIL User');
gr.addquery('user', current.assigned_to);
if(gr.getRowCount()>0){
assignee=true;
}

if(gs.hasRole('admin') || gs.hasRole('sn_hr_core.admin')){
answer=true;
}else if(assignee || gs.getUser().isMemberOf(current.assignment_group.name.toString()){
     if( gs.hasRole('itil) ){
            answer=true;
         }
}
else{
answer=false;
}

if I adjust else If condition like below new value getting accepted in AssigndTo field
if(assignee || gs.getUser().isMemberOf(current.assignment_group.name.toString() || gs.hasRole('itil)){
answer=true;
}
but after record updating, 'Assigned To' field is becoming editable to ITIL users. we don't want that. after updating INC with non-iti user field should be readonly for itil users.

Please let me know how can I fix this ACL code.

Ankur Bawiskar · ‎08-10-2025

@Supriya25

try this script

(function() {
    // Always allow admins
    if (gs.hasRole('admin') || gs.hasRole('sn_hr_core.admin')) {
        answer = true;
        return;
    }

    // Get user being set as Assigned To (could be 'current' before update or 'previous' after)
    var userSysId = current.assigned_to;
    if (!userSysId) {
        answer = false;
        return;
    }

    // Is the assigned_to user an ITIL user?
    var isAssignedToITIL = false;
    var gr = new GlideRecord('sys_user_grmember');
    gr.addEncodedQuery('group.name=ITIL User');
    gr.addQuery('user', userSysId);
    gr.query();
    if (gr.hasNext()) {
        isAssignedToITIL = true;
    }

    // On update, allow *if previously assigned_to was ITIL and user is ITIL
    var prevAssignedToITIL = false;
    if (previous && previous.assigned_to) {
        var prevGr = new GlideRecord('sys_user_grmember');
        prevGr.addEncodedQuery('group.name=ITIL User');
        prevGr.addQuery('user', previous.assigned_to);
        prevGr.query();
        if (prevGr.hasNext()) {
            prevAssignedToITIL = true;
        }
    }

    // Validation logic
    if (isAssignedToITIL) {
        // If "Assigned To" is currently ITIL, allow ITIL users to edit
        answer = gs.hasRole('itil');
    } else {
        // "Assigned To" is not ITIL:
        // 1. Allow the ITIL user to do the update if the previous value was an ITIL user (i.e., they're making the transition)
        // 2. Make it read-only after assignment
        answer = prevAssignedToITIL && gs.hasRole('itil') && previous.assigned_to != current.assigned_to;
    }
})();

Points:

-> admins can always write

-> If the field is being set to a non-ITIL user, only allow ITIL users to do this change if the previous value was ITIL (so it's a transition)

-> Once the field is set to a non-ITIL user, ITIL users lose write permission, so it becomes read-only for them.

Steps to test:

-> Assign incident to a non-ITIL user as an ITIL member; after update, try editing again—it should be read-only.

-> Adjust "group.name" in the queries as needed to match your ITIL group name.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

Supriya25 · ‎08-10-2025

Hi @Ankur Bawiskar ,

Thanks for helping here.

my ACL code didn't allowed me to update record with non-itil user . kindly let me know will above this code allow me to update the INC with new value(non-itil ) ?

let me know where we verifying non-itil users & allowing update operation in the above part.

Ankur Bawiskar · ‎08-10-2025

@Supriya25

did you update the code and then test the different scenarios?

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

Supriya25 · ‎08-11-2025

1 . task assigned to "ITIL USER" group.

(function() {
    // Always allow admins
    if (gs.hasRole('admin') || gs.hasRole('sn_hr_core.admin')) {
        answer = true;
        return;
    }

    // Get user being set as Assigned To (could be 'current' before update or 'previous' after)
    var userSysId = current.assigned_to;
    if (!userSysId) {
        answer = false;
        return;
    }

    // Is the assigned_to user an ITIL user?
    var isAssignedToITIL = false;
    var gr = new GlideRecord('sys_user_grmember');
    gr.addEncodedQuery('group.name=ITIL User');
    gr.addQuery('user', userSysId);
    gr.query();
    if (gr.hasNext()) {
        isAssignedToITIL = true;
    }

var Loginuser = false;
    var gr2 = new GlideRecord('sys_user_grmember');
    gr2.addEncodedQuery('group.name=ITIL User^ORgroup.name=admin^ORgroup.name=HR');
    gr2.addQuery('user', gs.getUserID);
    gr2.query();
    if (gr2.hasNext()) {
        Loginuser = true;
    }


    // Validation logic
    if (current.category=="HR" && (isAssignedToITIL || Loginuser) ) {
        answer=true;
    } else {
       answer=false;
        }
})();

I can't take ITIL role particularly that's what I took answer=true in validation.

gs.hasRole('itil');

Logged-in user is HR group user, he is unable to assign task to Non-admin,non-hr, non-util users.

ACL not accepting record updation.

2. I'm unable to accessing "AssignTo" always showing in readonly. unable to assign task to anyone. even to my teammates also.

var userSysId = current.assigned_to;
    if (!userSysId) {
        answer = false;
        return;
    }