How to give a group the ability to read-only all incidents, sctasks, and demands
08-05-2025 10:10 AM
Hello everyone,
I have an interesting request from a group (let's call them 1234group).
This group wants to be able to read-only all incidents, sctask, and demands that are not assigned to them.
They do not want to edit any of these records, just read-only, while still having the ability to work on their own records.
Does anyone have any recommendation on how to achieve this?
If you do, please give an example that shows step-by-step instructions. At least this would give me some idea.
Thanks!
a month ago - last edited a month ago
Hi @r2024
The most robust and recommended way to control access to records in ServiceNow is through Access Control Lists (ACLs). ACLs define what a user can do with a specific record or field. They are evaluated in a specific order:
To achieve your goal for "1234group," you'll need to create a combination of ACLs:
* Read-Only ACLs for Records Not Assigned to Them: You'll create a new role and an ACL that grants read access to incidents, sctasks, and demands where the assigned_to field is not the current user. This will be a high-level ACL that provides the read-only access.
a month ago
Hi @r2024 ,
So for this you can create an ACL on the incident or sctask table:
Operation: Read,
Select the incident table
In Requires role you can enter a specific role that has been assigned to every member of the group.
Write ACL: Ability to work on their own records, meaning they can edit/update the record
Operation: Write
Select the table
Advanced: Script
(function () {
    // Edit allowed if:
    // - user is member of the record's assignment group, OR
    // - user is the assignee (optional ownership rule),
    var user = gs.getUser();
    if (!user.isMemberOf('1234group')) { answer = false; return; }
    var inAssigneeGroup = current.assignment_group && user.isMemberOf(current.assignment_group);
    var isAssignee = current.assigned_to == user.getID();
    answer = !!(inAssigneeGroup || isAssignee);
})();
This makes all other records effectively read-only to 1234group members; their own assigned records remain editable. Community patterns rely on isMemberOf against current.assignment_group for ownership checks.
You can do the same with sctask or any other tables.
Refer to the below post
Before making any changes, please check whether this can be done with existing ACLs, roles, or group users.
There is an 'sn_incident_read' role; assign it to that group and check whether the users are able to view the records or not. Then you can assign this role to your group with no need to create any ACLs. Try it out.
Thanks,
Bhimashankar H
-------------------------------------------------------------------------------------------------
If my response points you in the right direction, please consider marking it as 'Helpful' & 'Correct'. Thanks!
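
An added example, not part of the original answers: a Node.js harness that models the write-ACL script above together with the platform rule that access is granted when any one ACL matching the table and operation passes. It shows that a 1234group member who also passes another write ACL can still edit records assigned to others. makeUser, the record objects, and every role or group name except 1234group are constructed stand-ins, not ServiceNow objects.

```javascript
// Constructed stand-in for gs.getUser(); only getID(), isMemberOf() and
// hasRole() are mimicked. Groups are identified by name here for brevity.
function makeUser(id, groups, roles) {
  return {
    getID: () => id,
    isMemberOf: (g) => groups.includes(String(g)),
    hasRole: (r) => roles.includes(r),
  };
}

// The write-ACL script from the answer above, as a pure function.
function ownRecordsOnly(user, current) {
  if (!user.isMemberOf('1234group')) return false;
  const inGroup = !!current.assignment_group && user.isMemberOf(current.assignment_group);
  const isAssignee = current.assigned_to == user.getID();
  return inGroup || isAssignee;
}

// One ACL passes only if its role requirement AND its script both pass.
function aclPasses(acl, user, current) {
  const roleOk = acl.roles.length === 0 || acl.roles.some((r) => user.hasRole(r));
  return roleOk && acl.script(user, current);
}

// Access is granted when ANY ACL matching the table and operation passes.
function allowed(acls, user, current) {
  return acls.some((acl) => aclPasses(acl, user, current));
}

// Hypothetical role names; legacyWriteAcl stands in for any pre-existing rule.
const readAcl = { roles: ['u_1234_read'], script: () => true };
const writeAcl = { roles: ['u_1234_read'], script: ownRecordsOnly };
const legacyWriteAcl = { roles: ['u_legacy_editor'], script: () => true };

const member = makeUser('u1', ['1234group'], ['u_1234_read']);
const memberWithLegacy = makeUser('u2', ['1234group'], ['u_1234_read', 'u_legacy_editor']);
const own = { assignment_group: '1234group', assigned_to: 'u1' };
const foreign = { assignment_group: 'network', assigned_to: 'u9' };
const unassigned = { assignment_group: '', assigned_to: '' };

function matrix() {
  return {
    readForeign: allowed([readAcl], member, foreign),
    writeOwn: allowed([writeAcl], member, own),
    writeForeign: allowed([writeAcl], member, foreign),
    writeUnassigned: allowed([writeAcl], member, unassigned),
    writeForeignViaLegacy: allowed([writeAcl, legacyWriteAcl], memberWithLegacy, foreign),
  };
}
console.log(matrix());
```

The last row is the one to check on a real instance: list every write ACL on the table and confirm the group's members pass none of them except the restricted one.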
4 weeks ago
Hi @r2024 ,
I hope you saw my reply.
If my response points you in the right direction, please consider marking it as 'Helpful' & 'Correct'. It will help future readers with similar kinds of questions and close the thread.
Thanks,
Bhimashankar H