How to give a group the ability to read-only all incidents, sctasks, and demands

r2024
Tera Contributor

Hello everyone,

I have an interesting request from a group (let's call them 1234group).

This group wants to be able to read-only all incidents, sctask, and demands that are not assigned to them.

They do not want to edit any of these records, just read-only, while still having the ability to work on their own records.


Does anyone have any recommendation on how to achieve this? 

If you do, please give an example that shows step-by-step instructions. At least this would give me some idea.

Thanks!

3 REPLIES

Rafael Batistot
Tera Sage

Hi @r2024 


The most robust and recommended way to control access to records in ServiceNow is through Access Control Lists (ACLs). ACLs define what a user can do with a specific record or field. They are evaluated in a specific order:

To achieve your goal for "1234group," you'll need to create a combination of ACLs:
* Read-Only ACLs for Records Not Assigned to Them: You'll create a new role and an ACL that grants read access to incidents, sctasks, and demands where the assigned_to field is not the current user. This will be a high-level ACL that provides the read-only access.

Bhimashankar H
Mega Sage

Hi @r2024 ,


So for this you can create an ACL on the incident or sctask table:

Operation: Read

Select the incident table

In Requires role you can enter a specific role that has been assigned to every member of the group.


Write ACL: ability to work on own records, meaning they can edit/update the record

Operation: Write

Select the table

Advanced: Script

(function () {
  // Write is allowed only if the user is a member of 1234group AND either:
  // - the user is a member of the record's assignment group, OR
  // - the user is the assignee (optional ownership rule).
  // Note: ACLs for the same table/operation are OR'd, so other write ACLs
  // (e.g. for itil users) can still grant write to users outside 1234group.
  var user = gs.getUser();
  if (!user.isMemberOf('1234group')) {
    answer = false;
    return;
  }

  // Use getValue() so plain sys_id strings (not GlideElements) are passed/compared.
  var groupId = current.getValue('assignment_group');
  var inAssigneeGroup = !!groupId && user.isMemberOf(groupId);
  var isAssignee = current.getValue('assigned_to') == user.getID();

  answer = !!(inAssigneeGroup || isAssignee);
})();

This makes all other records effectively read-only to 1234group members; their own assigned records remain editable. Community patterns rely on isMemberOf against current.assignment_group for ownership checks.


You can do the same with sctask or any other table.


Refer to the post below:

Restrict to view only 


Before making any changes, please check whether this can be done with existing ACLs, roles, or group users.

There is an 'sn_incident_read' role; assign it to that group and check whether the users can view the records or not. If so, you can assign this role to your group and there is no need to create any ACLs. Try it out.


Thanks,
Bhimashankar H


-------------------------------------------------------------------------------------------------
If my response points you in the right directions, please consider marking it as 'Helpful' & 'Correct'. Thanks!
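As an added example that is not part of any reply in this thread, here is an offline JavaScript model of the read-and-write ACL pair described above: plain objects stand in for gs.getUser() and current, and the users, groups and records are constructed sample data. It makes the resulting access matrix explicit, including one point the text only implies: with the write script as posted, a member can also edit records assigned to a teammate in the same assignment group, not only their own.

```javascript
// Constructed sample users: groups = names of groups the user belongs to.
var users = {
  alice: { sys_id: 'u1', groups: ['1234group'] },   // member of 1234group
  bob:   { sys_id: 'u2', groups: ['1234group'] },   // alice's teammate
  carol: { sys_id: 'u3', groups: ['network'] }      // outside 1234group
};
// Constructed sample records: assignment_group as group name, assigned_to as user sys_id.
var records = {
  own:        { assignment_group: '1234group', assigned_to: 'u1' },
  teammate:   { assignment_group: '1234group', assigned_to: 'u2' },
  other:      { assignment_group: 'network',   assigned_to: 'u3' },
  unassigned: { assignment_group: '',          assigned_to: '' }
};

// Stand-in for GlideUser.isMemberOf(); real code would use gs.getUser().isMemberOf().
function isMemberOf(user, group) { return user.groups.indexOf(group) !== -1; }

// Read ACL: any 1234group member may read any record.
function readAcl(user, record) {
  return isMemberOf(user, '1234group');
}

// Write ACL: the rule from the reply above, over plain objects.
function writeAcl(user, record) {
  if (!isMemberOf(user, '1234group')) return false;
  var inAssigneeGroup = !!record.assignment_group && isMemberOf(user, record.assignment_group);
  var isAssignee = record.assigned_to === user.sys_id;
  return inAssigneeGroup || isAssignee;
}

// ServiceNow grants an operation when ANY matching ACL for it passes. Only the two
// ACLs above are modelled, so users outside 1234group get false here; on a real
// instance other write ACLs (e.g. for itil) still apply to them.
function evaluate(aclList, user, record) {
  return aclList.some(function (acl) { return acl(user, record); });
}

// Full user x record matrix: { alice: { own: { read: true, write: true }, ... }, ... }
function accessMatrix() {
  var out = {};
  Object.keys(users).forEach(function (u) {
    out[u] = {};
    Object.keys(records).forEach(function (r) {
      out[u][r] = { read:  evaluate([readAcl], users[u], records[r]),
                    write: evaluate([writeAcl], users[u], records[r]) };
    });
  });
  return out;
}
```

Run accessMatrix() and compare the table against what the group actually asked for before building the ACLs on the instance.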

Bhimashankar H
Mega Sage

Hi @r2024 ,


I hope you saw my reply. 


If my response points you in the right direction, please consider marking it as 'Helpful' & 'Correct'. It will also help future readers with similar questions and close the thread.

Thanks,
Bhimashankar H