How to prevent users from seeing other RITM requests by going into sc_req_item.list

Peter Williams
Kilo Sage

Good day,

I need to be able to restrict users that are non-itil, to prevent them from seeing other RITM requests when they go into sc_req_item.list.

At the moment they can see this:

[screenshot]

I want them to only see items they submitted or if they are a part of the watch list.

I tried the ACL but it doesn't filter the list for it.

How can I do this, please?

1 ACCEPTED SOLUTION

Sumanth16
Kilo Patron

Hi @Peter Williams,

ACLs, while normally the perfect answer to security questions, always result in the 'Number of rows removed' issue when using a 'Read' operation for records.

In order to avoid this, you need to use a 'before query' business rule on the 'sc_req_item' table. A script like this should do the trick... it's based off of the out-of-box 'incident query' business rule that does the same thing for incidents.

// Restrict only interactive sessions of users without the itil role
if (!gs.hasRole("itil") && gs.isInteractive()) {
  var u = gs.getUserID();
  // Limit rows to those requested for, opened by, or watched by the current user
  var qc = current.addQuery("request.requested_for", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
  gs.print("query restricted to user: " + u);
}

Please mark my solution as accepted if you find it helpful.

Thanks & Regards,

Sumanth meda


10 REPLIES 10


Sorry, one last thing: I need one more role to exclude this, it's called Finance_Access.

How do I incorporate that? I tried this but it's not working:

(function executeRule(current, previous /*null when async*/) {
if ((!gs.hasRole("itil")||!gs.hasRole("Finance_Access")) && gs.isInteractive()) {
  var u = gs.getUserID();
  var qc = current.addQuery("request.requested_for", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
  gs.print("query restricted to user: " + u);
}
})(current, previous);

Careful now, the more you add to your AC, the more risk you assume with overhead to upkeep and potential complication that comes from this.

Have a peek at my response related to Data Filtration features that ServiceNow provides OOB as a part of the platform. - Exploring Data filtration (servicenow.com)

Hi @Peter Williams,

As @jMarshal mentioned, if you have more data, a before query business rule will cause performance issues.

Try the code below:

(function executeRule(current, previous /*null when async*/) {
// Restrict only users who hold neither itil nor Finance_Access
if (!(gs.hasRole("itil")||gs.hasRole("Finance_Access")) && gs.isInteractive()) {
  var u = gs.getUserID();
  var qc = current.addQuery("request.requested_for", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
  gs.print("query restricted to user: " + u);
}
})(current, previous);
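
The difference between the two role conditions in this thread, shown as an added example that is not part of any post above: plain JavaScript that models the business rule outside ServiceNow, so it can be run with Node. The users, roles, RITM rows and the helper names (`hasRole`, `ownRow`, `visibleRows`, `compare`) are constructed for illustration.

```javascript
// Constructed sample data: users, roles and RITM rows are illustrative only.
const users = {
  alice: ["itil"],
  bob: ["Finance_Access"],
  carol: [],                          // plain requester, no exempt role
  dave: ["itil", "Finance_Access"],
};

const ritms = [
  { number: "RITM001", requested_for: "carol", opened_by: "carol", watch_list: [] },
  { number: "RITM002", requested_for: "erin", opened_by: "alice", watch_list: ["carol"] },
  { number: "RITM003", requested_for: "erin", opened_by: "erin", watch_list: ["bob"] },
  { number: "RITM004", requested_for: "frank", opened_by: "frank", watch_list: [] },
];

// Simplified stand-in for gs.hasRole (the admin override is not modelled).
const hasRole = (user, role) => users[user].includes(role);

// Condition from the question: true whenever the user lacks EITHER role.
const restrictBuggy = (u) => !hasRole(u, "itil") || !hasRole(u, "Finance_Access");

// Condition from the reply: true only when the user holds NEITHER role.
const restrictFixed = (u) => !(hasRole(u, "itil") || hasRole(u, "Finance_Access"));

// Stand-in for the conditions the business rule adds to the query:
// request.requested_for = u OR opened_by = u OR watch_list CONTAINS u
const ownRow = (row, u) =>
  row.requested_for === u || row.opened_by === u || row.watch_list.includes(u);

// Row numbers a user gets back from the list under a given role condition.
function visibleRows(user, restrict) {
  const rows = restrict(user) ? ritms.filter((r) => ownRow(r, user)) : ritms;
  return rows.map((r) => r.number);
}

// Side-by-side row counts per user for both conditions.
function compare() {
  return Object.keys(users).map((u) => ({
    user: u,
    buggy: visibleRows(u, restrictBuggy).length,
    fixed: visibleRows(u, restrictFixed).length,
  }));
}

console.table(compare());
```

With the `||` of two negations, only a user holding both roles escapes the filter, so single-role itil or Finance_Access users are restricted as if they had no role at all.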