How to trace which Business Rules are triggered from a Portal view?

Paul Douglas · ‎07-12-2017

Hi all,

Just coming to grips with ServiceNow (go easy on me!) and have a few questions regarding portal and Business Rules.

I've created a custom portal view for customers (users with no roles assigned at all for testing) to log New Incidents. This view is essentially the "ess" view with a few additional fields. By default, though, these users appear to be redirected to the OOB "ess" view and not my "customer_support" view in portal. After digging around the backend I believe there are a couple of Business Rules that are at play here, notably "incident functions" and "incident query" and a function within called incidentGetViewName - (but there may be more?). The logic here appears to be saying, if a user has ITIL role then go to whatever view has been defined. If NOT ITIL role then force the "ess" view.

So for my own understanding (obviously - who elses' am I here for?) and a better grasp on Best Practices I was hoping someone might be able to advise/comment on the following:

In the backend I am aware of "Debug Business Rule" and "Debug Business Rule (Details)" to assist in seeing what Business Rules are firing when moving around the backend forms and views. However, in portal, whether logged in as a customer (or Impersonating a customer), is there a way I can easily see what Business Rules are firing? And for that matter UI Policies etc too? I feel quite clumsy randomly searching and browsing the Business Rules for ones of interest...
I could avoid these Business Rules by giving Customers ITIL role and then somehow else (through perhaps domain or some other mechanism) differentiate between Customers and non-customers but the ITIL role is not something a typical customer-logging-incidents type role should have right?
Another option is to simply modify the "ess" view itself rather than creating a custom view but I have previously been sensibly advised that it's best to avoid modifying Out of the Box elements when possible. I also imagine a future hypothetical scenario where I might need multiple custom views for various customer groups and so would require multiple "ess"-based views anyway so would still require a better solution...
I could clone the Business Rule(s) in question, deactivate the original ones (so still have original backup) and modify the logic to suit. However this *feels* like overkill for something I assumed would be quite common and basic and shouldn't require meddling in code.
I could add a new Business Rule with a higher Order that effectively overrides the logic of the Business Rules in question but again this *feels" a little overkilly/dirty?

Any advice or comments on any/all of these points would be much appreciated.

Cheers and thanks

Paul

Andras Kisgyorg · ‎07-12-2017

Hello Paul,

Welcome to the ServiceNow community!

I agree to your approach regarding the OOB elements and that's right it's always better to add some config on top of the existing rather than modifying OOB settings.

With regards to your points, I looked at the incident functions business rule which is a global one so it runs on every table and indeed it drives end users towards to the ess view. However, luckily it allows some flex to use your own "ess" views, as it contains a condition to leave alone your view setting if it starts with ess!

So apparently it supports the use an "ess_yourview" naming convention when you wish to setup your own views for self-service, shoudl you wish to leave the OOB ess view untouched.

I suggest to explore the "View Rules" functionality of the platform, where you can define or script conditions as to which view to render under given conditions.

Docs: Create a view rule

As to point (2) end users definitely should not have roles, should not have the ITIL role. User having such role has licence and cost implications (for accurate and up to date information please ask your ServiceNow representative).

Your points (3) and (4) may not be necessary considering the above.

As to point (5), creating business rules with different orders do not necessarily override each other, it defines in what order they run, it is their 'when to run' and 'condition' field which dictates if they get triggered or not.

Please let me know if the above helps.

A.

View solution in original post

Andras Kisgyorg · ‎07-12-2017

Hello Paul,

Welcome to the ServiceNow community!

I agree to your approach regarding the OOB elements and that's right it's always better to add some config on top of the existing rather than modifying OOB settings.

With regards to your points, I looked at the incident functions business rule which is a global one so it runs on every table and indeed it drives end users towards to the ess view. However, luckily it allows some flex to use your own "ess" views, as it contains a condition to leave alone your view setting if it starts with ess!

So apparently it supports the use an "ess_yourview" naming convention when you wish to setup your own views for self-service, shoudl you wish to leave the OOB ess view untouched.

I suggest to explore the "View Rules" functionality of the platform, where you can define or script conditions as to which view to render under given conditions.

Docs: Create a view rule

As to point (2) end users definitely should not have roles, should not have the ITIL role. User having such role has licence and cost implications (for accurate and up to date information please ask your ServiceNow representative).

Your points (3) and (4) may not be necessary considering the above.

As to point (5), creating business rules with different orders do not necessarily override each other, it defines in what order they run, it is their 'when to run' and 'condition' field which dictates if they get triggered or not.

Please let me know if the above helps.

A.

Paul Douglas · ‎07-12-2017

Woah - thanks so much Andras!

That really helps and clarifies the direction I'm heading. I've simply renamed my view from "customer_support" to "ess_customer_support" for now and that certainly does allow that view to be exposed to the no role end user.

That however does bring up another issue. The form includes the Urgency and Impact fields (which in turn will determine the underlying Priority field value).

Now the Urgency field has been marked as read only (the Impact field is not) and I see there is (presumably an OOB) Access Control Rule called "task.urgency" that requires either itil or task_editor roles for write access. As a test I added the task_editor role to my end user and it did indeed allow me to then change that field on the frontend.

Again, I was assuming the end users would not require any roles in order to be able submit Incidents so do you have any advice as to how best make the Urgency field writable without having to add roles to end users? I do not have security_admin role which I understand you need to be able to elevate to if wanting to add/edit ACLs anyway.

And I'd assume trying to tackle this via UI Policies or Scripts - since they are client side - would have no affect on allowing this field from being written to even if the field was "unlocked" and selectable on the frontend anyway?

Thanks again.

PS. The instance I'm working on is Helsinki

Andras Kisgyorg · ‎07-13-2017

HI Paul,

I'm glad that it helped you with your ess view!

Yes, that's right and ACLs have key importance when it comes to security and controlling access to data in the system. There may be several reasons for these built-in rules already, in that case you mention, I think the thought process could be, that

end users, when they submit an incident, they should be able to indicate the impact of the incident on them, but allowing them to set the urgency same time would give them full control to determine both of the 2 factors which calculate the given incident priority.

So here the task.urgency ACL you mention may have such logic behind it.

With that said, however, given your use case you may want to open up the urgency - take a look at the OOB incident.impact ACL,

the one which has it's condition caller_id=javascript:gs.getUserID()^ORopened_by=javascript:gs.getUserID()^EQ.

This allows the impact field to be editable to end users (with no role), given the condition that they can only edit their tickets where they are the caller or they are the one who opened the ticket. This restriction has key importance when dealing with end-users who have no role.

An ACL on incident.urgency with condition caller_id=javascript:gs.getUserID()^ORopened_by=javascript:gs.getUserID()^EQ

could open up the urgency field for editing, masking the existing task.urgency (provided incident table here is extended from task table):

I do not recommend using Client scripts and UI policies for securing fields, as they are only rendering in a browser and do not block all the ways data can be accessed, and since users browsers running locally are out of control these scripts can even be bypassed.

Use of Client scrips should be minimized where possible for faster form loads, and UI policies are more there to deliver some business logic on the form (e.g. if I have a laptop I can pick a keyboard layout field, if I have a tablet I cannot) not to restrict or control access to a field.

Hope this helps,

Best regards,

A.

Paul Douglas · ‎07-16-2017

Thanks again Andras.

Initially I was trying to solve this particular issue without the ability to elevate my role to security_admin - hence the question around how this would be handled without being able to modify/edit ACLs. Thankfully though I was able to have that role assigned to me by an employee with the default "admin" access after explaining the issue I faced. And from there I pretty much did as you mentioned above re: creating a new ACL for incident.urgency and am able to continue on my merry way.

Cheers for the assistance and it's encouraging to see such good help is available within this community!