Find your people. Pick a challenge. Ship something real. The CreatorCon Hackathon is coming to the Community Pavilion for one epic night. Every skill level, every role welcome. Join us on May 5th and learn more here.

Incident Access Restriction Using ACL and Custom Roles

Go to solution
Singhdeep70
Tera Contributor

3 weeks ago

How do you allow a non-ITIL user to view all incidents, restrict confidential incidents to an elevated role using a table-level ACL, and switch their view from Self-Service to Service Desk?

0 Helpfuls
  • 570 Views
2 ACCEPTED SOLUTIONS

Go to solution
pr8172510
Giga Guru

3 weeks ago

 

Hi Singhdeep70,

You can achieve this using custom roles + table ACL + UI access control

1. Allow non-ITIL users to view incidents

  • Create a role:

 

           incident_viewer
     Create Read ACL on Incident [incident]
  • Operation: read
  • Role: incident_viewer

 This gives read access without ITIL.

2. Restrict confidential incidents

  • Create field:

 

u_confidential (True/False)
 

 

  • Create table-level Read ACL (script):

 

 
answer = !current.u_confidential || gs.hasRole('x_confidential_access');
 

 

  • Create role:

 

 
x_confidential_access
 

 

Result:

  • Normal users → cannot see confidential records
  • Elevated role → can see all

3. Switch from Self-Service to Service Desk

  • Assign role:

 

 
sn_incident_read
 

 This automatically gives Agent/Service Desk view (no need for full ITIL)

OR

  • Create a module pointing to Incident with Service Desk view

View solution in original post

Go to solution
Aditya_hublikar
Mega Sage

3 weeks ago

Hello @Singhdeep70 ,

 

To show(read) non-itil user all record create new acl incident.none operation:read and role:non-itil(in my case here it is Role1) and add condition like confidential field is empty (in my case here it creator grp)

acl1.png

 

Created another acl for confidential records  where added condition like Confidential field is not empty (in my case i used creator grp field on basis of that im deciding to show that confidential record or not ) 

(if you want to allow only for security_admin remove itil role then from here)

acl2.png

 

Also updated incident query (ootb query br to see all records )

acl3.png

 

 

output :

For Role1

acl4.png

 

 

For security admin  & itil :

acl5.png

 

 

If this helps you then mark it as helpful and accept as solution.

Regards,

Aditya

 

 

View solution in original post

4 REPLIES 4

Go to solution
pr8172510
Giga Guru

3 weeks ago

 

Hi Singhdeep70,

You can achieve this using custom roles + table ACL + UI access control

1. Allow non-ITIL users to view incidents

  • Create a role:

 

           incident_viewer
     Create Read ACL on Incident [incident]
  • Operation: read
  • Role: incident_viewer

 This gives read access without ITIL.

2. Restrict confidential incidents

  • Create field:

 

u_confidential (True/False)
 

 

  • Create table-level Read ACL (script):

 

 
answer = !current.u_confidential || gs.hasRole('x_confidential_access');
 

 

  • Create role:

 

 
x_confidential_access
 

 

Result:

  • Normal users → cannot see confidential records
  • Elevated role → can see all

3. Switch from Self-Service to Service Desk

  • Assign role:

 

 
sn_incident_read
 

 This automatically gives Agent/Service Desk view (no need for full ITIL)

OR

  • Create a module pointing to Incident with Service Desk view

Go to solution
Ankur Bawiskar
Tera Patron

3 weeks ago

@Singhdeep70 

what do you mean by non-itil users?

End user who raise incident don't have itil role but still they can see the INCs from portal

what's your exact business requirement?

Remember you will have to make changes to Table level ACLs + Query BR on incident table

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  10x ServiceNow MVP  ||  ServiceNow Community Leader
0 Helpfuls

Go to solution
Vaibhav Chouhan
Tera Guru

3 weeks ago

You can achieve this by combining ACLs, roles, and role based view configuration.

  • Give the non ITIL user read access to the Incident table through a custom role so they can see all incidents.
  • Then create a table level or field level ACL with a condition or script to restrict confidential incidents, allowing access only to users with an elevated role. You can do it with a custom field like u_confidential, then create an ACL with condition or script like if confidential true then check for elevated role.
  • For the UI, assign the required workspace or fulfiller roles to your custom role so the user gets access to the Service Desk or Workspace experience.
0 Helpfuls

Go to solution
Aditya_hublikar
Mega Sage

3 weeks ago

Hello @Singhdeep70 ,

 

To show(read) non-itil user all record create new acl incident.none operation:read and role:non-itil(in my case here it is Role1) and add condition like confidential field is empty (in my case here it creator grp)

acl1.png

 

Created another acl for confidential records  where added condition like Confidential field is not empty (in my case i used creator grp field on basis of that im deciding to show that confidential record or not ) 

(if you want to allow only for security_admin remove itil role then from here)

acl2.png

 

Also updated incident query (ootb query br to see all records )

acl3.png

 

 

output :

For Role1

acl4.png

 

 

For security admin  & itil :

acl5.png

 

 

If this helps you then mark it as helpful and accept as solution.

Regards,

Aditya