Incident business rule - Only viewable by specific team unless assigned to users group

leebooth
Kilo Expert

Hi All,

I'm still fairly new to ServiceNow, so apologies in advance if I'm missing something obvious.

We created a record producer to output a special type of Incident which will only be viewable by our Cybersecurity team.

A new field was added to incidents 'u_created_by_form', which is populated by the record producer, as an identifier for these types of Incidents.

I created a before query business rule with the following script:

Condition:

!gs.getUser().isMemberOf('Cybersecurity')

Script:

current.addEncodedQuery('u_created_by_form!=F46 - Information Security Incident^ORu_created_by_formISEMPTY');

This worked fine.

If the current user was not a member of Cybersecurity - they would not be able to see "F46 - Information Security Incident" incidents.

I now need to modify this so that a member of the current assignment group can also view. For example, if the Cybersecurity team passed a log to the Admin stack, we would also be able to see the Incident. If it was then assigned back to Cybersecurity - we would lose viewing rights.

This was my initial attempt, but no success.

Condition:

!gs.getUser().isMemberOf('Cybersecurity')

Script:

var currentUserID = gs.getUserID();                       // Get current user ID
var assigned_group = current.assignment_group;            // Get current log assignment group (the incident field is assignment_group)
var groupMember = new GlideRecord('sys_user_grmember');   // Create GlideRecord - group member table
groupMember.addQuery('group', assigned_group);            // limit group member table - current assignment group
groupMember.addQuery('user', currentUserID);              // limit group member table (current assignment group) - current user
groupMember.query();                                      // run query: Is current user a member of the current assignment group?
if (groupMember.next()) {
  // User is in the group - don't apply restriction
} else {
  // Hide "F46 - Information Security Incident" (but show blanks)
  current.addEncodedQuery('u_created_by_form!=F46 - Information Security Incident^ORu_created_by_formISEMPTY');
}

Can this be done via business rule?

I was hoping to avoid having to modify all the Incident read ACLs!

1 ACCEPTED SOLUTION

Jochen Geist
ServiceNow Employee

The "current" object in a Query Business Rule is the query itself, not a GlideRecord.

Therefore "current.assignment_group" does not work, as this field does not exist on the query.

You need to change your current query to another query:

Created by form is not Information Security Incident OR (Created by form is Security AND Assignment Group is one of my groups)

You can build the query via the list view first: https://servicenowgems.com/2015/07/29/tip-for-creating-complex-before-query-business-rules/



Okay. So the solution I used was to use a "Before Query Business Rule".



Go into "System Definition" > "Business Rules"


Create New.


Tick the "Advanced" option.


Set to "Before" & tick "Query".





Then in the "Advanced" tab you can enter a script to tell your business rule what to do.




In the "Condition" line you put a piece of code which will tell the business rule WHEN it should apply.


In my example I've used "!gs.getUser().isMemberOf('Facilities')"


What this does is get the current user and check if they belong to a team, which you have to pass in. In my case it was our Facilities team.


If your HR group is called HR on your system then you can simply replace 'Facilities' with 'HR'. Important: The "!" at the start means NOT.



So my business rule will only run the script if the current user is NOT in the group "Facilities".



Then you need to add a query in the script which will restrict the view. To do this you need a way to differentiate HR tasks from regular tasks. In my case I made a new field on the tasks called "u_created_by_form" to put the name of the record producer I used. But in theory you could use any of the existing fields e.g. short description, caller, company, etc.



To get your encoded query, go to the table your HR records live in (e.g. tasks / incident) & apply a filter which would hide the records you want to hide. When you're happy you just right click on the filter description (next to the filter icon) and "copy query".


e.g.



Then paste that in the brackets of your Business Rule script as shown above.


Note: I wouldn't recommend using short description to handle privacy because if someone changes it then business rule will no longer apply to that record. You want something that can't be changed, ideally.



Result: When the Task (or Incident) table is loaded & the current user is not in the specified group, the filter you set up will automatically apply, effectively hiding your logs.



Hope this helps you. I tried to give as much info as possible.


I would recommend you look into ACLs too. That might be a better way for you to get the job done! But I don't know your exact requirements!
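Putting the accepted answer's query (security incidents hidden unless assigned to one of the user's groups) together with the before query business rule walked through in the steps above, as an added example that is not code from the thread or from ServiceNow: a pure helper builds the encoded query from the user's group sys_ids, and the rule body applies it to the query. It assumes the u_created_by_form field and form value from the question, that group membership is read from sys_user_grmember as in the original attempt, and the standard encoded-query operators ^OR, ISEMPTY, IN and ^NQ (which starts a new OR-ed filter group); the Condition field stays !gs.getUser().isMemberOf('Cybersecurity').

```javascript
// Added example (not the poster's or ServiceNow's code): before query business rule on incident.
// Assumed field and value from the thread; assumed encoded-query operators ^OR, ISEMPTY, IN, ^NQ.
var SECURITY_FORM = 'F46 - Information Security Incident';

// Pure helper so the query logic can be checked outside ServiceNow.
// groupIds: sys_ids of the groups the current user belongs to.
function buildRestrictionQuery(formValue, groupIds) {
  // Everything that is not a security incident (a blank form value counts as "not").
  var q = 'u_created_by_form!=' + formValue + '^ORu_created_by_formISEMPTY';
  if (groupIds.length > 0) {
    // OR (^NQ): security incidents currently assigned to one of the user's groups.
    // With no groups, skip this clause rather than emit an empty IN list.
    q += '^NQu_created_by_form=' + formValue + '^assignment_groupIN' + groupIds.join(',');
  }
  return q;
}

// Collect the sys_ids of the groups the logged-in user is a member of
// (same sys_user_grmember table the original attempt used, but keyed on the user only).
function currentUserGroupIds() {
  var ids = [];
  var grm = new GlideRecord('sys_user_grmember');
  grm.addQuery('user', gs.getUserID());
  grm.query();
  while (grm.next()) {
    ids.push(grm.getValue('group'));
  }
  return ids;
}

// Business rule script body: call as executeRule(current) in the Advanced script field.
// In a query rule `current` is the query being built, so it can only receive extra
// conditions; there is no assignment_group value on it to read.
function executeRule(current) {
  current.addEncodedQuery(buildRestrictionQuery(SECURITY_FORM, currentUserGroupIds()));
}
```

A before query rule only narrows queries that run with business rules enabled; record-level read access still belongs in ACLs, as the ACL recommendation above notes.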


Thank you Lee, I will start working on that. I totally appreciate it!


No problem. Good luck!