Limit access to Requested Items based on Role

tahnalos · ‎04-22-2024

Hi there. We have a special ask regarding certain items in the Service Catalog.

We are aware of the User criteria function, but what this does is to limit access to the Catalog item for users when they are requesting items. The situation I am dealing with here is different.

What we want to do is to limit certain requested Items to certain assignment groups. Based on how we interpret the User Criteria function, this won't do what we want, as this limits the front end and we want to limit who can access on who can actually work on the item and their requested tasks.

I notice that the Service Categories form has a Role Field so wondering if it can be set up using ACLs to limit access to these items based on those who have a certain role. Would that work?

James Chun · ‎04-22-2024

Hi @tahnalos,

So you would like to limit fulfillers' access to RITMs and SCTASKs.

There are a few ways to do it, and ACL would be my least favourite.

Control access to variables via the 'Read roles'. I believe the users will still have access to the RITMs/SCTASKs but not the variables.

Data filtration - create a new 'Role Filter Criteria' and apply it to your records.

https://docs.servicenow.com/bundle/washingtondc-platform-security/page/administer/security/concept/d...

You can also create custom ACL and/or Query Business Rule but they would be my last pick

Cheers

View solution in original post

tahnalos · ‎04-23-2024

Hi James, just so that I am aware of this, this is what I'm thinking, so feel free to correct me if I'm wrong.

As it turns out, we already have roles in place for certain groups to have access to our system, so if we have a group of Requested Items for ABC process, and the role is abc_role we could define it as the following:

Subject Condition: Subject Role is abc_role

Security Attribute: (I'm not sure what this refers to, maybe you could assist me with some details?)

Data Filter: Item.Category is ABC.

Theoretically, this should mean that only those with the abc_role should have access to Requested Items that are from Catalog Items from ABC Categorization.

Can you confirm this for me?

Thanks

James Chun · ‎04-23-2024

Hi @tahnalos,

My understanding is that 'Security Attribute' is just another way of defining user information that can be used in access control (including data filtration).

For your use case, you either

Create a new subject condition and apply it to the Data Filtration record,OR
use the 'Role' Security Attribute Condition and set it to your custom role

e.g.

And yes, theoretically it will prevent access to the records. Make sure you create the same for SCTASK (if required) and validate if end users can access their own records. You may need additional conditions such as is not opened by me, is not requested for me something along these line.

Cheers

tahnalos · ‎04-23-2024

Regarding conditions such as "opened by me", where do I find them? On my personal instance, I can't seem to find these conditions in any of the filters that are provided.

The intent is that the Requested item should be available to not only the person requesting it, but also the group that needs to work on it, no one else.

James Chun · ‎04-23-2024

I meant the 'Data condition' something like the following:

Try it without the 'opened by' filter first, and see if that still allows the requestor to access the RITMs.

If it doesn't work, I think you can either modify the existing Data Filtration's data condition OR create a new Data Filtration that grants access to the requestor.

tahnalos · ‎04-23-2024

Right. Thanks for your help