Limit Unit Manager Group Add

Adeshola
Tera Contributor

I have a business rule that should restrict unit managers from adding users to, or removing users from, any group other than the units they themselves belong to. I have the code snippet below, but it's not working:

 

/**
 * Business rule script: limits the groups a unit manager may change membership for.
 *
 * Flow, as written:
 *   - admins are never restricted;
 *   - users without the u_unit_manager role are not restricted by this rule;
 *   - a unit manager must be listed in the target group's u_unit_managers field
 *     AND be a member of that group, otherwise the action is aborted.
 *
 * NOTE(review): the rule's table and "when" settings (insert/update/delete) are not
 * part of this script - presumably it runs "before" on sys_user_grmember; confirm.
 * Only current.group is inspected, so if the rule also fires on update,
 * previous.group is never checked - verify how a changed group reference on an
 * existing membership row should be treated.
 */
(function executeRule(current, previous /*null when async*/) {
    var actorId = gs.getUserID();

    // gs.hasRole() returns true for admins whatever role is asked for, so without
    // this exit admins would fall through to the unit-manager checks below.
    if (gs.hasRole('admin')) {
        return;
    }

    // The restriction applies to unit managers only. Every other user leaves this
    // rule untouched, so their access has to be limited elsewhere (roles / ACLs).
    if (!gs.hasRole('u_unit_manager')) {
        return;
    }

    // No group on the record: nothing is evaluated and the action is allowed.
    if (current.group.nil()) {
        return;
    }

    // Group record could not be loaded: the action is likewise allowed.
    // NOTE(review): this exit and the one above fail open - confirm that is the
    // intended outcome for a rule whose purpose is to restrict.
    var targetGroup = new GlideRecord('sys_user_group');
    if (!targetGroup.get(current.group.toString())) {
        return;
    }

    // u_unit_managers is read as a comma-separated string and split into entries;
    // the acting user's ID has to equal one entry exactly.
    var managerIds = targetGroup.u_unit_managers.toString().split(',');
    if (managerIds.indexOf(actorId) === -1) {
        gs.addErrorMessage("You must be one of the Unit Managers of the group to assign users.");
        current.setAbortAction(true);
        return;
    }

    // Being listed as a unit manager is not sufficient: the user must also hold a
    // membership row for the same group.
    var ownMembership = new GlideRecord('sys_user_grmember');
    ownMembership.addQuery('user', actorId);
    ownMembership.addQuery('group', current.group.toString());
    ownMembership.query();

    if (ownMembership.hasNext()) {
        return;
    }

    gs.addErrorMessage("You can only assign users to groups you are a member of.");
    current.setAbortAction(true);
})(current, previous);

2 ACCEPTED SOLUTIONS

Voona Rohila
Kilo Patron

Hi @Adeshola 

Try this code

/**
 * Business rule script: aborts the action unless the acting user is both listed in
 * the target group's u_unit_managers field and a member of that group.
 *
 * No role test and no empty-group test happen in this script; the answer moves
 * them into the rule's Condition field.
 * NOTE(review): the script therefore depends on that condition - if it is missing
 * or wrong, the two checks below apply to every user, admins included.
 */
(function executeRule(current, previous /*null when async*/ ) {
    var actorId = gs.getUserID();

    // Dot-walks from the membership record to the group's u_unit_managers field.
    // This is a substring search over the field's string value, not an
    // element-by-element comparison of list entries.
    var managerList = current.group.u_unit_managers.toString();
    var listedAsManager = managerList.indexOf(actorId) !== -1;
    if (!listedAsManager) {
        gs.addErrorMessage("You must be one of the Unit Managers of the group to assign users.");
        current.setAbortAction(true);
        return;
    }

    // Membership is checked through the user object rather than a separate query
    // on the group-member table.
    var actor = gs.getUser();
    if (actor.isMemberOf(current.group.toString())) {
        return;
    }

    gs.addErrorMessage("You can only assign users to groups you are a member of.");
    current.setAbortAction(true);
})(current, previous);

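I have moved the role checks and the empty-group check into the Condition part of the business rule (BR). The script above therefore relies entirely on that condition: without it, the two checks would apply to every user, admins included.

Please check the screenshots below, and change the field names to match your instance.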

VoonaRohila_0-1752127749964.png

VoonaRohila_2-1752127964479.png

 

 

 


Mark it helpful if this helps you to understand. Accept solution if this give you the answer you're looking for
Kind Regards,
Rohila V
2022-25 ServiceNow Community MVP


Community Alums
Not applicable

try with this ...!

/**
 * Business rule script: a unit manager may only proceed when a matching row exists
 * in 'sys_user_group_manager' for the target group AND the user is a member of
 * that group. Admins and users without the u_unit_manager role are not restricted
 * by this rule.
 *
 * NOTE(review): the 'sys_user_group_manager' table and its 'group' / 'manager'
 * columns appear only in this snippet; the question stores unit managers in the
 * u_unit_managers list field on sys_user_group. Confirm the table exists in the
 * instance and holds the same data before relying on this check.
 */
(function executeRule(current, previous) {
    var actorId = gs.getUserID();

    // gs.hasRole() returns true for admins whatever role is asked for, so without
    // this exit admins would fall through to the unit-manager checks below.
    if (gs.hasRole('admin')) {
        return;
    }

    // Users without the role are outside the scope of this rule; their access has
    // to be limited elsewhere (roles / ACLs).
    if (!gs.hasRole('u_unit_manager')) {
        return;
    }

    // An empty group reference, or a group record that cannot be loaded, ends the
    // rule without aborting.
    // NOTE(review): both exits fail open - confirm that is intended.
    if (current.group.nil()) {
        return;
    }
    var groupGR = new GlideRecord('sys_user_group');
    if (!groupGR.get(current.group.toString())) {
        return;
    }

    // Unit-manager check: look for a row linking this group to the acting user.
    var managerLink = new GlideRecord('sys_user_group_manager');
    managerLink.addQuery('group', groupGR.sys_id);
    managerLink.addQuery('manager', actorId);
    managerLink.query();

    if (!managerLink.hasNext()) {
        gs.addErrorMessage("You must be one of the Unit Managers of the group to assign users.");
        current.setAbortAction(true);
        return;
    }

    // Membership check: the acting user needs their own row in the group-member table.
    var ownMembership = new GlideRecord('sys_user_grmember');
    ownMembership.addQuery('user', actorId);
    ownMembership.addQuery('group', groupGR.sys_id);
    ownMembership.query();

    if (ownMembership.hasNext()) {
        return;
    }

    gs.addErrorMessage("You can only assign users to groups you are a member of.");
    current.setAbortAction(true);
})(current, previous);

 

 

 


6 REPLIES 6

We don't need to query the group member table again; the .isMemberOf() method is already available and checks whether the user is part of the group.

 


Mark it helpful if this helps you to understand. Accept solution if this give you the answer you're looking for
Kind Regards,
Rohila V
2022-25 ServiceNow Community MVP

Thank you @Community Alums! This solution also works