Logs for Query Business Rule
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎09-06-2024 02:44 AM
Hello Community,
I am working on one requirement where I have one category in category field called 'HR' on incident form. When user raise ticket for this category then it should visible only to HR group and a caller person.
I have implemented this requirement using Before Query Business Rule as per the KB article ( https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0790987 ).
However, for future security, is there any way to ensure the solution is working as intended. mean, which user viewed which Incidents on list view.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎09-06-2024 04:40 AM
Through the transaction log you can check is someone checked on a certain incident, but if you have a QBR and you test it to see if someone else but HR group can see it, what is the need to check on this? The system isn't showing the incidents, so no one else can see them.
With the Xanadu release, the deny-unless ACL's will be a game changer for this. You can just apply a read ACL on the incident table with 'applies to' as 'category = hr' and security attribute as Group (or Group Explicit) = HR. No need for QBR's. You just close it off with ACL's: if you are not part of HR, you can't see incidents on category = HR.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
