Make certain incidents visible only to a certain group

Sam Ogden
Tera Guru

Hi All,

Is it possible to make certain incidents visible only to either people in a certain group or with a certain role?

We have added the field u_created_by_form - and if this is populated with F46 - Information Security Incident we want only members of the cybersecurity team to be able to view these incidents.

These incidents are created via a record producer, so anyone will have access to the record producer, but once submitted we only want the cybersecurity team to be able to see the log that has been raised.

Any help is greatly appreciated.

Thanks

5 REPLIES

adilrathore
ServiceNow Employee

Ankur Bawiskar
Tera Patron

Hi Sam,

You can use an onQuery business rule to restrict the records shown to the logged-in user based on role or group membership.

Mark Correct if this solves your issue and also hit Like and Helpful if you find my response worthy based on the impact.

Thanks

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

Jaspal Singh
Mega Patron

Hi Sam,

You can create a read ACL with the condition

created by is F-46 Information security

and add the code below to the script:

var answer = false;   // Restrict access by default

// Allow access if the user is part of the cyber security group or has the admin role
if (gs.getUser().isMemberOf('sys_id_of_group') || gs.hasRole('admin')) {
    answer = true;
}


Patrick Schult2
Giga Guru

There are two ways you can build this kind of functionality: you can use a Business Rule to filter user queries such that they can't find these Incidents, or you could use ACLs so that the users could find them but not read them, or a combination of both.

For example, if you use the business rule approach, if I were not a member of the cyber security team, I could search for the exact number of the Incident and not find it, almost like it didn't exist. See "Example script: default before-query business rule" for an example.

If you used the ACL approach, I could search the Incident # and see that there was a result, but I would not be able to read it.

The business rule is much simpler to configure if you are talking about the Incident [incident] table. There are a bunch of ACLs included with that table by default that you would have to look at and likely modify to accomplish what you are asking for.
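The two layers discussed in this thread, the read ACL script from Jaspal's reply and the before-query business rule that Ankur and Patrick describe, as one added example that is not code from the thread or from ServiceNow. The two checks are written as plain functions so they can be run outside an instance; in ServiceNow the body of incidentReadAllowed goes into the ACL script field (ending in `answer = ...`) and the body of restrictIncidentQuery into the business rule, with `current` and `gs` supplied by the platform. Two caveats a practitioner will want: a user passes read as soon as any matching read ACL grants it, so the group check has to go into (or replace) the stock ACL that currently grants read on incident rather than sit beside it as an extra ACL; and query business rules also fire for GlideRecord queries in scripts, which do not enforce ACLs at all, so the rule is skipped for non-interactive sessions to avoid silently filtering scheduled jobs and integrations. The group name, the form value, the sample incidents and everything named FakeUser, makeGs and FakeGlideRecord are constructed assumptions, not ServiceNow APIs; write/create access for the record producer is out of scope here.

```javascript
// Added example, not from the thread or from ServiceNow. Constant values are assumed.
const SECURITY_FORM = 'F46 - Information Security Incident'; // u_created_by_form value
const CYBER_GROUP = 'Cyber Security'; // group name or sys_id; GlideUser.isMemberOf accepts either

// Layer 1: read ACL on incident (enforcement). Must live in the ACL that grants
// read on incident, because any one passing read ACL is enough to grant access.
function incidentReadAllowed(current, gs) {
  if (current.getValue('u_created_by_form') !== SECURITY_FORM) {
    return true; // not a security incident: this script does not restrict it
  }
  return gs.hasRole('admin') || gs.getUser().isMemberOf(CYBER_GROUP);
}

// Layer 2: before-query business rule on incident (hiding). Adds a filter so
// non-members never get the records back; skipped for non-interactive sessions
// so background jobs running as system are not filtered. Returns true if a
// condition was added.
function restrictIncidentQuery(current, gs) {
  if (!gs.isInteractive()) return false;
  if (gs.hasRole('admin') || gs.getUser().isMemberOf(CYBER_GROUP)) return false;
  current.addQuery('u_created_by_form', '!=', SECURITY_FORM);
  return true;
}

// ---- constructed stand-ins for GlideUser / GlideSystem / GlideRecord (offline only) ----
class FakeUser {
  constructor(groups) { this.groups = groups; }
  isMemberOf(group) { return this.groups.includes(group); }
}
function makeGs({ roles = [], groups = [], interactive = true } = {}) {
  return {
    hasRole: (role) => roles.includes('admin') || roles.includes(role), // admin implies every role
    getUser: () => new FakeUser(groups),
    isInteractive: () => interactive,
  };
}
class FakeGlideRecord {
  constructor(fields) { this.fields = fields; this.queries = []; }
  getValue(field) { return this.fields[field]; }
  addQuery(field, op, value) { this.queries.push({ field, op, value }); }
  // evaluate the collected '=' / '!=' conditions against one row
  matches(row) {
    return this.queries.every((q) =>
      q.op === '!=' ? row[q.field] !== q.value : row[q.field] === q.value);
  }
}

// Constructed sample data: one ordinary incident, one raised via the security record producer.
const SAMPLE_INCIDENTS = [
  { number: 'INC0010001', u_created_by_form: 'Generic Incident' },
  { number: 'INC0010002', u_created_by_form: SECURITY_FORM },
];

// Which incident numbers a user ends up reading with the query rule, the ACL, or both.
function visibleIncidents(gs, { useQueryRule = true, useAcl = true } = {}) {
  const query = new FakeGlideRecord({});
  if (useQueryRule) restrictIncidentQuery(query, gs);
  return SAMPLE_INCIDENTS
    .filter((row) => query.matches(row))
    .filter((row) => !useAcl || incidentReadAllowed(new FakeGlideRecord(row), gs))
    .map((row) => row.number);
}

const itilUser = makeGs({ roles: ['itil'] });
const cyberUser = makeGs({ roles: ['itil'], groups: [CYBER_GROUP] });
const systemJob = makeGs({ interactive: false });
console.log('itil user, both layers:', visibleIncidents(itilUser));
console.log('cyber team member:', visibleIncidents(cyberUser));
// A script running as system: query rule skipped, and GlideRecord does not enforce ACLs.
console.log('non-interactive script:', visibleIncidents(systemJob, { useAcl: false }));
```

The ACL check alone already stops the read (the itil user sees a row count but cannot open the record, as Patrick describes); the query rule alone hides the row but is only a filter, which is why the example treats it as the second layer rather than the only one.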