Parent Group members able to see Incidents of their Group and all child Groups

AnilM99
Tera Expert

Hi Team,

I have a requirement:

1. Parent group members can see their incidents and all child group incidents.

2. Child group members can only see their group incidents, but they should not see their parent groups or the other groups.

3. The above conditions should apply only for the ServiceDesk group and their child groups. This should not affect the other groups.

 

Thanks,

Anil!

 

 


Its_Azar
Tera Guru

Hi there @AnilM99 

 

  • You can use Access Control (ACL) rules and advanced scripting to control the visibility of incidents based on group hierarchy. Create an ACL script for the Incident table that checks if the current user belongs to the parent group or any child groups. Use the GlideRecord API to verify membership and modify the query accordingly.

Add a condition in the ACL script to apply these rules only to the ServiceDesk group and its child groups.

 

 

 

(function() {
    var user = gs.getUser();

    // Group names as they appear in sys_user_group
    var parentGroup = 'ServiceDesk';
    var childGroups = ['ServiceDeskChild1', 'ServiceDeskChild2'];

    // getMyGroups() returns group sys_ids in a Java collection, so it cannot be
    // searched by name; isMemberOf() accepts the group name directly
    var isParentGroupMember = user.isMemberOf(parentGroup);
    var isChildGroupMember = childGroups.some(function(group) {
        return user.isMemberOf(group);
    });

    if (isParentGroupMember) {
        return true;
    } else if (isChildGroupMember) {
        // assignment_group holds a sys_id; compare on the group's display name
        var incidentGroup = current.assignment_group.getDisplayValue();
        return childGroups.indexOf(incidentGroup) !== -1;
    }

    return false;
})();

 

 

 

If this helps, kindly accept the response. Thanks much.

 

☑️ If this helped, please mark it as Helpful or Accept Solution so others can find the answer too.




Kind Regards,

Mohamed Azarudeen Z

Developer @ KPMG

 Microsoft MVP (AI Services), India

Hi @Its_Azar 

Thanks for the reply,

I created a table-level read ACL, but it is not working.

 

Thanks 

Community Alums
Not applicable

Hi Anil,

As Azar suggested, you need to create an ACL and have an advanced script to return whether the member can read.

 

Try the code below:

 

(function() {
    var parentGroupName = 'ServiceDesk'; // Parent Group Name
    var childGroups = ['ServiceDeskChild1', 'ServiceDeskChild2']; // Child Groups Names

    // Get the current user
    var user = gs.getUser();

    // Check if user is in parent group. isMemberOf() accepts a group name;
    // getMyGroups() returns a Java collection of sys_ids, which has no some()
    var isParentGroupMember = user.isMemberOf(parentGroupName);

    // Check if user is in any child group
    var isChildGroupMember = childGroups.some(function(group) {
        return user.isMemberOf(group);
    });

    // Get the incident's assignment group (a sys_id)
    var incidentGroup = current.getValue('assignment_group');

    // Get group name from sys_id
    var incidentGroupName = '';
    if (incidentGroup) {
        var gr = new GlideRecord('sys_user_group');
        if (gr.get(incidentGroup)) {
            incidentGroupName = gr.name.toString();
        }
    }

    // Allow parent group members to see incidents from parent and child groups
    if (isParentGroupMember) {
        return incidentGroupName == parentGroupName || childGroups.indexOf(incidentGroupName) !== -1;
    }

    // Allow child group members to see their own group's incidents only
    if (isChildGroupMember) {
        return childGroups.indexOf(incidentGroupName) !== -1 && user.isMemberOf(incidentGroupName);
    }

    // Default deny
    return false;
})();

 

You need to create 2 ACLs: table.none and also table.*

Also review the existing ACLs.

 

If my response has resolved your query, please consider giving it a thumbs up and marking it as the correct answer!

 

Thanks & Regards,

Sanjay Kumar
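
The visibility rule this thread asks for, modelled as plain JavaScript that runs outside an instance (an added example, not code from any of the posters or from ServiceNow). It goes beyond the two hard-coded child names by walking each group's parent reference, so deeper nesting is covered as well. Assumptions: `GROUPS` and `MEMBERS` are constructed sample data standing in for group records and direct memberships, and the function names and the `null` "rule does not apply" result are hypothetical.

```javascript
// Constructed sample data: group id -> { name, parent id }.
const GROUPS = {
  sd:  { name: 'ServiceDesk',       parent: null },
  sd1: { name: 'ServiceDeskChild1', parent: 'sd' },
  sd2: { name: 'ServiceDeskChild2', parent: 'sd' },
  net: { name: 'Network',           parent: null },
};
// Constructed sample data: user -> groups the user is a direct member of.
const MEMBERS = { alice: ['sd'], bob: ['sd1'], carol: ['net'], dave: ['sd2', 'net'] };
const ROOT = 'sd'; // the rule is scoped to this group and its descendants

// True when `group` equals `ancestor` or sits below it in the parent chain.
// The `seen` set stops the walk if the parent references form a loop.
function isSameOrBelow(group, ancestor, groups = GROUPS) {
  const seen = new Set();
  for (let id = group; id && groups[id] && !seen.has(id); id = groups[id].parent) {
    if (id === ancestor) return true;
    seen.add(id);
  }
  return false;
}

// Decision for one user and one incident assignment group:
//   null  -> incident is outside the ServiceDesk tree, this rule has no say
//   true  -> user is a direct member of the assignment group or of a tree group above it
//   false -> incident is inside the tree but the user's groups do not cover it
function canReadIncident(user, assignmentGroup, groups = GROUPS, members = MEMBERS) {
  if (!isSameOrBelow(assignmentGroup, ROOT, groups)) return null;
  return (members[user] || []).some(
    (g) => isSameOrBelow(g, ROOT, groups) && isSameOrBelow(assignmentGroup, g, groups)
  );
}

// Assignment groups a user can read under this rule, for reviewing the whole matrix.
function visibleGroups(user) {
  return Object.keys(GROUPS).filter((g) => canReadIncident(user, g) === true);
}
```
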