Prevent users with a custom role from seeing incidents outside an assignment group

snow2p
Tera Expert

Hi,

I have a custom role called "aa_test" that only needs to see and update incidents with the assignment group "Network". I have set up the data filtration record below, which works, but with side effects that are more than I bargained for:

snow2p_0-1735932549677.png

It works so that users with that role can only see the "Network" assignment group, but it also prevents admins and other users from seeing anything but "Network" assignment group incidents.


I tried to follow the instructions from the community post here to also exclude the itil role, but Role Criteria and subject criteria appear to allow 'is' conditions but not 'is NOT' conditions, at least for me.


Can someone suggest and show a screenshot of how I can limit views by my custom role AND still allow other roles to be unaffected?

1 ACCEPTED SOLUTION

snow2p
Tera Expert

In case anyone cares, I was able to accomplish this with the following ACLs AND I was able to do this without code, per my original desire.

ACLs for my custom role:

  • incident(read)
  • sys_db_object(read)
  • sys_db_object.*(read)
  • sys_dictionary(read)
  • sys_dictionary.*(read)

The incident (read) ACL has a data condition that provided the limitation that finally worked.

snow2p_0-1741996639434.png



6 REPLIES

Ankur Bawiskar
Tera Patron

@snow2p 

If this is for the incident table, then there is already a query BR on the incident table.

You can enhance it further:

restrictIncidents();

function restrictIncidents() {
    // Out-of-box guard: only restrict interactive users who lack the fulfiller roles.
    // gs.hasRole() returns true for admin users for any role, so admins never enter
    // this block and stay unrestricted.
    if (!gs.hasRole("itil") && !gs.hasRole("sn_incident_read") && gs.isInteractive()) {
        //Do NOT restrict Incidents if SPM premium plugin is active AND user has the service_viewer role.
        if (GlidePluginManager.isActive('com.snc.spm') && gs.hasRole('service_viewer'))
            return;
        if (GlidePluginManager.isActive('sn_fsm_itsm_mng') && gs.hasRole('wm_ext_agent'))
            return;
        // STRY52118544: ham_user is added to support incident read for reporting on HAM store app
        if (GlidePluginManager.isActive('com.sn_hamp') && gs.hasRole('sn_hamp.ham_user')) {
            return;
        }
        // DEF0330091: Allow query on OT Incident with sn_ot_incident_read role
        if (GlidePluginManager.isActive('com.sn_ot_inc_mgmt') && gs.hasRole("sn_ot_incident_read"))
            return;

        // Responders should be able to access all incidents 
        if (gs.hasRole("sn_sow_srm.srm_responder")) {
            return;
        }

        var u = gs.getUserID();
        if (gs.hasRole('aa_test')) {
            // Custom role: only incidents assigned to the "Network" group
            current.addQuery('assignment_group.name', 'Network');
        } else {
            // Everyone else: only incidents they raised, opened, or are watching
            current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
        }
    }
}

You will also have to ensure the table.None WRITE ACL is updated with similar logic so that they can write only to their tickets.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

@snow2p 

Hope you are doing good.

Did my reply answer your question?

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Hi Ankur,

I'm trying to minimize code to make the configuration transferable. Can the business rule be built w/o using the advanced tab? Also, do you know if the data filtration I tried can be modified (also no code)? The risk with code is that there is no guarantee that one admin will have the skills of another, and I've run into admins who freeze projects for weeks or months until they are able to understand custom code. 

Runjay Patel
Giga Sage

Hi @snow2p ,


You can create a before query business rule and use the code below.

(function executeRule(current, previous /*null when async*/) {
    // gs.hasRole() returns true for admin users for any role, which would restrict
    // admins as well; gs.hasRoleExactly() only matches users who actually hold the role.
    if (gs.hasRoleExactly('aa_test')) {
        // Restrict query to "Network" assignment group
        current.addQuery('assignment_group', 'Sys_id of Network group'); // replace with sys_id of Network group
    }
})(current, previous);


-------------------------------------------------------------------------

If you found my response helpful, please consider selecting "Accept as Solution" and marking it as "Helpful." This not only supports me but also benefits the community.


Regards
Runjay Patel - ServiceNow Solution Architect
YouTube: https://www.youtube.com/@RunjayP
LinkedIn: https://www.linkedin.com/in/runjay

-------------------------------------------------------------------------
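The two before-query business rules proposed in the replies above differ in exactly the way the original question is about: whether admins and itil users stay unaffected. The following is an added example, not code from the thread or from ServiceNow. It is a stand-alone Node.js model that mocks the few platform calls the rules touch (gs.hasRole, gs.hasRoleExactly, gs.getUserID, gs.isInteractive, and a GlideRecord-like `current` whose addQuery/addOrCondition filter an in-memory list) and runs three variants against constructed incidents and users. The group sys_ids, incident numbers and user names are all made up; the one behaviour it models deliberately is that gs.hasRole(r) is true for an admin user for any r, while gs.hasRoleExactly(r) is true only when the user actually holds r.

```javascript
// Added example (not from the thread): model of the before-query rules above.
// Constructed incidents and groups; sys_ids are hypothetical.
const NETWORK = { sys_id: 'grp-net-0001', name: 'Network' };
const DATABASE = { sys_id: 'grp-dba-0002', name: 'Database' };
const DESKTOP = { sys_id: 'grp-dsk-0003', name: 'Desktop' };
const INCIDENTS = [
  { number: 'INC0001', assignment_group: NETWORK,  caller_id: 'alice', opened_by: 'alice', watch_list: [] },
  { number: 'INC0002', assignment_group: DATABASE, caller_id: 'bob',   opened_by: 'carol', watch_list: ['alice'] },
  { number: 'INC0003', assignment_group: NETWORK,  caller_id: 'bob',   opened_by: 'bob',   watch_list: [] },
  { number: 'INC0004', assignment_group: DESKTOP,  caller_id: 'dave',  opened_by: 'dave',  watch_list: [] },
];

// Constructed users; the arrays stand in for sys_user_has_role.
const USERS = {
  alice: ['aa_test'],           // the custom role from the question
  bob:   ['itil'],              // fulfiller, must stay unaffected
  carol: ['admin'],             // admin, must stay unaffected
  dave:  [],                    // plain end user
  erin:  ['aa_test', 'admin'],  // admin who also holds the custom role
};

// Stand-in for GlideSystem. Modelled behaviour: gs.hasRole(r) is true for an
// admin for ANY r; gs.hasRoleExactly(r) is true only if the user holds r.
function makeGs(userId) {
  const roles = new Set(USERS[userId]);
  return {
    getUserID: () => userId,
    isInteractive: () => true,
    hasRole: (r) => roles.has('admin') || roles.has(r),
    hasRoleExactly: (r) => roles.has(r),
  };
}

// Resolve a (possibly dot-walked) field; reference fields compare by sys_id.
function getField(row, path) {
  const v = path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), row);
  return v !== null && typeof v === 'object' && !Array.isArray(v) ? v.sys_id : v;
}

function matches(row, [field, op, value]) {
  const v = getField(row, field);
  return op === 'CONTAINS' ? Array.isArray(v) && v.includes(value) : v === value;
}

// Stand-in for `current` in a before-query rule: addQuery() starts a new
// AND-ed condition, addOrCondition() ORs further terms onto that condition.
function makeQuery(rows) {
  const groups = [];
  return {
    addQuery(field, op, value) {
      if (value === undefined) { value = op; op = '='; }
      const group = [[field, op, value]];
      groups.push(group);
      const cond = { addOrCondition(f, o, v) {
        if (v === undefined) { v = o; o = '='; }
        group.push([f, o, v]);
        return cond;
      } };
      return cond;
    },
    results: () => rows.filter((r) => groups.every((g) => g.some((p) => matches(r, p)))),
  };
}

// Variant 1 (first reply): custom-role branch nested inside the out-of-box
// guard, so admins and itil users never enter the block.
function guardedRule(gs, current) {
  if (!gs.hasRole('itil') && !gs.hasRole('sn_incident_read') && gs.isInteractive()) {
    const u = gs.getUserID();
    if (gs.hasRole('aa_test')) {
      current.addQuery('assignment_group.name', 'Network');
    } else {
      current.addQuery('caller_id', u).addOrCondition('opened_by', u).addOrCondition('watch_list', 'CONTAINS', u);
    }
  }
}

// Variant 2 (second reply as posted): unguarded, using gs.hasRole.
function unguardedRule(gs, current) {
  if (gs.hasRole('aa_test')) current.addQuery('assignment_group', NETWORK.sys_id);
}

// Variant 3: the same rule with gs.hasRoleExactly, which admins do not satisfy.
function exactRule(gs, current) {
  if (gs.hasRoleExactly('aa_test')) current.addQuery('assignment_group', NETWORK.sys_id);
}

// Run one rule as the given user and return the incident numbers they can see.
function visibleIncidents(rule, userId) {
  const q = makeQuery(INCIDENTS);
  rule(makeGs(userId), q);
  return q.results().map((r) => r.number);
}

for (const [name, rule] of Object.entries({ guardedRule, unguardedRule, exactRule })) {
  for (const userId of Object.keys(USERS)) {
    console.log(`${name.padEnd(14)} ${userId.padEnd(6)} -> ${visibleIncidents(rule, userId).join(', ')}`);
  }
}
```

Run with `node`. Under the guarded rule, alice sees only the two Network incidents, dave sees only his own, and bob, carol and erin see everything. Under the unguarded rule, carol (admin, no aa_test) is cut down to the Network incidents, which is the side effect the question describes; switching to gs.hasRoleExactly removes it for carol, while erin, who genuinely holds aa_test alongside admin, is still restricted, so decide which of those two outcomes you want before choosing between the guard and the exact check. Variants 2 and 3 are standalone additions on a real instance and run beside the out-of-box rule, so the model only shows what they add, not the caller/opened_by restriction the platform rule still applies to plain users.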