
Query BR to restrict ritm of specific catalog item for non assignment group members

rambo1
Tera Guru

Hi Team ,

 

I would like to restrict access to RITMs of a specific catalog item for any user who is not a member of the assignment group and who is not a member of the group named 'x'.

3 REPLIES 3

Omkar Mone
Mega Sage

Why are you looking for a Query BR? You can go with an ACL.

 

Write a read acl on sc_req_item and write the code in script box to check for assignment group.

It's mandatory to provide a role in an ACL, and I don't have any role to give in the ACL. Also, a query BR is recommended, as OOTB ACLs might provide access.

You could have something like this - 

 

// Business rule body: ask the script include for an encoded query string and
// add it to the query being built, so only matching RITMs are returned.
current.addQuery(
    new RITMRestrictionHelper().getValidRITMs(current)
);
 
Script include - 
 
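var RITMRestrictionHelper = Class.create();
RITMRestrictionHelper.prototype = {
    initialize: function() {},

    /**
     * Build the encoded query that limits which sc_req_item records the
     * current user can see.
     *
     * Rule implemented: RITMs of the restricted catalog item are visible only
     * to members of the RITM's assignment group or of group 'x'. RITMs of any
     * other catalog item are left unfiltered.
     *
     * Differences from the earlier version of this helper:
     *  - It no longer reads current.assignment_group. When called from a
     *    before-query business rule, `current` is the query being built, not a
     *    loaded record, so that field has no value to compare against.
     *  - It no longer pushes a group sys_id into a list that is later used as
     *    `sys_idIN` on sc_req_item (that condition could never match a RITM).
     *  - Members of group 'x' are now exempt from the filter instead of being
     *    locked out with `sys_id=-1`.
     *  - It no longer loads every RITM sys_id and writes them to the log on
     *    each query; the filter is expressed as a condition on the RITM's own
     *    fields instead.
     *
     * @param {GlideRecord} current - Kept for caller compatibility; not read.
     * @returns {string} Encoded query to add to the sc_req_item query. Always
     *     non-empty so the caller can pass it straight to addQuery().
     */
    getValidRITMs: function(current) {
        var userId = gs.getUserID();
        var groupXId = 'sys_id'; // Replace with the Sys ID of group 'x'
        var restrictedItemId = 'sys_id'; // Replace with the Sys ID of the restricted catalog item
        // NOTE(review): while either placeholder above is left unchanged the
        // filter does not restrict anything useful - set both before enabling
        // the business rule.

        // Collect the groups the user belongs to from sys_user_grmember rows.
        var memberGroupIds = [];
        var isGroupXMember = false;
        var grMember = new GlideRecord('sys_user_grmember');
        grMember.addQuery('user', userId);
        grMember.query();
        while (grMember.next()) {
            // getValue() yields the plain sys_id string rather than a field object.
            var groupId = String(grMember.getValue('group'));
            if (groupId == groupXId) {
                isGroupXMember = true;
            }
            memberGroupIds.push(groupId);
        }

        // Members of group 'x' see every RITM: return a condition that is
        // true for all records so the caller's addQuery() stays valid.
        if (isGroupXMember) {
            return 'sys_idISNOTEMPTY';
        }

        // Everyone else: any RITM that is not the restricted item, plus
        // restricted-item RITMs assigned to one of the user's own groups.
        var restriction = 'cat_item!=' + restrictedItemId;
        if (memberGroupIds.length > 0) {
            restriction += '^ORassignment_groupIN' + memberGroupIds.join(',');
        }

        // Debug level only: this runs on every sc_req_item query.
        gs.debug("RITMRestrictionHelper: applying RITM filter: " + restriction);
        return restriction;
    },

    type: 'RITMRestrictionHelper'
};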

 

You might need to tweak it a bit to get the outcome, as I had tried it on my PDI for incident.