Read ACL not working

Nitesh Balusu
Giga Guru

The requirement is: we have a security incidents application.
There is a group called xyz.
1) When an incident is assigned to this group only the caller, opened by and members of that group should be able to see incidents assigned to this group.
2) If the incident is reassigned to a different group, then the previous group, new group, the caller and the opened by should see the incident.

Even the first part of the requirement is not working for some reason and I cannot use a before query business rule because they don't support conditions and ACL is not working.

Any thoughts on this please?

5 REPLIES

Ct111
Tera Sage

Both the points are conflicting each other.

Should I sum it as both the groups the new one and old one should see the incident?

Note: Once you write this code isMemberOf('.....') then only the member of that group can see that not the earlier ones.

So comment that line. Anyways reading the incident doesn't give them write unless you have allowed in write ACL.

Mark my ANSWER as CORRECT n HELPFUL if it helped.

Yeah I understand both are conflicting each other. I'd probably give them the 1st part for now, even that isn't working. 

So the caller, opened by and members of that assignment group should be able to see the security incident.

The SN Nerd
Giga Sage

When you say "it isn't working" do you mean to say that the caller and group members can read when they shouldn't or can't read when they should?
I'm going to assume the latter.
This is how I would do this:


Requirement 1

Only one ACL needs to pass for someone to have access, so I would lay it out like this to minimise the scripting required

1) ACL for Opened by or Caller

Security Incident - Read 

Condition: Assignment group IS security insider AND opened by is DYNAMIC me OR caller is DYNAMIC me

Script: none

2) ACL for group member

Security Incident - Read 

Condition: assignment group IS security insider

Script: answer = gs.getUser().isMemberOf('security_insider_threat_global');

You may also need write ACLs.

P.S: It is possible to do with before query, let me know if you need help with that.

Requirement 2

I wouldn't do this as it is quite messy, but if you really have to, you would need to create a field that flags when a Security Incident is assigned from the group then back again.
Then, use that flag in your ACL.


ServiceNow Nerd
ServiceNow Developer MVP 2020-2022
ServiceNow Community MVP 2019-2022
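
Added example, not part of the thread and not ServiceNow code: a simplified JavaScript model of the rule stated in the reply above, that only one ACL needs to pass, showing how any other passing read ACL on the table overrides the two restrictive ones. It assumes the OR in the first condition groups with "opened by"; the role-only ACL, the role name `example_reader` and the sample record and users are constructed for illustration.

```javascript
// Simplified model of read-ACL evaluation; not ServiceNow's engine.
const GROUP = 'security insider'; // group named in the ACL conditions above

// One ACL passes only when its condition AND its script are both true.
function aclPasses(acl, user, rec) {
  return acl.condition(user, rec) && acl.script(user, rec);
}

// Access is granted as soon as ANY read ACL for the table passes.
function canRead(acls, user, rec) {
  return acls.some((acl) => aclPasses(acl, user, rec));
}

// Names of the ACLs that let this user in: the first thing to check when
// a read succeeds that should have been denied.
function passingAcls(acls, user, rec) {
  return acls.filter((acl) => aclPasses(acl, user, rec)).map((acl) => acl.name);
}

const always = () => true;
const assignedToGroup = (user, rec) => rec.assignment_group === GROUP;

// The two ACLs from the reply above. Assumption: the OR groups with
// "opened by", i.e. group AND (opened by me OR caller is me).
const openedByOrCaller = {
  name: 'opened by or caller',
  condition: (user, rec) => assignedToGroup(user, rec) &&
    (rec.opened_by === user.id || rec.caller === user.id),
  script: always,
};
const groupMember = {
  name: 'group member',
  condition: assignedToGroup,
  script: (user) => user.groups.includes('security_insider_threat_global'),
};
// Hypothetical ACL already on the table: role check only, no condition.
const roleOnly = {
  name: 'role only (hypothetical)',
  condition: always,
  script: (user) => user.roles.includes('example_reader'),
};

// Constructed sample record and users.
const incident = { assignment_group: GROUP, opened_by: 'alice', caller: 'bob' };
const outsider = { id: 'carol', groups: [], roles: ['example_reader'] };
const member = { id: 'dave', groups: ['security_insider_threat_global'], roles: [] };
const restrictive = [openedByOrCaller, groupMember];
console.log(passingAcls([...restrictive, roleOnly], outsider, incident));
```
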

Hello Paul!

Yes the ACL is just returning true when it is not supposed to, I did try your ACLs as well and still the same is happening. I am curious about how you would achieve requirement 1 using a before query rule. Could you point me in that direction instead? I would choose that over an ACL.

As for requirement 2, I feel the same, I'll just let them know it can't be done.

Thanks!