Requesting Help on ACLs
3 weeks ago - last edited 3 weeks ago
Hi All,
Kindly help me fix the ACL below.
The 'helpdesk1' user is a member of 'Help Desk-DF'. 'HelpDesk-DF' group members will have only the snc_internal role; they should be able to see incidents where the Help Desk-DF (u_helpdesk_df) field is not empty.
READ ACL: Incident - None -

    (function() {
        // Group membership of the logged-in user
        var helpdeskdfgrp = gs.getUser().isMemberOf("Help Desk - DF");
        var logginUser = gs.getUserID();
        // True when the Help Desk-DF field on the record is populated
        var helpdeskdf = !gs.nil(current.u_helpdesk_df);
        if (helpdeskdf && helpdeskdfgrp && logginUser) {
            answer = true;
            return;
        }
        if (helpdeskdf && !helpdeskdfgrp && logginUser) {
            answer = false;
            return;
        }
    })();

There are two incidents in the above screenshot.
Now, impersonating the 'helpdesk1' user, he is able to see only a single record; he is not able to see the incidents where the Help Desk-DF (u_helpdesk_df) field is not empty.
Kindly help me make the incidents where the Help Desk-DF (u_helpdesk_df) field is not empty available.
Please share some advice.
3 weeks ago - last edited 3 weeks ago
Just changing the ACL won't help.
If you don't update the OOTB query BR, then that user won't see the data, as it might be restricted by the query BR.
There is an OOTB query BR on the incident table; you need to update the logic there as well.
💡 If my response helped, please mark it as correct ✅ and close the thread 🔒— this helps future readers find the solution faster! 🙏
Ankur
✨ Certified Technical Architect || ✨ 10x ServiceNow MVP || ✨ ServiceNow Community Leader
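
The reply above says the incident query business rule has to change along with the ACL, because a row the query filters out never reaches ACL evaluation. The following is an added example (not code from the thread or from ServiceNow) of one such change to the rule's final caller_id / opened_by / watch_list filter. It assumes the group name from the poster's ACL script and a `'!=', ''` test for "not empty"; `fakeGs`, `fakeCurrent`, `matches` and `visibleNumbers` are hypothetical helpers that stand in for the platform so the logic runs offline.

```javascript
// Added example. gs and current are parameters so the rule runs outside an instance.
const GROUP = 'Help Desk - DF'; // group name as written in the thread's ACL script

function restrictIncidents(gs, current) {
  // Same outer test as the OOB rule; its other role exemptions are omitted here.
  if (gs.hasRole('itil') || gs.hasRole('sn_incident_read') || !gs.isInteractive()) return;
  const u = gs.getUserID();
  const cond = current.addQuery('caller_id', u)
    .addOrCondition('opened_by', u)
    .addOrCondition('watch_list', 'CONTAINS', u);
  // Assumed change: members of GROUP also match rows where u_helpdesk_df is set.
  if (gs.getUser().isMemberOf(GROUP)) cond.addOrCondition('u_helpdesk_df', '!=', '');
}

// Constructed stand-ins for the platform objects; they only record conditions.
function fakeGs(user) {
  return {
    hasRole: (r) => user.roles.includes(r),
    isInteractive: () => true,
    getUserID: () => user.id,
    getUser: () => ({ isMemberOf: (g) => user.groups.includes(g) }),
  };
}
function fakeCurrent() {
  const conds = [];
  const chain = { addOrCondition: (...a) => { conds.push(a); return chain; } };
  return { conds, addQuery: (...a) => { conds.push(a); return chain; } };
}
// Evaluate the recorded OR-chain against one row (no conditions = unrestricted).
function matches(conds, row) {
  return conds.length === 0 || conds.some(([field, op, value]) => {
    if (value === undefined) return row[field] === op; // two-argument form: equals
    if (op === 'CONTAINS') return String(row[field] || '').includes(value);
    return (row[field] || '') !== value; // '!='
  });
}
function visibleNumbers(user, rows) {
  const current = fakeCurrent();
  restrictIncidents(fakeGs(user), current);
  return rows.filter((r) => matches(current.conds, r)).map((r) => r.number);
}

// Constructed sample user and incidents.
const helpdesk1 = { id: 'helpdesk1', roles: ['snc_internal'], groups: [GROUP] };
const rows = [
  { number: 'INC-A', caller_id: 'helpdesk1', opened_by: 'helpdesk1', watch_list: '', u_helpdesk_df: '' },
  { number: 'INC-B', caller_id: 'enduser1', opened_by: 'enduser1', watch_list: '', u_helpdesk_df: 'true' },
  { number: 'INC-C', caller_id: 'enduser2', opened_by: 'enduser2', watch_list: '', u_helpdesk_df: '' },
];
```

Rows that pass this filter are still subject to the read ACLs, so the group needs a passing ACL as well.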
3 weeks ago
Hope you are doing good.
Did my reply answer your question?
Ankur
3 weeks ago - last edited 3 weeks ago
Hi @Ankur Bawiskar, thanks for the reply.
This is the OOB query code.
In my opinion it is better to use an ACL rather than the query BR,
so I deactivated the OOB query business rule below.

    restrictIncidents();

    function restrictIncidents() {
        if (!gs.hasRole("itil") && !gs.hasRole("sn_incident_read") && gs.isInteractive()) {
            //Do NOT restrict Incidents if user has the service_viewer role.
            if (gs.hasRole('service_viewer'))
                return;
            if (GlidePluginManager.isActive('sn_fsm_itsm_mng') && gs.hasRole('wm_ext_agent'))
                return;
            // STRY52118544: ham_user is added to support incident read for reporting on HAM store app
            if (GlidePluginManager.isActive('com.sn_hamp') && gs.hasRole('sn_hamp.ham_user')) {
                return;
            }
            // DEF0330091: Allow query on OT Incident with sn_ot_incident_read role
            if (GlidePluginManager.isActive('com.sn_ot_inc_mgmt') && gs.hasRole("sn_ot_incident_read"))
                return;
            // Responders should be able to access all incidents
            if (gs.hasRole("sn_sow_srm.srm_responder")) {
                return;
            }
            var u = gs.getUserID();
            current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
        }
    }

Created a new READ ACL - Table -None-

    (function() {
        // Group membership of the logged-in user
        var helpdeskdfgrp = gs.getUser().isMemberOf("Help Desk - DF");
        // True when the Help Desk-DF field on the record is populated
        var helpdeskdf = !gs.nil(current.u_helpdesk_df);
        if (helpdeskdf && helpdeskdfgrp) {
            answer = true;
            return;
        }
        if (helpdeskdf && !helpdeskdfgrp) {
            answer = false;
            return;
        }
    })();

Still not working.
3 weeks ago
Can I expect any suggestions, please?
