restrict access to tickets

jna2756
Tera Expert

‎07-11-2016 10:39 AM

Hi All,

I am trying to restrict users from being able to read tickets if they are marked restricted(custom true/false field) unless they are member of the group the ticket is in or is the "requested for".

I believe the best method would be to use a on-before Query Business Rule however I am having trouble getting the "addQuery" right.

I want to do the following with addQuery rather than addEncodedQuery as the addEncodedQuery doesn't seem to work right in the script section.

Encoded Query: u_restrict=true^assignment_groupDYNAMICd6435e965f510100a9ad2572f2b47744^ORu_requested_forDYNAMIC90d1921e5f510100a9ad2572f2b477fe^NQu_restrict=false

find_real_file.png

is it possible to do this with an addQuery statement?

Any help would be appreciated.

Thanks,

Joshua Anderson

Labels:
Preview file
25 KB
0 Helpfuls
  • 2,372 Views
23 REPLIES 23

jna2756
Tera Expert
In response to Chuck Tomasi

‎07-14-2016 06:06 AM

Hey Chuck,



It seems to be someting in specific with the "Or" condition at the end.



find_real_file.png


The bolded part of the code seems to be messing up


current.addEncodedQuery('u_restrict=true^assignment_groupDYNAMICd6435e965f510100a9ad2572f2b47744^ORu_requested_forDYNAMIC90d1921e5f510100a9ad2572f2b477fe^NQu_restrict=false');



is it possible to right the above query with "addQuery" and "addOrQuery"?



Thanks,


Joshua Anderson


Preview file
25 KB
0 Helpfuls

Chuck Tomasi
Tera Patron
In response to jna2756

‎07-14-2016 06:14 AM

Good detective work Joshua!



Yes, GlideRecord has an addOrCondition() method that can be used. I don't use it much because it gets rather messy with complex conditions.   That's when I usually turn to the addEncodedQuery() method.



You MAY be able to the first part as an encoded query, or series of addQuery calls, then tack on the addOrCondition() at the end since it is pretty simple in that respect.



GlideRecord - ServiceNow Wiki


0 Helpfuls

jna2756
Tera Expert
In response to Chuck Tomasi

‎07-14-2016 06:20 AM

Hi Chuck,



Thanks for the suggestion, I will try that.



Also, while digging I did find that "^NQ" part of the encoded query is actually a known problem with no workaround.



ServiceNow KB: PRB647484: Using operator (^NQ) in encoded queries causes incorrect reference links i...



Thanks,


Joshua Anderson


Joshua Cassity
Kilo Guru
In response to Chuck Tomasi

‎04-24-2017 06:18 AM

Can you provide an example of this?



We're having the same issue and our encoded query is a bit of a beast.. lol.



find_real_file.png



We're snagging the logged in user's department and putting it into the userDept variable.



Essentially we're trying to achieve the following:



If an Incident is Not Sensitive we want to show the user records to the logged in user where they are the caller, their department matches the caller's department, or the assignment group's department matches their department.



OR



If an Incident is Sensitive we want to show the user records to the logged in user where they are the caller or they are a member of the assignment group currently assigned within the Incident record.



Our Full Code is here: Before Query Business Rule on Incident Management Breaks System


Preview file
6 KB
0 Helpfuls

TrevorK
Kilo Sage

‎07-11-2016 12:45 PM

I am assuming you have considered this - but why wouldn't you just use an ACL?




I assume with the Business Rule based solution you are more removing them from plain view rather than removing the ability to access them, and if the user were to receive an email with a link to the item, then they would be able to open the item.



Whereas the ACL would lock it down so they could not read the item, no matter how hard they try or what links they have. Not only that, but it would be the fastest solution (performance wise) as well. The downside is that they will receive a message indicating something to the effect of "rows removed due to security constraints".


0 Helpfuls