Restrict ACL for the group

armanoj
Mega Sage

Hi,

 

I have one group for Operation, and that group has the role [sn_vdr_risk_asmt.vendor_assessor] in TPRM. This role has access to different tables through the OOB ACL configuration. So, I want to restrict access to a particular table to read-only. But this role [sn_vdr_risk_asmt.vendor_assessor] is a role in that Operation group. I want to restrict access to the particular table without removing the role from the group.


RadhaK432361738
Tera Contributor

Hello @armanoj ,

Please try the suggested solution and validate it.

 

Since the role sn_vdr_risk_asmt.vendor_assessor is already assigned to the Operation group, users are getting access through OOB TPRM ACLs.

If we do not want to remove the role from the group but still want to restrict access, then we should not modify OOB ACLs directly.

The better approach is to create custom Deny-Unless ACLs.

For the required table, create Deny-Unless ACLs for create, write, and delete operations so that Operation group users will have only read access.

For other tables where read access should be restricted, create read Deny-Unless ACLs.

Use ACL Script:

// Default: allow. Members of the Operation group fail the Deny-Unless check.
answer = true;
if (gs.getUser().isMemberOf('Operation')) {
    answer = false;
}

This way, the role can remain assigned to the group, OOB ACLs are not modified, and access can be restricted based on group membership.

 

Let me know your feedback in the comments, and if you face any issue, please share the error/details so we can review further.

Thanks.

 

pr8172510
Tera Guru
Hey @armanoj,

You can restrict access without removing the role by creating a new ACL that overrides the OOB permission for your specific table.


Create a "Deny Unless" ACL on your target table:

Field	Value
Type	record
Operation	read (and separate ones for write/delete)
Table	Your specific table
Decision Type	Deny Unless
Order	200 (higher than OOB ACLs)
Script:
(function executeRule(current, previous) {
    // Only allow read if user is NOT in the Operations group
    answer = !gs.getUser().isMemberOf('Your Operations Group Name');
})(current, previous);


For write/delete operations, simply return false:
(function executeRule(current, previous) {
    // Block all modifications for this group
    answer = false;
})(current, previous);

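The two answers above (RadhaK432361738's Deny-Unless ACLs with a group-membership script, and pr8172510's field table for the same ACL) describe how the custom rule combines with the out-of-box role ACL. The following is an added example, not code from the thread or from ServiceNow: it models that combination in plain JavaScript so the resulting permission matrix can be run offline. The `gs.getUser()` surface is replaced by a constructed `makeUser` stand-in, the ACL set is constructed for one table, and the combination rule (every applicable Deny Unless ACL must pass and at least one Allow If ACL must pass) is stated as an assumption.

```javascript
// Added example (not from the thread): offline model of how a custom
// "Deny Unless" ACL combines with the existing TPRM role ACL that the
// sn_vdr_risk_asmt.vendor_assessor role already satisfies.
// Assumed semantics: every applicable Deny Unless ACL must return true AND
// at least one applicable Allow If ACL must return true; otherwise deny.

// Minimal stand-in for the parts of the GlideUser API the ACL scripts use.
function makeUser(name, roles, groups) {
  return {
    getName: function () { return name; },
    hasRole: function (r) { return roles.indexOf(r) !== -1; },
    isMemberOf: function (g) { return groups.indexOf(g) !== -1; },
  };
}

// Script body of the proposed Deny Unless ACLs: members of the Operation
// group fail the check, everyone else passes.
function denyForOperationGroup(user) {
  var answer = true;
  if (user.isMemberOf('Operation')) {
    answer = false;
  }
  return answer;
}

// Constructed ACL set for one table. 'OOB' stands in for the existing role
// ACL (an Allow If rule on all operations); the custom Deny Unless rules
// cover create/write/delete only, so read stays governed by the OOB rule.
var ACLS = [
  { name: 'OOB vendor_assessor', type: 'allow_if',
    ops: ['read', 'create', 'write', 'delete'],
    check: function (u) { return u.hasRole('sn_vdr_risk_asmt.vendor_assessor'); } },
  { name: 'Custom deny create', type: 'deny_unless', ops: ['create'], check: denyForOperationGroup },
  { name: 'Custom deny write',  type: 'deny_unless', ops: ['write'],  check: denyForOperationGroup },
  { name: 'Custom deny delete', type: 'deny_unless', ops: ['delete'], check: denyForOperationGroup },
];

// Evaluate one operation for one user under the assumed combination rule.
function canAccess(user, op, acls) {
  var applicable = acls.filter(function (a) { return a.ops.indexOf(op) !== -1; });
  var denyUnless = applicable.filter(function (a) { return a.type === 'deny_unless'; });
  var allowIf = applicable.filter(function (a) { return a.type === 'allow_if'; });
  // A single failing Deny Unless rule is fatal regardless of the other ACLs.
  if (!denyUnless.every(function (a) { return a.check(user); })) return false;
  // Otherwise at least one Allow If rule must grant the operation.
  return allowIf.some(function (a) { return a.check(user); });
}

// Effective permission matrix for a user: what to review after an ACL change.
function effectiveAccess(user, acls) {
  var result = {};
  ['read', 'create', 'write', 'delete'].forEach(function (op) {
    result[op] = canAccess(user, op, acls);
  });
  return result;
}

// Constructed sample users: the Operation group member with the role, another
// role holder outside that group, and a group member without the role.
var operationUser = makeUser('ops.user', ['sn_vdr_risk_asmt.vendor_assessor'], ['Operation']);
var otherAssessor = makeUser('other.assessor', ['sn_vdr_risk_asmt.vendor_assessor'], ['Vendor Team']);
var noRoleUser = makeUser('guest', [], ['Operation']);

console.log('Operation group member:', effectiveAccess(operationUser, ACLS));
console.log('Other assessor        :', effectiveAccess(otherAssessor, ACLS));
console.log('No role               :', effectiveAccess(noRoleUser, ACLS));
```

Running it shows the intended outcome: the Operation group member keeps read but loses create, write and delete on that table, other holders of the role are unaffected, and a user without the role gets nothing, because the Deny Unless rules only ever remove access and never grant it. On a real instance the same matrix is what to verify with Access Analyzer after saving the ACLs.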
GlideFather
Tera Patron

ahoy @armanoj,

 

if you want one specific group with a given group role to have read access only while the other groups with that role keep full access, then add a condition to the existing ACL to reflect this

 

Once you proceed you can test it using Access Analyser:


 

_____
Answers generated by GlideFather. Check for accuracy.

Tanushree Maiti
Tera Patron

Hi @armanoj 

 

  • Navigate to System Security > Access Control and click New
  • Configure the new Write ACL:
    • Type: record
    • Operation: write
    • Name: Select the specific table you want to restrict (e.g., sn_vdr_risk_asmt_assessment).
  • Under the Requires role related list, add the sn_vdr_risk_asmt.vendor_assessor role.
  • Check the Advanced box and write the script

 

// Deny the operation to members of the Operation group; allow everyone else
// who already passes the Requires role condition.
if (gs.getUser().isMemberOf('Operation')) {
    answer = false;
} else {
    answer = true;
}

  • Submit it

 

Note: Do the same steps for Delete and Create.

 

 

Now create a Read ACL to override OOB ACL

  • Go to System Security > Access Control (ACL).
  • Click New
  • Fill in the ACL form:
    • Type: record
    • Operation: read
    • Name: Select the specific Table (e.g., [target_table_name].None or *).
  • In the Requires role related list, add the sn_vdr_risk_asmt.vendor_assessor role.

 

 

Please Accept the solution if it assisted you with your question & Mark this response as Helpful.
Regards
Tanushree Maiti
ServiceNow Technical Architect
LinkedIn: https://www.linkedin.com/in/tanushreemaiti