Restrict read access to records based on cat item
01-05-2022 05:49 AM
I have been asked to restrict read access to the sc_req_item table to only show records to users with the wis_api role to only see RITMs where the RITM item fulfillment group is Windows Info Services or the RITM assignment group is Windows Info Services.
I created this ACL:
but still cannot see any records when I impersonate the user with the role. Instead I get this:
Any thoughts?
01-05-2022 05:57 AM
Hi
Could you please tell me what type of ACL you are using here? Is it NONE or * for the read operation? And please verify whether there is any other ACL written on the sc_req_item table to read the records.
Please share a full screenshot of your ACL.
Please mark this correct and helpful if it solves your query or leads you in the correct direction.
Thanks,
Mohit Kaushik
01-05-2022 05:59 AM
Hi,
Please create a table level Read Operation ACL on RITM table and use the script below:
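// Groups referenced by the RITM: its assignment group and the catalog item's fulfillment group.
// On sc_req_item the catalog item reference field is cat_item.
var getRITMGroup = current.assignment_group.getDisplayValue();
var getFulGroup = current.cat_item.fulfillment_group.getDisplayValue();
// Grant read only when the logged-in user belongs to one of those groups.
if (gs.getUser().isMemberOf(getRITMGroup) || gs.getUser().isMemberOf(getFulGroup)) {
    answer = true;
} else {
    answer = false;
}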
Hope this helps. Please mark the answer as correct/helpful based on impact.
Regards,
Shloke
01-05-2022 06:02 AM
You need to validate whether the currently logged-in user is part of the group that is selected in Assignment Group or Fulfilment Group to decide if records need to be shown or not.
Also, I noticed the backend name of Fulfillment Group is "group", so you need to modify the script shared above. Please use the version below:
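// Groups referenced by the RITM: its assignment group and the catalog item's fulfillment group.
// On sc_req_item the catalog item reference field is cat_item; its fulfillment group field is "group".
var getRITMGroup = current.assignment_group.getDisplayValue();
var getFulGroup = current.cat_item.group.getDisplayValue();
// Grant read only when the logged-in user belongs to one of those groups.
if (gs.getUser().isMemberOf(getRITMGroup) || gs.getUser().isMemberOf(getFulGroup)) {
    answer = true;
} else {
    answer = false;
}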
Please let me know in case you are facing an issue.
Regards,
Shloke
01-05-2022 06:22 AM
The user in question is not a member of the group and won't be. The purpose of this is to restrict API access to only the records that are assigned to that group or where the group is the fulfiller group on the cat item for the RITM.
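
The requirement in the last post, written out as an added example (not code from any poster in this thread): read access depends on the wis_api role plus the groups on the RITM itself, not on the user's group membership. The function `canReadRitm`, the mock `gs` and `current` objects and the sample records are constructed for illustration; the example assumes the catalog item reference on sc_req_item is `cat_item` and its fulfillment group field is `group`.

```javascript
// Added example: the ACL decision as a plain function so it runs outside an instance.
// In an ACL script the last line would be: answer = canReadRitm(current, gs);
var WIS_GROUP = 'Windows Info Services';

// Display value of a reference field, or '' when the reference is empty.
function displayValue(field) {
    return field && typeof field.getDisplayValue === 'function' ? field.getDisplayValue() : '';
}

function canReadRitm(current, gs) {
    // Deny by default: without the role, no RITM is readable through this rule.
    // (On a real instance gs.hasRole() also returns true for admin users.)
    if (!gs.hasRole('wis_api')) {
        return false;
    }
    var assigned = displayValue(current.assignment_group);
    var fulfiller = current.cat_item ? displayValue(current.cat_item.group) : '';
    // Compare the record's groups to the target group; membership is not checked.
    return assigned === WIS_GROUP || fulfiller === WIS_GROUP;
}

// ---- Constructed stand-ins for the platform objects ----
function ref(name) {
    return { getDisplayValue: function () { return name; } };
}
function mockGs(roles) {
    return { hasRole: function (role) { return roles.indexOf(role) !== -1; } };
}
function ritm(assignmentGroup, fulfillmentGroup) {
    return { assignment_group: ref(assignmentGroup), cat_item: { group: ref(fulfillmentGroup) } };
}

var apiUser = mockGs(['wis_api']);
var otherUser = mockGs(['itil']);

console.log(canReadRitm(ritm('Windows Info Services', 'Service Desk'), apiUser));
console.log(canReadRitm(ritm('Network', 'Windows Info Services'), apiUser));
console.log(canReadRitm(ritm('Network', 'Service Desk'), apiUser));
console.log(canReadRitm(ritm('Windows Info Services', 'Service Desk'), otherUser));
```

Matching on the group's sys_id instead of its display name keeps the rule working if the group is renamed.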