Restrict records based on field value in before query business rule

Robbie Lacivita
Tera Guru

I am trying to use a before query business rule to control access to Incidents if a user has a certain role based on a field value.  With the way our organization is set up, and the way we need access done, using a business rule makes more sense than using ACLs.

I tried to copy the incident query business rule, and modify it to meet my need, but I can't seem to get it to work. It's currently granting access to all records. I think my issue lies with the qc variable.

We have a table set up that contains all of our systems, which is what I am separating on. I would like to say if the u_system field is system one, then a user with a role System 1 Incident Modify can view those records.

if (gs.hasRole("System 1 Incident Modify") && gs.isInteractive()) {
  var u = new GlideRecord('u_org_systems');
	sys.addQuery('u_org_system_name','CONTAINS','System 1');
	sys.query();
	sys.next();
  var qc = current.addQuery('u_system', u);
  gs.print("query restricted to system: " + u);
}

Thanks!

Robbie

1 ACCEPTED SOLUTION

Omkar Mone
Mega Sage

Hi 

Try this once :- 

if (gs.hasRole("System 1 Incident Modify") && gs.isInteractive()) {
  var u = new GlideRecord('u_org_systems');
  u.addQuery('u_org_system_name','CONTAINS','System 1');
  u.query();
  while (u.next()) {
    var qc = current.addQuery('u_system', u);
    gs.print("query restricted to system: " + u);
  }
}


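Added example, not part of the thread and not ServiceNow code: a plain-JavaScript model of two edge cases for a before query rule like the one above, where the lookup on u_org_systems matches several rows or none. MiniQuery and the sample records are constructed stand-ins, and it assumes u_system is a reference field holding a sys_id.

```javascript
// Added example: plain-JavaScript model of a before query rule, runnable in Node.
// MiniQuery is a hypothetical stand-in for the query on `current`, not ServiceNow code.
// Like repeated addQuery() calls on one GlideRecord, its conditions are ANDed.
class MiniQuery {
  constructor(rows) { this.rows = rows; this.conds = []; }
  addQuery(field, op, value) { this.conds.push({ field, op, value }); return this; }
  run() {
    return this.rows.filter(r => this.conds.every(c =>
      c.op === 'IN' ? c.value.includes(r[c.field]) : r[c.field] === c.value));
  }
}

// Constructed sample data: u_system is assumed to be a reference holding a sys_id.
const SYSTEMS = [
  { sys_id: 'sys-1a', u_org_system_name: 'System 1 East' },
  { sys_id: 'sys-1b', u_org_system_name: 'System 1 West' },
  { sys_id: 'sys-2', u_org_system_name: 'System 2' },
];
const INCIDENTS = [
  { number: 'INC001', u_system: 'sys-1a' },
  { number: 'INC002', u_system: 'sys-1b' },
  { number: 'INC003', u_system: 'sys-2' },
];

const matchingIds = (systems, fragment) =>
  systems.filter(s => s.u_org_system_name.includes(fragment)).map(s => s.sys_id);

// One condition per matched system: the conditions are ANDed, so two matches
// return nothing, and zero matches add no condition and return everything.
function restrictPerRow(systems, fragment, incidents) {
  const q = new MiniQuery(incidents);
  matchingIds(systems, fragment).forEach(id => q.addQuery('u_system', '=', id));
  return q.run().map(r => r.number);
}

// A single IN condition over the collected sys_ids. An empty list still adds
// the condition, so a failed lookup hides every record instead of exposing all.
function restrictWithIn(systems, fragment, incidents) {
  const q = new MiniQuery(incidents);
  q.addQuery('u_system', 'IN', matchingIds(systems, fragment));
  return q.run().map(r => r.number);
}

console.log(restrictPerRow(SYSTEMS, 'System 1', INCIDENTS));
console.log(restrictWithIn(SYSTEMS, 'System 1', INCIDENTS));
console.log(restrictPerRow(SYSTEMS, 'System 9', INCIDENTS));
console.log(restrictWithIn(SYSTEMS, 'System 9', INCIDENTS));
```
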
8 REPLIES

rahulpandey
Kilo Sage

Hi,

I think you just wanted to restrict it where u_system CONTAINS System 1

if (gs.hasRole("System 1 Incident Modify") && gs.isInteractive()) {
var qc = current.addQuery('u_system', 'CONTAINS', 'System 1'); 
}

Also, an ACL is a way better option than a before business rule, which you may realise in a later part of the implementation.

Nishant16
Tera Expert

I want to restrict the attachments on the Security Incident table only to sn_si_analysts, and the attachments created by end user should only see those attachments. Below is the script; can someone help with what I am doing wrong here?

(function executeRule(current, previous /*null when async*/) {

    // Add your code here
    // For interactive users without the analyst role, limit the query to
    // records they created or last updated.
    if (current.table_name == 'sn_si_incident' && !gs.hasRole('sn_si.analyst') && gs.getSession().isInteractive()) {
        var u = gs.getUserName();
        var q = current.addQuery('sys_created_by', u);
        q.addOrCondition('sys_updated_by', u);
        gs.log('query restricted for user: ' + u);
    }
})(current, previous);