Restrict the users to access the portal page or catalog item if they are not part of the record

Amit Rao
Tera Expert

Hi Experts,

 

Issue: other users who are not part of the record can still view the page or catalog item associated with it;

they should get an 'Access Denied' error.

When a user who is part of the record opens the catalog item, that user can view the record details, which is expected. But if this user shares the page link with another user who is not part of the record, the other user is also able to view the page and catalog item.

Users that should be able to access the item:
Manager (u_manager)
Program manager (u_prg_manager)
Lead (u_lead)


Ravi Gaurav
Giga Sage

Hi @Amit Rao 

 

You can use the OOTB User Criteria (Available for) option on the Service Catalog item, and in the Advanced section you can call the script include below:

Give it a try and keep me posted:

 

Script Include:

var CatalogAccessCheck = Class.create();
CatalogAccessCheck.prototype = {
    initialize: function() {},

    // Returns true when the logged-in user's sys_user record has one of the
    // three custom reference fields populated, false otherwise.
    canAccessCatalog: function() {
        var userId = gs.getUserID();
        var gr = new GlideRecord('sys_user');
        if (!gr.get(userId)) {
            return false; // no user record found: deny
        }

        // Example logic: check whether the manager, program manager, or lead
        // fields are set. Assuming these are custom reference fields on the
        // sys_user table; a reference field counts as "set" when it is not
        // empty (comparing a reference field to true never matches).
        if (!gr.u_manager.nil() || !gr.u_prg_manager.nil() || !gr.u_lead.nil()) {
            return true;
        }

        return false;
    },

    type: 'CatalogAccessCheck'
};

And in the Advanced section of the User Criteria call this:

var checker = new CatalogAccessCheck();
return checker.canAccessCatalog();

 

--------------------------------------------------------------------------------------------------------------------------


If you found my response helpful, I would greatly appreciate it if you could mark it as "Accepted Solution" and "Helpful."
Your support not only benefits the community but also encourages me to continue assisting. Thank you so much!

Thanks and Regards
Ravi Gaurav | ServiceNow MVP 2025,2024 | ServiceNow Practice Lead | Solution Architect
CGI
M.Tech in Data Science & AI

 YouTube: https://www.youtube.com/@learnservicenowwithravi
 LinkedIn: https://www.linkedin.com/in/ravi-gaurav-a67542aa/

M Iftikhar
Mega Sage

Hi @Amit Rao ,

  1. UI Policy / Client Script (for Catalog Items UI)

    • On onLoad(), check if the logged-in user has one of the required roles (u_manager, u_prg_manager, u_lead).

    • If not, display a message (using g_form.addInfoMessage() or modal) and redirect them away, or abort loading.

    Example Client Script:

    function onLoad() {
        if (!g_user.hasRoleExactly('u_manager') && 
            !g_user.hasRoleExactly('u_prg_manager') && 
            !g_user.hasRoleExactly('u_lead')) {
            
            g_form.addInfoMessage("Access Denied: You are not authorized to view this catalog item.");
            setTimeout(function() {
                window.location = '/sp'; // redirect to service portal homepage
            }, 2000);
        }
    }

  2. ACLs (Best Practice for Security)

    • Create a record ACL on the catalog item’s table (sc_cat_item or custom table).

    • Condition: Allow read access only if the user has u_manager, u_prg_manager, or u_lead.

    • All others will automatically get “Access Denied” without any UI scripting.

    • This is the most secure and recommended way because it enforces access control at the server level, not just the client/browser.

    Example ACL Script (Condition):

    answer = gs.hasRole('u_manager') || gs.hasRole('u_prg_manager') || gs.hasRole('u_lead');


Recommendation:

  • Use ACLs to restrict access at the server level (most secure).

  • Optionally, add a Client Script to show a friendly “Access Denied” message and redirect unauthorized users.

Reference:
YouTube – ServiceNow ACLs Tutorial



Thanks & Regards,
Muhammad Iftikhar
If my response helped, please mark it as the accepted solution so others can benefit as well.
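Both replies above come down to one server-side rule, so here is one added example that is not code from either reply and uses no ServiceNow API: plain JavaScript that models the check. It assumes the record carries the three user-reference fields listed in the question (u_manager, u_prg_manager, u_lead) holding user sys_ids; the record, the user ids and the in-memory table standing in for GlideRecord are constructed sample data. It shows why a guard that only runs in the client script leaves a shared link working, while the same condition evaluated on the server (the ACL or User Criteria approach) returns "Access denied" to anyone who is not named on the record.

```javascript
// Added example for this thread (not code from either reply, not a ServiceNow
// API): plain Node.js model of the server-side rule both answers rely on.
// Every id, record and table below is constructed sample data.

// Reference fields on the record that name the users allowed to open it
// (the three fields listed in the question).
const MEMBER_FIELDS = ['u_manager', 'u_prg_manager', 'u_lead'];

// Constructed sample record: each member field holds a user sys_id
// (placeholder ids, not real ones).
const SAMPLE_RECORD = {
  sys_id: 'rec_0001',
  u_application_id: '0000',
  u_manager: 'usr_manager',
  u_prg_manager: 'usr_prg_manager',
  u_lead: 'usr_lead',
};

// Constructed in-memory table keyed by sys_id, standing in for a GlideRecord lookup.
const SAMPLE_DB = { [SAMPLE_RECORD.sys_id]: SAMPLE_RECORD };

// The whole access rule: the caller is allowed only if their sys_id appears in
// one of the member fields. An empty field or an empty caller never matches,
// so a record with a blank u_lead does not let an anonymous caller through.
function isRecordMember(record, callerSysId) {
  if (!record || !callerSysId) return false;
  return MEMBER_FIELDS.some(function (field) {
    return Boolean(record[field]) && record[field] === callerSysId;
  });
}

// What the server does when a request for ?sys_id=... arrives.
// enforceOnServer === false models the situation in the question: the page
// only hides data in the browser, so anyone holding the link still receives
// the record. enforceOnServer === true is the ACL / User Criteria behaviour.
function handleRequest(db, requestedSysId, callerSysId, enforceOnServer) {
  const record = db[requestedSysId];
  if (!record) return { status: 404, body: 'Not found' };
  if (enforceOnServer && !isRecordMember(record, callerSysId)) {
    return { status: 403, body: 'Access denied' };
  }
  return {
    status: 200,
    body: { sys_id: record.sys_id, u_application_id: record.u_application_id },
  };
}

// Stand-alone demonstration: the same outsider, same shared link, two outcomes.
const OUTSIDER = 'usr_outsider';
console.log('client-only guard :', handleRequest(SAMPLE_DB, 'rec_0001', OUTSIDER, false).status); // 200
console.log('server-side check :', handleRequest(SAMPLE_DB, 'rec_0001', OUTSIDER, true).status);  // 403
console.log('named lead        :', handleRequest(SAMPLE_DB, 'rec_0001', 'usr_lead', true).status); // 200
```

In a ServiceNow ACL script the equivalent condition is roughly `answer = current.getValue('u_manager') == gs.getUserID() || ...` over the same three fields, and the User Criteria advanced script computes the same thing; the client script from the reply above then only improves the message the rejected user sees, it does not decide access.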

There is no specific role that needs to be checked.
For example, below are the record details:
sys id - ccaef61bdb17c344f945f9a41d961998
Application id - 9094

Manager (u_manager) - arun.rao

Program manager (u_prg_manager) - ankit.patil

Lead (u_lead) - sumit.rai
So if the above users open the catalog item to update anything in this record, they should be able to update it (expected).

Issue: another user (neha.raut) is not part of this record, but if someone shares the link to the catalog item, this other user is able to view the item and the record details are populated.
Expectation: it should show the error 'Access denied' to the other user, as this user is not part of the record.







Ankur Bawiskar
Tera Patron

@Amit Rao 

Your question is not clear.

The user is part of which record?

Share some screenshots and a valid business requirement.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader