Restrict the users to access the portal page or catalog item if they are not part of the record

Amit Rao · 10 hours ago

Hi Experts,

Issue - the other users who are not part of the record can still view the page or catalog item associated with it,

they should get an 'Access Denied' error.

When a user tries to open the catalog item and is part of the record then user is able to view the record details which is expected but this user shares this page link to other user who is not part of the record and the other user is able to view the page and catlog item.

Users that should be able to a access the item:
Manager (u_manager)
Program manager(u_prg_manager)
Lead(u_lead)

Amit Rao · 7 hours ago

Catalog item - My application

Step 1 - when My application form is opened and submitted with required details and RITM is created
Step2 - Record gets inserted in custom table u_my_application with application ID - 9094
Step 3 - This record also has field values like

Manager (u_manager) - arun.rao

Program manager(u_prg_manager)- ankit.patil

Lead(u_lead)-sumit.rai

Step 4 - Manager opens the catalog item 'My application ' to update something and updates it which updates the record in custom table u_my_application(expected behaviour)

Step 5 - This item and the record (application ID -9094)can be opened by Manager, program manager, Lead of that record mentioned above.

Issue:
If some other user - neha.raut gets a link and opens the catalog item which loads the details of record(application id -9094), this other user is not part of primary contacts which is Manager, program manager, Lead but still is able to view the catalog item and the record details gets populated to its field.

Requirement: other user - neha.raut as she is not part of that record as primary contacts she should get a 'Access Denied' error while accessing the link.

Ankur Bawiskar · 7 hours ago

@Amit Rao

what's the linkage between the RITM and New record in your custom table?

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

Amit Rao · 6 hours ago

If the catalog item is opened then using onload client script the values are populated from custom table -u_my_application.
but as the user (neha.raut) is not part of that record the catalog item itseld should not open.

Ankur Bawiskar · 5 hours ago

@Amit Rao

you can use User Criteria and restrict that catalog item.

did you try that approach?

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

Ankur Bawiskar · 5 hours ago

@Amit Rao

if you don't want to use user criteria then you can use onLoad catalog client script + GlideAjax and user is not allowed then throw an alert message and redirect them to portal home.

what did you try and where are you stuck?

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader