Restrict write access to some fields for 'assigned_to' and 'assignment_group'

AjvadK · 4 weeks ago

For Issues form, I want 'assigned_to', and 'assignment_group', users to be only able to modify certain fields. How to achieve this using ACL?

Ankur Bawiskar · 4 weeks ago

@AjvadK

then don't play with ACL

-> use display Business rule on that table and use g_scratchpad

-> then create onLoad client script and make fields readonly/editable

With this what happens -> ACL will allow but your client script will make readonly and you need not handle multiple ACLs

💡 If my response helped, please mark it as correct ✅ and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

View solution in original post

John Gilmore · 4 weeks ago

@AjvadK
The existence of field level ACLs on all fields makes this more complicated. In order to achieve your exact use case you will need to modify every field level rule to achieve exactly what your use case implies. How you modify each one is going to depend on the more specific requirement for access to that field. First keep in mind that the table.* rule still needs to provide access so the script logic would need to be added as an OR condition on it as well as modifying the field level ACLs.

If you need the existing write rule to work as it is written but also add any assignee then you can add an OR condition with the scripted logic provided earlier.

If you need the field to be write only for the assignee and no one else then you would need to remove the current associated roles and add the scripted logic.

If you need the field to be read only for everyone then you need to remove the existing business rule so that there is no field level rule for that field.

If there are only specific forms or areas where you need these permissions restricted then there are some more specific approaches for that such as using display rules to override the edit privilege. These are not considered secure as they can often be manipulated on the client side but depending on if these rules are required for security purposes or just user experience you might have an easier time going with ui policies and display rules.

View solution in original post

AjvadK · 4 weeks ago

they already have write access to all fields, i want to restrict write access to only some of them, meaning deny write access to rest of the fields.

Ankur Bawiskar · 4 weeks ago

@AjvadK

what do you mean by rest of the fields?

are you saying complete record should be read-only or only some fields?

If only some fields then approach I already shared -> create field level WRITE ACLs for those fields

If entire record then you will require Table.* WRITE ACL with same script I shared

💡 If my response helped, please mark it as correct ✅ and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

AjvadK · 4 weeks ago

Already, the assigned_to, can edit all the fields, because of the existing OOB ACLs. There is a OOB table.None ACL, and field specific ACL for all fields. Now I want the assigned to to be only able to edit state, and recommendation fields. All other fields should be non-editable. Hope that makes my question clear. Apologies for the confusion.

Ankur Bawiskar · 4 weeks ago

@AjvadK

then don't play with ACL

-> use display Business rule on that table and use g_scratchpad

-> then create onLoad client script and make fields readonly/editable

With this what happens -> ACL will allow but your client script will make readonly and you need not handle multiple ACLs

💡 If my response helped, please mark it as correct ✅ and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader