Restrict write access to some fields for 'assigned_to' and 'assignment_group'

AjvadK
Tera Contributor

For the Issues form, I want the 'assigned_to' user and 'assignment_group' members to only be able to modify certain fields. How do I achieve this using ACLs?

2 ACCEPTED SOLUTIONS

@AjvadK 

Then don't play with ACLs:

-> use a display Business Rule on that table and use g_scratchpad

-> then create an onLoad client script and make the fields readonly/editable

With this, what happens -> the ACL will allow the write, but your client script will make the fields readonly, and you need not handle multiple ACLs.

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

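The display rule plus onLoad client script approach Ankur describes, written out as an added example (not code from this thread or from ServiceNow). The helper functions are assumed to be pasted into the display Business Rule and the client script respectively, and the field names in ALLOWED_FOR_ASSIGNEE are assumed, since the thread names none; as the other accepted answer notes, this only shapes the form, while server-side write access stays whatever the ACLs grant.

```javascript
// Pure decision helper (paste into the display rule, or a Script Include).
// True only for the assignee or a member of the assignment group; an empty
// assigned_to or assignment_group never grants access. isMemberOf is a
// predicate so the server can delegate to gs.getUser().isMemberOf().
function canEditRestrictedFields(userId, assignedTo, assignmentGroup, isMemberOf) {
  if (!userId) return false;
  if (assignedTo && assignedTo === userId) return true;
  return !!assignmentGroup && isMemberOf(assignmentGroup);
}

// Fields the assignee / group member may still change (assumed names).
var ALLOWED_FOR_ASSIGNEE = ['state', 'work_notes', 'comments'];

// Every editable field that is NOT in allowedFields gets locked (paste into
// the client script).
function fieldsToLock(editableFields, allowedFields) {
  return editableFields.filter(function (f) {
    return allowedFields.indexOf(f) === -1;
  });
}

// --- Display Business Rule body on the Issues table (server side) ---
// gs, current and g_scratchpad are ServiceNow globals; the flag is computed
// here so the client never decides on its own who the assignee is.
function displayRuleScript(current, gs, g_scratchpad) {
  var user = gs.getUser();
  g_scratchpad.canEditRestricted = canEditRestrictedFields(
    user.getID(),
    current.assigned_to.toString(),
    current.assignment_group.toString(),
    function (groupSysId) { return user.isMemberOf(groupSysId); }
  );
}

// --- onLoad Client Script on the Issues table (client side) ---
// g_form and g_scratchpad are ServiceNow client globals.
function onLoad() {
  if (g_scratchpad.canEditRestricted) return; // assignee or group member: leave form as is
  var lock = fieldsToLock(g_form.getEditableFields(), ALLOWED_FOR_ASSIGNEE);
  for (var i = 0; i < lock.length; i++) {
    g_form.setReadOnly(lock[i], true);
  }
}
```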

@AjvadK 
The existence of field level ACLs on all fields makes this more complicated. In order to achieve your exact use case you will need to modify every field level rule to achieve exactly what your use case implies. How you modify each one is going to depend on the more specific requirement for access to that field. First keep in mind that the table.* rule still needs to provide access so the script logic would need to be added as an OR condition on it as well as modifying the field level ACLs.

If you need the existing write rule to work as it is written but also add any assignee then you can add an OR condition with the scripted logic provided earlier.

If you need the field to be write only for the assignee and no one else then you would need to remove the current associated roles and add the scripted logic.

If you need the field to be read only for everyone then you need to remove the existing business rule so that there is no field level rule for that field.

If there are only specific forms or areas where you need these permissions restricted then there are some more specific approaches for that such as using display rules to override the edit privilege. These are not considered secure as they can often be manipulated on the client side but depending on if these rules are required for security purposes or just user experience you might have an easier time going with UI policies and display rules.


18 REPLIES


@AjvadK so this should work. If the 'assigned to' condition is not required, you can add:

// Advanced script on the field-level WRITE ACL; answer must end up true or false
answer = false;
// Allow members of the record's assignment group, or the user the record is assigned to
if (gs.getUser().isMemberOf(current.assignment_group) || gs.getUserID() == current.assigned_to)
    answer = true;

Raghav
MVP 2023
LinkedIn

Ankur Bawiskar
Tera Patron

@AjvadK 

You can create that many field-level WRITE ACLs, with an advanced script for each field,

something like this:

// Advanced script on each field-level WRITE ACL; answer decides whether the write is allowed
if (gs.getUserID() == current.assigned_to || gs.getUser().isMemberOf(current.assignment_group))
    answer = true;   // assignee, or member of the assignment group
else
    answer = false;  // everyone else

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

@AjvadK 

I believe you want either the assigned to user or members of the assignment group to edit certain fields.

For that I shared a field-level WRITE ACL.

Did that work for you?

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

I also want to restrict write access for the rest of the fields.