- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4 weeks ago
For Issues form, I want 'assigned_to', and 'assignment_group', users to be only able to modify certain fields. How to achieve this using ACL?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
then don't play with ACL
-> use display Business rule on that table and use g_scratchpad
-> then create onLoad client script and make fields readonly/editable
With this what happens -> ACL will allow but your client script will make readonly and you need not handle multiple ACLs
💡 If my response helped, please mark it as correct ✅ and close the thread 🔒— this helps future readers find the solution faster! 🙏
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago - last edited 3 weeks ago
@AjvadK
The existence of field level ACLs on all fields makes this more complicated. In order to achieve your exact use case you will need to modify every field level rule to achieve exactly what your use case implies. How you modify each one is going to depend on the more specific requirement for access to that field. First keep in mind that the table.* rule still needs to provide access so the script logic would need to be added as an OR condition on it as well as modifying the field level ACLs.
If you need the existing write rule to work as it is written but also add any assignee then you can add an OR condition with the scripted logic provided earlier.
If you need the field to be write only for the assignee and no one else then you would need to remove the current associated roles and add the scripted logic.
If you need the field to be read only for everyone then you need to remove the existing business rule so that there is no field level rule for that field.
If there are only specific forms or areas where you need these permissions restricted then there are some more specific approaches for that such as using display rules to override the edit privilege. These are not considered secure as they can often be manipulated on the client side but depending on if these rules are required for security purposes or just user experience you might have an easier time going with ui policies and display rules.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4 weeks ago
create "write" operation ACL on those fields with code:
answer=false;
if(gs.getUser().isMemberOf(current.assignment_group)) // this will alow only assigmnent group member to update the field. Also assigned to is member of assignment group so no extra code required.
answer=true;
This can be done via client side code also but that has limitations like list edit (need different code) and for non interactive sessions client script will not work. So best is to create ACLs
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4 weeks ago
I apologise if my question wasn't worded correctly. The assignment group/assigned to should only be able edit certain fields. The rest of the fields should be read-only to them.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4 weeks ago - last edited 4 weeks ago
The previous answers cover how to write the ACL for a specific field is accurate but you need to have the correct hierarchy of ACLs to make this work correctly.
The first ACL will provide record level write permissions. So a table.none that contains a role such as ITIL that contains all of your possible assignees. It can be broader if necessary to achieve this.
The second ACL will be a field level ACL that denies write on all fields. This would be a table.* rule with no roles or users associated with it. After this rule you are allowing everyone in the first ACL to write or edit the record but have now denied their ability to edit each individual field on that record.
Once these two ACLs are in place you then add an advanced write ACL for each specific field that you want the assignee(s) to be able to edit.
if (gs.getUserID() == current.assigned_to || gs.getUser().isMemberOf(current.assignment_group))
answer = true;
else
answer = false;
To summarize what these rules do:
- The first rule grants edit permission to the record, without having edit permission at the record level there can be no edit permission at the field level.
- The second rule makes the default field level permission to edit blocked for all users.
- The field level rules override the default permission of the second rule for each specific field that you add it for.
Without all of these rules configured correctly you won't be able to set it up specifically the way you describe in the reply.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4 weeks ago
I am unable to create the second ACL, because it is empty ACL. Popup says, "An empty or invalid Deny Unless ACL will completely deny access to this resource. To properly secure it, select a Role, Security Attribute or configure related records to allow access to it conditionally."
