Restrict write access to some fields for 'assigned_to' and 'assignment_group'

AjvadK · 4 weeks ago

For Issues form, I want 'assigned_to', and 'assignment_group', users to be only able to modify certain fields. How to achieve this using ACL?

Ankur Bawiskar · 4 weeks ago

@AjvadK

then don't play with ACL

-> use display Business rule on that table and use g_scratchpad

-> then create onLoad client script and make fields readonly/editable

With this what happens -> ACL will allow but your client script will make readonly and you need not handle multiple ACLs

💡 If my response helped, please mark it as correct ✅ and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

View solution in original post

John Gilmore · 4 weeks ago

@AjvadK
The existence of field level ACLs on all fields makes this more complicated. In order to achieve your exact use case you will need to modify every field level rule to achieve exactly what your use case implies. How you modify each one is going to depend on the more specific requirement for access to that field. First keep in mind that the table.* rule still needs to provide access so the script logic would need to be added as an OR condition on it as well as modifying the field level ACLs.

If you need the existing write rule to work as it is written but also add any assignee then you can add an OR condition with the scripted logic provided earlier.

If you need the field to be write only for the assignee and no one else then you would need to remove the current associated roles and add the scripted logic.

If you need the field to be read only for everyone then you need to remove the existing business rule so that there is no field level rule for that field.

If there are only specific forms or areas where you need these permissions restricted then there are some more specific approaches for that such as using display rules to override the edit privilege. These are not considered secure as they can often be manipulated on the client side but depending on if these rules are required for security purposes or just user experience you might have an easier time going with ui policies and display rules.

View solution in original post

John Gilmore · 4 weeks ago

@AjvadK

My apologies there is a security property that allows that and if your instance does not then I would not worry about changing it.

The same configuration of ACLs should still work, just set the table.* ACL to use the same condition as the field level ACLs or the same user role as the record level write ACL. Once you put a single field level ACL in place the rest should default to read-only unless a field specific ACL exists.

AjvadK · 4 weeks ago

I tried but it is not working. What about already existing field level ACLs, that grand write access to sn_grc_business_user, and sn_grc_business_user_lite roles. Since the assigned_to already have this role, will this affect the new ACLs?

AjvadK · 4 weeks ago

Currently, there is a Table level ACL that grands access only if the user is assigned to it. And field level ACLs for all fields, that grands write access if user has sn_grc_business_user, or sn_grc_business_user_lite

AjvadK · 4 weeks ago

Should I add

if (gs.getUserID() == current.assigned_to || gs.getUser().isMemberOf(current.assignment_group))

condition to the field level ACLs of fields that should be editable. But these are medium-risk files, so is that recommended?

Ankur Bawiskar · 4 weeks ago

@AjvadK

seems you missed my yesterday's response which already had a working solution to it

💡 If my response helped, please mark it as correct ✅ and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader