Restricting access to RITM per user

ThiAnhN
Giga Contributor

Hi everyone,

I’m currently working on a ServiceNow implementation and ran into an access control issue related to RITM visibility. I’d really appreciate your advice.

Use case:

  • We create 1 Request that generates multiple RITMs

  • Each RITM is assigned to a specific user (all users have business_stakeholder role)

Problem:
It seems like all users with the business_stakeholder role are able to

  • View and comment on RITMs assigned to others

However, the requirement is:
👉 A user should only be able to see RITMs where they are:

  • assigned_to/requested_for/opened_by (also admin/itil)

What I tried:

  • Created a custom ACL on sc_req_item (read) with logic restricting access to the above users but it doesn’t work as expected.

Question:

What is the recommended way to restrict RITM visibility per user? 


Thank you for your help!


Laveena-Agarwal
Mega Sage

Hi @ThiAnhN 

ACLs in ServiceNow work in an OR condition, meaning if multiple ACLs exist for the same operation, access is granted as soon as one ACL evaluates to true. The system does not evaluate further ACLs unless a “Deny Unless” ACL is defined.


I can think of two possible approaches:


1. Identify the OOB ACL responsible for this behavior and either modify it (with caution) or create a similar custom ACL (with Deny Unless) specific to this requirement.

2. Implement a Query Business Rule to control data access for this particular use case.

Ankur Bawiskar
Tera Patron

@ThiAnhN 

You can keep the OOTB table-level ACL and create a Query BR on the sc_req_item table.

Something like this:

Condition: gs.getSession().isInteractive()

Script:

(function executeRule(current, previous /*null when async*/ ) {

    // Users with admin or itil see every RITM: add no filter and return early
    if (gs.hasRole('admin') || gs.hasRole('itil')) {
        return; // Admins and ITIL see all records
    }

    // Everyone else only sees RITMs where they are assigned_to, requested_for or opened_by.
    // In a Query BR, 'current' is the GlideRecord about to be queried, so the
    // addQuery/addOrCondition chain is appended to every sc_req_item query.
    var userID = gs.getUserID();
    var qc = current.addQuery('assigned_to', userID)
        .addOrCondition('requested_for', userID)
        .addOrCondition('opened_by', userID);

})(current, previous);

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  10x ServiceNow MVP  ||  ServiceNow Community Leader
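The Query Business Rule above cannot run outside a ServiceNow instance, so the following is an added example (not code from the thread or from ServiceNow) that exercises the same rule body offline. `MockGlideRecord`, `MockQueryCondition`, `makeSession` and `SAMPLE_RITMS` are constructed stand-ins: the mock only models the `addQuery`/`addOrCondition` calls the rule uses (one OR group, equality matches), which is enough to show the admin/itil bypass and which rows a business_stakeholder user ends up seeing.

```javascript
// Constructed stand-in for the GlideQueryCondition returned by addQuery():
// each addOrCondition() adds another OR clause to the same group.
class MockQueryCondition {
  constructor(groups) {
    this.group = [];
    groups.push(this.group);
  }
  addOrCondition(field, value) {
    this.group.push({ field, value });
    return this; // chainable, like the real API
  }
}

// Constructed stand-in for the GlideRecord handed to a Query BR as 'current'.
// addQuery() opens a new AND-ed group; matches() evaluates the accumulated
// condition against one plain record object.
class MockGlideRecord {
  constructor(table) {
    this.table = table;
    this.groups = [];
  }
  addQuery(field, value) {
    const qc = new MockQueryCondition(this.groups);
    qc.addOrCondition(field, value);
    return qc;
  }
  matches(record) {
    // Every group must have at least one clause that matches; with no groups
    // (admin/itil path) every record matches.
    return this.groups.every(group =>
      group.some(c => record[c.field] === c.value));
  }
}

// Constructed stand-in for the parts of 'gs' the rule uses.
function makeSession(userID, roles) {
  return {
    getUserID: () => userID,
    hasRole: role => roles.includes(role),
  };
}

// The Query BR body from the reply, with 'gs' passed in explicitly instead of
// being the ServiceNow global.
function ritmVisibilityRule(current, gs) {
  if (gs.hasRole('admin') || gs.hasRole('itil')) {
    return; // no filter appended: these roles see all RITMs
  }
  const userID = gs.getUserID();
  current.addQuery('assigned_to', userID)
    .addOrCondition('requested_for', userID)
    .addOrCondition('opened_by', userID);
}

// Constructed sample RITMs; the user values are placeholder sys_ids.
const SAMPLE_RITMS = [
  { number: 'RITM0010001', assigned_to: 'user_a', requested_for: 'user_x', opened_by: 'user_x' },
  { number: 'RITM0010002', assigned_to: 'user_b', requested_for: 'user_a', opened_by: 'user_x' },
  { number: 'RITM0010003', assigned_to: 'user_b', requested_for: 'user_b', opened_by: 'user_b' },
  { number: 'RITM0010004', assigned_to: 'user_c', requested_for: 'user_c', opened_by: 'user_a' },
];

// Apply the rule for one user and return the RITM numbers that survive the query.
function visibleRitms(userID, roles, records = SAMPLE_RITMS) {
  const current = new MockGlideRecord('sc_req_item');
  ritmVisibilityRule(current, makeSession(userID, roles));
  return records.filter(r => current.matches(r)).map(r => r.number);
}

// Stand-alone demo
console.log('user_a (business_stakeholder):', visibleRitms('user_a', ['business_stakeholder']));
console.log('user_x (itil):', visibleRitms('user_x', ['itil']));
console.log('user_z (business_stakeholder):', visibleRitms('user_z', ['business_stakeholder']));
```

One point worth keeping in mind when using the reply's condition `gs.getSession().isInteractive()`: it limits the rule to interactive (UI) sessions, so reads made through non-interactive sessions such as web service calls are not filtered by this rule and still rely on the table ACLs alone.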

@ThiAnhN 

Hope you are doing good.

Did my reply answer your question?

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  10x ServiceNow MVP  ||  ServiceNow Community Leader