Restricting Assignment Group Updates on Incident Form Based on User Group Membership

Abdul333
Tera Contributor

Hello All,

I’m looking to implement a restriction on the Incident form so that only users who belong to the below listed 7 groups can update the Assignment Group field changing to "L2 Support" or "L3 Support" groups:

  • App Engine
  • Business Analyst
  • Corporation
  • Development
  • Engineering Assistant
  • Flow Developers
  • Go-live L3

I would like to know the simplest and most effective way to achieve this in ServiceNow.

I initially attempted this using a before update Business Rule, but it didn’t work as expected.

Could you please advise the best approach to enforce this restriction (preferably without using ACLs; we don't have authorization to create ACLs)?

Thanks in advance!

Abdul

1 ACCEPTED SOLUTION

pavani_paluri
Giga Guru

Hi @Abdul333,

To restrict updates to the Assignment Group field only when it's being changed to "L2 Support" or "L3 Support", and only allow members of specific groups to make that change — without using ACLs — the simplest and most effective approach is to use a Before Business Rule with proper checks.

    (function executeRule(current, previous /*null when async*/) {

        // Target groups that require authorization
        var restrictedGroups = ['L2 Support', 'L3 Support'];

        var targetGroup = current.assignment_group.getDisplayValue();

        // Only act if Assignment Group is actually being changed to "L2 Support" or "L3 Support".
        // Without the changes() check, any other update to an incident already assigned
        // to one of these groups would raise the error for users outside the allowed groups.
        if (current.assignment_group.changes() && restrictedGroups.indexOf(targetGroup) !== -1) {

            // List of allowed group names
            var allowedGroups = [
                'App Engine',
                'Business Analyst',
                'Corporation',
                'Development',
                'Engineering Assistant',
                'Flow Developers',
                'Go-live L3'
            ];

            // Check if current user is a member of any of the allowed groups
            var userIsAllowed = false;

            // Walk the user's rows in the group membership table
            var gr = new GlideRecord('sys_user_grmember');
            gr.addQuery('user', gs.getUserID());
            gr.query();
            while (gr.next()) {
                var groupName = gr.getDisplayValue('group');
                if (allowedGroups.indexOf(groupName) !== -1) {
                    userIsAllowed = true;
                    break;
                }
            }

            // Block the update if not allowed
            if (!userIsAllowed) {
                gs.addErrorMessage("You are not authorized to assign this incident to '" + targetGroup + "'.");
                current.assignment_group = previous.assignment_group; // Revert
                gs.log("Unauthorized assignment group change attempted by user: " + gs.getUserName());
            }
        }

    })(current, previous);

This script checks if the new assignment group is “L2 Support” or “L3 Support”. Then it checks if the current user belongs to any of the 7 allowed groups. If not, it reverts the change, shows an error message, and logs the attempt.

Mark it helpful if this helps you to understand. Accept solution if this gives you the answer you're looking for.
Kind Regards,
Pavani P
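
The decision the Business Rule above makes, written as an added example (not code from the post or from ServiceNow): a pure function keyed on group sys_ids instead of display names, so a renamed group does not silently change the policy and the logic can be unit-tested outside the instance. The function name and every sys_id string are hypothetical placeholders.

```javascript
// Added example; every sys_id string below is a constructed placeholder.
var POLICY = {
    // Targets that need authorization (stand-ins for L2 Support, L3 Support)
    restrictedTargets: ['sysid-l2-support', 'sysid-l3-support'],
    // Groups whose members may assign to those targets (two of the seven)
    allowedMemberGroups: ['sysid-development', 'sysid-go-live-l3']
};

// previousGroupId / newGroupId: sys_id strings, '' when the field is empty.
// userGroupIds: sys_ids of the groups the acting user belongs to.
function evaluateAssignmentChange(previousGroupId, newGroupId, userGroupIds, policy) {
    // Unchanged field: nothing to authorize, even if it already holds a restricted group
    if (newGroupId === previousGroupId) {
        return { allow: true, reason: 'unchanged' };
    }
    // A change to a group outside the restricted set is not governed by this rule
    if (policy.restrictedTargets.indexOf(newGroupId) === -1) {
        return { allow: true, reason: 'unrestricted-target' };
    }
    // Restricted target: require membership in at least one allowed group
    for (var i = 0; i < userGroupIds.length; i++) {
        if (policy.allowedMemberGroups.indexOf(userGroupIds[i]) !== -1) {
            return { allow: true, reason: 'member-of:' + userGroupIds[i] };
        }
    }
    // Fail closed, which also covers a user with no group memberships
    return { allow: false, reason: 'not-in-allowed-group' };
}

// Constructed cases: [previous group, new group, acting user's groups]
function runCases() {
    var cases = {
        memberEscalates:     ['sysid-service-desk', 'sysid-l2-support', ['sysid-development']],
        outsiderEscalates:   ['sysid-service-desk', 'sysid-l3-support', ['sysid-service-desk']],
        noGroupsEscalates:   ['', 'sysid-l2-support', []],
        outsiderEditsOther:  ['sysid-l2-support', 'sysid-l2-support', ['sysid-service-desk']],
        outsiderDeescalates: ['sysid-l2-support', 'sysid-service-desk', ['sysid-service-desk']]
    };
    var out = {};
    Object.keys(cases).forEach(function (name) {
        var c = cases[name];
        out[name] = evaluateAssignmentChange(c[0], c[1], c[2], POLICY);
    });
    return out;
}

console.log(runCases());
```

In a Business Rule the inputs would come from the sys_id values of `current.assignment_group` and `previous.assignment_group` and the user's `sys_user_grmember` rows; on a deny the caller can revert the field and log the attempt as the post does.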


2 REPLIES 2

Thanks @pavani_paluri, it works.