08-01-2025 10:37 AM
Hello All,
I’m looking to implement a restriction on the Incident form so that only users who belong to the below listed 7 groups can update the Assignment Group field changing to "L2 Support" or "L3 Support" groups:
App Engine
Business Analyst
Corporation
Development
Engineering Assistant
Flow Developers
Go-live L3
I would like to know the simplest and most effective way to achieve this in ServiceNow.
I initially attempted this using a before update Business Rule, but it didn’t work as expected.
Could you please advise on the best approach to enforce this restriction (preferably without using ACLs, as we are not authorized to create ACLs)?
Thanks in advance!
Abdul
08-01-2025 11:08 AM
Hi @Abdul333 ,
To restrict updates to the Assignment Group field only when it's being changed to "L2 Support" or "L3 Support", and only allow members of specific groups to make that change — without using ACLs — the simplest and most effective approach is to use a Before Business Rule with proper checks.
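(function executeRule(current, previous /*null when async*/) {
    // Before Business Rule on Incident: only members of the allowed groups may move
    // a record INTO "L2 Support" or "L3 Support".
    //
    // NOTE(review): this is a compensating control, not a replacement for a write ACL.
    // Business rules do not run for server-side updates that call setWorkflow(false),
    // and matching on group *names* stops working if a group is renamed or another
    // group is given the same name. Matching on group sys_ids is more robust.
    // NOTE(review): if creating an incident directly in L2/L3 Support must be blocked
    // as well, the rule has to be enabled for insert, not only update. Confirm.

    var restrictedGroups = ['L2 Support', 'L3 Support'];

    // Act only when the field really changes in this operation. Without this guard,
    // an incident that already sits in L2/L3 Support raises the "not authorized"
    // error on every unrelated edit made by a user outside the allowed groups.
    if (!current.assignment_group.changes()) {
        return;
    }

    var targetGroup = current.assignment_group.getDisplayValue();
    if (restrictedGroups.indexOf(targetGroup) === -1) {
        return;
    }

    // List of allowed group names
    var allowedGroups = [
        'App Engine',
        'Business Analyst',
        'Corporation',
        'Development',
        'Engineering Assistant',
        'Flow Developers',
        'Go-live L3'
    ];

    // Check if current user is a member of any of the allowed groups
    var userIsAllowed = false;
    var gr = new GlideRecord('sys_user_grmember');
    gr.addQuery('user', gs.getUserID());
    gr.query();
    while (gr.next()) {
        var groupName = gr.getDisplayValue('group');
        if (allowedGroups.indexOf(groupName) !== -1) {
            userIsAllowed = true;
            break;
        }
    }

    if (userIsAllowed) {
        return;
    }

    // Block the change if not allowed
    gs.addErrorMessage("You are not authorized to assign this incident to '" + targetGroup + "'.");
    if (previous) {
        // Revert only this field; the user's other edits are still saved.
        current.assignment_group = previous.assignment_group;
    } else {
        // No earlier state to fall back to (the signature notes previous can be null),
        // so reject the whole operation instead of dereferencing null.
        current.setAbortAction(true);
    }
    // Keep a server-side trace of the denied attempt for later review.
    gs.log("Unauthorized assignment group change attempted by user: " + gs.getUserName());
})(current, previous);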
This script checks if the new assignment group is “L2 Support” or “L3 Support”. Then it checks if the current user belongs to any of the 7 allowed groups. If not, it reverts the change, shows an error message, and logs the attempt.
08-01-2025 11:08 AM
Hi @Abdul333 ,
To restrict updates to the Assignment Group field only when it's being changed to "L2 Support" or "L3 Support", and only allow members of specific groups to make that change — without using ACLs — the simplest and most effective approach is to use a Before Business Rule with proper checks.
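(function executeRule(current, previous /*null when async*/) {
    // Before Business Rule on Incident: only members of the allowed groups may move
    // a record INTO "L2 Support" or "L3 Support".
    //
    // NOTE(review): this is a compensating control, not a replacement for a write ACL.
    // Business rules do not run for server-side updates that call setWorkflow(false),
    // and matching on group *names* stops working if a group is renamed or another
    // group is given the same name. Matching on group sys_ids is more robust.
    // NOTE(review): if creating an incident directly in L2/L3 Support must be blocked
    // as well, the rule has to be enabled for insert, not only update. Confirm.

    var restrictedGroups = ['L2 Support', 'L3 Support'];

    // Act only when the field really changes in this operation. Without this guard,
    // an incident that already sits in L2/L3 Support raises the "not authorized"
    // error on every unrelated edit made by a user outside the allowed groups.
    if (!current.assignment_group.changes()) {
        return;
    }

    var targetGroup = current.assignment_group.getDisplayValue();
    if (restrictedGroups.indexOf(targetGroup) === -1) {
        return;
    }

    // List of allowed group names
    var allowedGroups = [
        'App Engine',
        'Business Analyst',
        'Corporation',
        'Development',
        'Engineering Assistant',
        'Flow Developers',
        'Go-live L3'
    ];

    // Check if current user is a member of any of the allowed groups
    var userIsAllowed = false;
    var gr = new GlideRecord('sys_user_grmember');
    gr.addQuery('user', gs.getUserID());
    gr.query();
    while (gr.next()) {
        var groupName = gr.getDisplayValue('group');
        if (allowedGroups.indexOf(groupName) !== -1) {
            userIsAllowed = true;
            break;
        }
    }

    if (userIsAllowed) {
        return;
    }

    // Block the change if not allowed
    gs.addErrorMessage("You are not authorized to assign this incident to '" + targetGroup + "'.");
    if (previous) {
        // Revert only this field; the user's other edits are still saved.
        current.assignment_group = previous.assignment_group;
    } else {
        // No earlier state to fall back to (the signature notes previous can be null),
        // so reject the whole operation instead of dereferencing null.
        current.setAbortAction(true);
    }
    // Keep a server-side trace of the denied attempt for later review.
    gs.log("Unauthorized assignment group change attempted by user: " + gs.getUserName());
})(current, previous);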
This script checks if the new assignment group is “L2 Support” or “L3 Support”. Then it checks if the current user belongs to any of the 7 allowed groups. If not, it reverts the change, shows an error message, and logs the attempt.
08-01-2025 07:09 PM
Thanks @pavani_paluri, it works.