Hi Chris,

Yes, an onQuery Business Rule sounds like a good fit for this requirement since you want to dynamically filter records from list/query results based on multiple conditions.

What I would recommend is:

• Create an Before Query Business Rule on the Incident table

• Check:

  • if the incident was created by the automation caller

  • if the assignment group is the restricted one

  • if the logged in user is NOT a member of that group

• If all conditions match, exclude the record from the query

Something like this should work as a starting point:

(function executeRule(current, previous /*null when async*/) {

    var restrictedCaller = 'AUTOTOOL_SYS_ID';
    var restrictedGroup = 'GROUP_A_SYS_ID';

    // If user is member of Group A allow access
    if (gs.getUser().isMemberOf(restrictedGroup)) {
        return;
    }

    // Hide automation generated tickets for everyone else
    current.addEncodedQuery(
        'caller_id!=' + restrictedCaller +
        '^ORassignment_group!=' + restrictedGroup
    );

})(current, previous);

A couple notes:

• Replace both SYS_ID values with your actual records

• Using SYS_IDs is safer than names because names can change

• This approach hides the records from lists and most queries

• If you need full security enforcement (API access, direct record access, etc.) you may still want complementary ACLs later

I’ve implemented similar solutions before and the query BR approach is usually much simpler to maintain for this kind of visibility rule.

Hope this helps!
Regards,
Juan

If my reply was Helpful, please mark the answer as correct.