Restricting other group members to see a particular group SCTASKs even they can have itil role

sattar3
Tera Contributor

‎06-06-2024 10:26 AM

Hello All,

 

How to restrict SCTASKs of groupA to other group members.

If a SCTASK is assigned to groupA, then only groupA members only can able to see that SCTASK, no other group members can't able to see groupA SCTASKs.

if they are having 'itil' role also we need to restrict to see groupA SCTASKs, except the sctasks created by them.

 

Can someone please suggest how we can achieve this by using ACLs, we are using Washington DC version.

I create a read ACL on sc_task table but its is not working, please check the below screenshot.

sattar3_0-1717693944299.png

Correct me if i did anything wrong.

 

We created Before Query BR, it works perfectly but we need to achieve this by using ACL.

BR Condition: !gs.hasRole('admin') && gs.isInteractive(true)

Before Query BR script.

(function executeRule(current, previous /*null when async*/) {
    var _appEngineAdminGr = gs.getProperty('app.engine.admin');//glide property of app engine admin group
    if(!gs.getUser().isMemberOf(_appEngineAdminGr)){
  current.addEncodedQuery('opened_byDYNAMIC90d1921e5f510100a9ad2572f2b477fe^ORassignment_groupISEMPTY^ORassignment_group!='+_appEngineAdminGr);
    }
})(current, previous);

 

@Dr Atul G- LNG @Ankur Bawiskar @Mohammed Ali  @Mark Roethof @Community Alums @Sandeep Rajput @Amit Gujarathi @Ravi Gaurav @SANDEEP28 @Aman Kumar S 

 

Thanks,

Sattar

0 Helpfuls
  • 341 Views
1 REPLY 1

Kris Moncada
Tera Guru

‎06-06-2024 08:33 PM - edited ‎06-06-2024 08:54 PM

 

 

 

 

 

answer = gs.getUser().isMemberOf(current.getDisplayValue('assignment_group'));

 

 

 

 

 

Depending on how complex your read ACLs are, you'll need to address every "read" ACL that is giving access to that Catalog task, and adding the above script into your Script condition. 

 

ACL work is pretty daunting at times, so my steps below hopefully will narrow down which ACLs need to be address.  I personally, would only try the following on your PDI. Then when you got something to work, then transfer your work to Dev environment. 

 

 

  1. While keeping an "admin" session open, start an "incognito/private" session and login as an admin, then enable Debug Security Rules.
  2. In the "incognito" session, impersonate an known itil role user and open a catalog task, of which the user is not a member of the Assignment Group of that catalog task.
  3. Scroll down and see which table rules of the read type are allowing access to this record. User the browser search and look for "PATH = record/sc_task/read​"
    KrisMoncada_0-1717730242864.png
  4. Right-click and copy the url read ACL that has a green check mark. Then open that url in the "admin" session.
  5. Hard code in the Script Condition, the "answer = false;" , then refresh the incognito session.
  6. Refresh the Private session. Does the user have access to the record? If yes, return to 3.
  7. Once the user cannot view the record, go the the "admin" session and add the following line of code. Replacing the answer = false; code in all of the ACLs you have opened.

 

 

answer = gs.getUser().isMemberOf(current.getDisplayValue('assignment_group'));​

 

 

 

 

 

Hope this helps. I've included the ACL records for reference.

 

 

0 Helpfuls