- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-26-2020 01:47 PM
Hello,
I have Service Portal users who have no roles or groups that were once able to view Incident Records for their department. We also have a custom field on their user record that ties different departments to their user record so that they can manage incidents for other departments as well.
After our recent upgrade to Orlando, these users are now only able to view tickets that are assigned to them and not all the other ones open for any of the departments they have access into.
I tried assigning one of these users an 'itil' role, and then I queried for open incidents across all the associated domains and she was able to view the open Incidents--but without the role, the user is just showed the 1 incident that is assigned to her--this is all done in the Service Portal.
Does anyone have any ideas as to why this is happening? Any help is appreciated. Thank you.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-26-2020 01:53 PM
ACL or query business rule. Likely the "incident query" query business rule might have changed during upgrade since that is what provides filtering for users to only see their incidents.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-26-2020 01:52 PM
Hi,
This sounds like an ACL issue. Please review the ACLs so see if there are "read" ACLs for this table and within those, is there mention of a condition or script that looks at their department(s) as well? This isn't OOB and was something you would have had to make before, perhaps with the upgrade, something didn't get reviewed properly?
Overall, check your "read" ACLs for that table. Ensure that the scenario you mentioned above, where users with other departments can see other tickets, etc. is accounted for.
I'm sure this is happening for standard UI as well and not just portal...it's just where those user access servicenow, right? the portal?
Please mark reply as Helpful/Correct, if applicable. Thanks!
Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-26-2020 01:53 PM
ACL or query business rule. Likely the "incident query" query business rule might have changed during upgrade since that is what provides filtering for users to only see their incidents.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-26-2020 02:17 PM
Thank you Allen and Michael.
I'll give our ACLs another look.
Allen, I'm not sure about the question at the end, but these specific users dont interact with ServiceNow other than through the Service Portal. I haven't received any word about it affecting standard UI.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-26-2020 05:31 PM
Hi,
Yea, my last question was just trying to see if it was affecting more than just the Service Portal. Those users may not interact with the standard-ui, but we don't want to say it's a "Service Portal" problem, right? Like how your question topic is. If it was only a Service Portal problem, then there's some other causes for the issue. However, if it's an ACL or BR (incident query, like Michael mentioned), then indeed, it's a problem across the instance. See what I'm saying?
The "incident query" BR that Michael mentions has changed since previous versions to something like:
restrictIncidents();
function restrictIncidents() {
if (!gs.hasRole("itil") && !gs.hasRole("sn_incident_read") && gs.isInteractive()) {
//Do NOT restrict Incidents if SPM premium plugin is active AND user has the service_viewer role.
if (GlidePluginManager.isActive('com.snc.spm') && gs.hasRole('service_viewer'))
return;
var u = gs.getUserID();
current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
}
}So, if you reverted to base on this or didn't have one previously, this will layer over top of any ACLs and provide another level of "restriction". So this one is basically saying if the user doesn't have ITIL or the incident read role, then they need to be the caller, opened it, or on the watch list to see it.
If they don't meet one of those three, then yeah, if the ACLs did allow them in, this query will "block" those records after the ACLs would have let them in.
Please mark reply as Helpful/Correct, if applicable. Thanks!
Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!
