show/hide the incidents across platform based on conditions

Yash38

current set up on incident form:

On the incident form we have created a checkbox called Vulnerability; when it is checked, another field called watchlist is displayed. It is a list-type field referencing the user group table, and one or more groups can be selected in it.

 

Now the requirement is to restrict which incidents can be seen and edited, based on the 3 conditions below:

1. user is member of group called INC security

2. user is member of assignment group of that incident

3. user is member of any of the groups selected in watchlist field

If the logged-in user satisfies any of the above 3 conditions for an incident where the vulnerability checkbox is selected, they should be able to see and edit that incident; otherwise these incidents need to be hidden from them everywhere, such as the incident table or global search.

 

what would be the best approach to achieve this and how?

 

Thanks in advance.


Danish Bhairag2

Hi @Yash38 ,

 

U can try creating a READ ACL on the incident table with the condition vulnerability is true, & under script u can write something like below

 

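// Scripted READ ACL on incident (condition: vulnerability = true). Sets `answer` to true when
// the logged-in user is in the 'INC security' group, the incident's assignment group, or any
// group selected in the watchlist field; otherwise `answer` stays false (deny by default).
// NOTE(review): a new ACL only adds one more way to pass; if another read ACL on incident
// already grants these users access, that rule needs adjusting too — confirm in the instance.
var user = gs.getUser();
// A glide_list field serialises to a comma-separated list of sys_ids; an empty field yields [''].
var watchlistGroups = String(current.watchlist_variable).split(',');
var memberOfGroup = false;
for (var i = 0; i < watchlistGroups.length && !memberOfGroup; i++) {
    var groupId = watchlistGroups[i].trim();
    // isMemberOf() accepts a group name or sys_id; skip the empty entry produced by an empty list.
    if (groupId !== '' && user.isMemberOf(groupId)) {
        memberOfGroup = true;
    }
}

// The original `memberOfGroup = 'true'` was an assignment, not a comparison, so the condition
// was always true and the ACL granted read access to every user; compare a real boolean instead.
answer = false;
if (user.isMemberOf('INC security') || user.isMemberOf(String(current.assignment_group)) || memberOfGroup) {
    answer = true;
}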

 

Thanks,

Danish

 


Below is the script which worked in this case:

// Scripted READ ACL: the user may read the record when they belong to the security group,
// the incident's assignment group, or any group listed in the vulnerability watchlist.
// `answer` is the ACL result variable and is denied by default.
var user = gs.getUser();
var inWatchlist = false;
answer = false;

// glide_list values are comma-separated; trim() guards against stray whitespace around entries.
var watchlistGroups = current.u_vulnerability_watchlist.toString().split(',');
var assignmentGroup = String(current.assignment_group);

// Stop at the first watchlist group the user belongs to.
var idx = 0;
while (idx < watchlistGroups.length && !inWatchlist) {
    if (user.isMemberOf(watchlistGroups[idx].trim())) {
        inWatchlist = true;
    }
    idx++;
}

if (user.isMemberOf('it_security_team') || user.isMemberOf(assignmentGroup) || inWatchlist) {
    answer = true;
}



Mark Manders

You could use a query business rule. That ensures your users won't get the 'security rules constraint...' message.

It would be something like this (please validate all fields, names, etc.)

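(function restrictIncidentVisibility() {
    // Hides vulnerability-flagged incidents from users who are not in 'INC security', the
    // incident's assignment group, or any group on the watch list, by aborting the action.
    // NOTE(review): in a *query* business rule `current` is the query being built rather than a
    // loaded record, so the field reads below and setAbortAction() read like a before-rule/ACL
    // script — confirm the rule type this is attached to.

    // Only apply restrictions if the 'Vulnerability' checkbox is checked
    if (current.u_vulnerability.nil() || !current.u_vulnerability) {
        return;
    }

    var user = gs.getUser();
    // getUserGroups() returns group display names, so the two comparisons below use names too.
    var userGroups = getUserGroups(gs.getUserID());

    // indexOf() rather than includes(): ES5-only script engines lack Array.prototype.includes.
    if (userGroups.indexOf('INC security') !== -1) {
        return;
    }

    if (userGroups.indexOf(current.assignment_group.getDisplayValue()) !== -1) {
        return;
    }

    // A glide_list holds comma-separated sys_ids, which would never match the display names in
    // userGroups; isMemberOf() accepts either a name or a sys_id, so check membership directly.
    var watchlistGroups = current.watch_list.toString().split(',');
    for (var i = 0; i < watchlistGroups.length; i++) {
        var groupId = watchlistGroups[i].trim();
        if (groupId !== '' && user.isMemberOf(groupId)) {
            return;
        }
    }

    current.setAbortAction(true);
})();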

/**
 * Returns the display names of every group the given user belongs to,
 * read from the sys_user_grmember membership table.
 * @param {string} userSysId - sys_id of the user to look up
 * @returns {string[]} group display names (empty when the user has no memberships)
 */
function getUserGroups(userSysId) {
    var membership = new GlideRecord('sys_user_grmember');
    membership.addQuery('user', userSysId);
    membership.query();

    var groupNames = [];
    while (membership.next()) {
        groupNames[groupNames.length] = membership.group.getDisplayValue();
    }
    return groupNames;
}

 

You could also try it with scripted ACLs, but that will show the error message when in a list



Danish Bhairag2

Hi @Yash38 ,

 

U can try creating a READ ACL on the incident table with the condition vulnerability is true, & under script u can write something like below

 

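// Scripted READ ACL on incident (condition: vulnerability = true). Sets `answer` to true when
// the logged-in user is in the 'INC security' group, the incident's assignment group, or any
// group selected in the watchlist field; otherwise `answer` stays false (deny by default).
// NOTE(review): a new ACL only adds one more way to pass; if another read ACL on incident
// already grants these users access, that rule needs adjusting too — confirm in the instance.
var user = gs.getUser();
// A glide_list field serialises to a comma-separated list of sys_ids; an empty field yields [''].
var watchlistGroups = String(current.watchlist_variable).split(',');
var memberOfGroup = false;
for (var i = 0; i < watchlistGroups.length && !memberOfGroup; i++) {
    var groupId = watchlistGroups[i].trim();
    // isMemberOf() accepts a group name or sys_id; skip the empty entry produced by an empty list.
    if (groupId !== '' && user.isMemberOf(groupId)) {
        memberOfGroup = true;
    }
}

// The original `memberOfGroup = 'true'` was an assignment, not a comparison, so the condition
// was always true and the ACL granted read access to every user; compare a real boolean instead.
answer = false;
if (user.isMemberOf('INC security') || user.isMemberOf(String(current.assignment_group)) || memberOfGroup) {
    answer = true;
}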

 

Thanks,

Danish

 

Below is the script which worked in this case:

// Scripted READ ACL: the user may read the record when they belong to the security group,
// the incident's assignment group, or any group listed in the vulnerability watchlist.
// `answer` is the ACL result variable and is denied by default.
var user = gs.getUser();
var inWatchlist = false;
answer = false;

// glide_list values are comma-separated; trim() guards against stray whitespace around entries.
var watchlistGroups = current.u_vulnerability_watchlist.toString().split(',');
var assignmentGroup = String(current.assignment_group);

// Stop at the first watchlist group the user belongs to.
var idx = 0;
while (idx < watchlistGroups.length && !inWatchlist) {
    if (user.isMemberOf(watchlistGroups[idx].trim())) {
        inWatchlist = true;
    }
    idx++;
}

if (user.isMemberOf('it_security_team') || user.isMemberOf(assignmentGroup) || inWatchlist) {
    answer = true;
}

Rajdeep Ganguly

To achieve this, you can use Access Control List (ACL) rules in ServiceNow. ACLs are used to control what data users can access and how they can access it. Here are the steps to implement this:

1. Navigate to System Security > Access Control (ACL).
2. Click New to create a new ACL rule.
3. In the Type field, select Record.
4. In the Name field, enter the table name (incident).
5. In the Operation field, select Read (to control visibility) and Write (to control editability).
6. In the Requires Role field, leave it blank.
7. In the Script field, write a script to check the conditions. Here is a sample script:

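(function executeRule(current, previous /*null when async*/) {
    // Grants access when the user belongs to the INC security group, the incident's
    // assignment group, or any group on the watchlist. Every comparison is by group sys_id.
    // NOTE(review): the (current, previous) signature is the business-rule template; an ACL
    // script usually sets `answer` rather than relying on this IIFE's return value — confirm
    // how the result is consumed where this is installed.
    var user = gs.getUser();
    // getMyGroups() yields the sys_ids of the user's groups; assumed to expose indexOf() — verify.
    var userGroups = user.getMyGroups();
    var incSecGroup = 'sys_id_of_INC_security_group';
    // String() turns the GlideElement into its sys_id; the raw element object never matches an entry.
    var assignmentGroup = String(current.assignment_group);
    // glide_list values are comma-separated sys_ids; entries are trimmed before comparison.
    var watchlistGroups = current.watchlist.toString().split(',');

    // Check if user is a member of INC security group
    if (userGroups.indexOf(incSecGroup) !== -1) {
        return true;
    }

    // Check if user is a member of the assignment group of the incident
    if (assignmentGroup !== '' && userGroups.indexOf(assignmentGroup) !== -1) {
        return true;
    }

    // Check if user is a member of any of the groups in the watchlist
    for (var i = 0; i < watchlistGroups.length; i++) {
        var groupId = watchlistGroups[i].trim();
        if (groupId !== '' && userGroups.indexOf(groupId) !== -1) {
            return true;
        }
    }

    // If none of the conditions are met, restrict access
    return false;
})(current, previous);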


8. Click Submit to save the ACL rule.

This ACL rule will check if the logged-in user satisfies any of the three conditions. If they do, they will be able to see and edit the incidents where the Vulnerability checkbox is selected. Otherwise, these incidents will be hidden from them.

Please replace 'sys_id_of_INC_security_group' with the actual sys_id of the INC security group. Also, make sure that the watchlist field stores the sys_ids of the groups, not their names. If it stores the names, you will need to modify the script to work with names instead of sys_ids.

