
‎09-14-2021 08:03 AM
I am trying to write before-query business rules on the sc_task and sc_req_item tables to restrict access to a specific catalog item with sensitive data. I have figured out how to only allow an admin or a member of a group to see the records, but I am having trouble figuring out how to allow the person who submitted the request to see it.
This is the script on the sc_task table:
(function executeRule(current, previous /*null when async*/) {
    // Users who are neither admins nor members of the IT Security group must not see the restricted tasks
    if (!gs.getUser().hasRole("admin") && !gs.getUser().isMemberOf('SYS ID OF GROUP')) {
        current.addEncodedQuery("short_descriptionNOT LIKEData Access Review");
    }
})(current, previous);
And this is the script on the sc_req_item table:
(function executeRule(current, previous /*null when async*/) {
    // Users who are neither admins nor members of the IT Security group must not see the restricted catalog item
    if (!gs.getUser().hasRole("admin") && !gs.getUser().isMemberOf('SYS ID OF GROUP')) {
        current.addEncodedQuery("cat_item!=SYS ID OF CAT ITEM");
    }
})(current, previous);
An encoded query was the only way I could figure out how to restrict, since the filter conditions don't work on a before-query, but of course now the submitter cannot see their own requests.
Is there an ELSE IF statement I should make? I'm new to scripting and having trouble wrapping my head around this one. Thanks for your assistance!
‎09-14-2021 09:44 AM
Hi
I believe you can achieve what you are looking for with the below script:
‎09-14-2021 11:31 AM
Thank you for the response!
It does seem to work for an itil user (as in it hides the restricted item), but it is still not showing for the requester. I edited the script slightly for the requester so it would show them all items where they are the requester (including the restricted one). I'm an admin and I'm not seeing the requests, and when impersonating a member of the identified group I'm only seeing their requests. I feel like maybe I have the logic all wrong here.
(function executeRule(current, previous /*null when async*/) {
    if (!gs.getUser().hasRole("admin") && !gs.getUser().isMemberOf('SYS ID OF GROUP')) {
        // not an admin and not a group member: hide the restricted items
        current.addEncodedQuery("short_descriptionNOT LIKEData Access Review");
    } else {
        // otherwise: show only the user's own requests
        current.addEncodedQuery("request.requested_for=" + gs.getUserID());
    }
})(current, previous);
When I read this script in real language, if I am not an admin AND not a member of the group, don't show me these restricted items, otherwise, show me only my own requests.
What I really want is if I am an admin or if I am a member of the group there's no limit to being able to see these records. If I'm any other platform user (itil, read only role, api) I should not be able to see any of the restricted requests. But, if I put in the request, I need to be able to see my own.
Does that make sense?
‎09-14-2021 12:20 PM
Hi,
Can you try the script below?
(function executeRule(current, previous /*null when async*/) {
    if (gs.hasRole('admin') || gs.getUser().isMemberOf('SYS ID OF GROUP')) {
        // admin or member of the group: no restriction
        return;
    }
    // anyone else: either the short description does not contain the sensitive text,
    // or (second branch, ^NQ) it does and the current user is the requested_for of the request
    current.addEncodedQuery("short_descriptionNOT LIKEData Access Review^NQshort_descriptionLIKEData Access Review^request.requested_for=" + gs.getUserID());
})(current, previous);
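To see which records each kind of user actually gets through these encoded queries, here is an added offline simulation (example code, not from this thread and not ServiceNow's own API). It stands in for gs and current with minimal mock objects, evaluates the operators the thread uses (=, !=, LIKE, NOT LIKE, dot-walked fields and ^NQ as a top-level OR branch) against a few constructed sc_task rows, and runs both the original rule from the question and the accepted answer's rule for an admin, a group member, the requester and an unrelated itil user. GROUP_SYS_ID, the user and record values, and the stand-in behaviour of gs.hasRole (true for any role when the user holds admin) are assumptions; ACLs and other query rules are not modelled.

```javascript
// Added example: offline simulation of a ServiceNow "before query" business rule.
// gs and current are minimal stand-ins (assumption), not the real GlideSystem/GlideRecord.
const GROUP_SYS_ID = 'GROUP_SYS_ID_PLACEHOLDER'; // placeholder for the real group sys_id
const SENSITIVE = 'Data Access Review';

// Constructed sample sc_task rows (request.requested_for is dot-walked from sc_request)
const RECORDS = [
  { number: 'TASK0001', short_description: 'Reset password',                 request: { requested_for: 'user_alice' } },
  { number: 'TASK0002', short_description: 'Data Access Review for finance', request: { requested_for: 'user_alice' } },
  { number: 'TASK0003', short_description: 'Data Access Review for HR',      request: { requested_for: 'user_bob' } },
];

// Constructed sample users: sys_id, roles and group memberships
const USERS = {
  admin:    { sys_id: 'user_admin', roles: ['admin'], groups: [] },
  security: { sys_id: 'user_sec',   roles: ['itil'],  groups: [GROUP_SYS_ID] },
  alice:    { sys_id: 'user_alice', roles: [],        groups: [] }, // requester, no roles
  itil:     { sys_id: 'user_itil',  roles: ['itil'],  groups: [] }, // unrelated fulfiller
};

// Stand-in for gs: hasRole is true for admins regardless of the role asked for
function makeGs(user) {
  const hasRole = (role) => user.roles.includes('admin') || user.roles.includes(role);
  return {
    getUserID: () => user.sys_id,
    hasRole,
    getUser: () => ({ hasRole, isMemberOf: (group) => user.groups.includes(group) }),
  };
}

// Stand-in for current: only records the encoded query the rule appends
function makeCurrent() {
  return { query: '', addEncodedQuery(q) { this.query = this.query ? this.query + '^' + q : q; } };
}

// Dot-walk a field path such as "request.requested_for"
function getField(rec, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), rec);
}

// One encoded-query term: <field><operator><value>, for the operators used in the thread
function termMatches(rec, term) {
  const m = /^([\w.]+)(NOT LIKE|LIKE|!=|=)(.*)$/.exec(term);
  if (!m) throw new Error('unsupported encoded query term: ' + term);
  const raw = getField(rec, m[1]);
  const value = raw == null ? '' : String(raw);
  switch (m[2]) {
    case '=':        return value === m[3];
    case '!=':       return value !== m[3];
    case 'LIKE':     return value.includes(m[3]);
    case 'NOT LIKE': return !value.includes(m[3]);
    default:         throw new Error('unsupported operator: ' + m[2]);
  }
}

// ^NQ starts a new top-level OR branch; ^ separates AND-ed terms inside a branch
function encodedQueryMatches(rec, query) {
  if (!query) return true;
  return query.split('^NQ').some((branch) => branch.split('^').every((t) => termMatches(rec, t)));
}

// The rule from the original question: hide the sensitive tasks from everyone outside admin/group
function originalRule(gs, current) {
  if (!gs.getUser().hasRole('admin') && !gs.getUser().isMemberOf(GROUP_SYS_ID)) {
    current.addEncodedQuery('short_descriptionNOT LIKE' + SENSITIVE);
  }
}

// The accepted answer's rule: admin/group unrestricted; everyone else sees non-sensitive tasks
// plus (^NQ branch) sensitive tasks where they are the requested_for of the request
function answerRule(gs, current) {
  if (gs.hasRole('admin') || gs.getUser().isMemberOf(GROUP_SYS_ID)) return;
  current.addEncodedQuery('short_descriptionNOT LIKE' + SENSITIVE +
    '^NQshort_descriptionLIKE' + SENSITIVE + '^request.requested_for=' + gs.getUserID());
}

// Run a rule for a user and return the task numbers the resulting query lets through
function visibleTasks(rule, user) {
  const current = makeCurrent();
  rule(makeGs(user), current);
  return RECORDS.filter((r) => encodedQueryMatches(r, current.query)).map((r) => r.number);
}

for (const [name, user] of Object.entries(USERS)) {
  console.log(name.padEnd(9), 'original:', visibleTasks(originalRule, user).join(','),
              '| answer:', visibleTasks(answerRule, user).join(','));
}
```

Under the original rule the requester sees only TASK0001; under the accepted answer's rule the requester also sees her own TASK0002 but not TASK0003, and the unrelated itil user still sees only TASK0001. The simulation only evaluates the query string the rule appends, so any difference observed on a real instance comes from something this model leaves out (ACLs, other query rules, or the conditions already on the query before the rule runs).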

‎09-14-2021 12:28 PM
That worked to finally let my end user see their ticket in the portal! The admin can see the records and so can the group member, but unfortunately, so can the itil user. Maybe if I add one more 'else if' statement like I did in my reply below that will work? I'll try it!