Using a before query business rule to restrict records

tsutherland

I am trying to write before-query business rules on the sc_task and sc_req_item tables to restrict access to a specific catalog item with sensitive data. I have figured out how to only allow an admin or a member of a group to see the records, but I am having trouble figuring out how to allow the person who submitted the request to see it.

This is the script on the sc_task table:

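(function executeRule(current, previous /*null when async*/) {
    // Query business rule on sc_task: hide the sensitive "Data Access Review"
    // tasks from everyone who is neither an admin nor a member of the group.
    // `current` is the GlideRecord being queried; `previous` is not used here.
    var user = gs.getUser();
    if (user.hasRole("admin") || user.isMemberOf('SYS ID OF GROUP')) {
        return; // privileged users see every task
    }
    // Deny by default for everyone else. addEncodedQuery adds the condition to
    // `current` in place and returns nothing worth keeping.
    // NOTE(review): the match is on short_description, which is editable text;
    // keying the restriction on the catalog item (presumably
    // request_item.cat_item on sc_task) would be harder to defeat by renaming.
    current.addEncodedQuery("short_descriptionNOT LIKEData Access Review");
})(current, previous);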

And this is the script on the sc_req_item table:

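(function executeRule(current, previous /*null when async*/) {
    // Query business rule on sc_req_item: hide items created from the sensitive
    // catalog item unless the user is an admin or a member of the group.
    // `current` is the GlideRecord being queried; `previous` is not used here.
    var user = gs.getUser();
    if (user.hasRole("admin") || user.isMemberOf('SYS ID OF GROUP')) {
        return; // privileged users see every item
    }
    // Deny by default. Note this also hides the item from the person it was
    // requested for; an exception for them has to be added as a grouped OR on
    // request.requested_for, not as a separate branch that skips the rule.
    current.addEncodedQuery("cat_item!=SYS ID OF CAT ITEM");
})(current, previous);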

An encoded query was the only way I could figure out how to restrict, since the filter conditions don't work on a before-query, but of course now the submitter cannot see their own requests. 

Is there an ELSE IF statement I should make? I'm new to scripting and having trouble wrapping my head around this one. Thanks for your assistance!

1 ACCEPTED SOLUTION

Hi,

Can you try the script below?

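(function executeRule(current, previous /*null when async*/ ) {
    // Query business rule on sc_req_item: admins and group members see every
    // item; everyone else sees items that are not "Data Access Review"
    // requests, plus the ones requested for themselves.
    // `current` is the GlideRecord being queried; `previous` is not used here.
    var user = gs.getUser();
    if (gs.hasRole('admin') || user.isMemberOf('SYS ID OF GROUP')) {
        return;
    }
    // Build the requester exception as a grouped OR that stays ANDed with the
    // rest of the query. The encoded form with ^NQ starts a new top-level OR
    // branch, which in a query rule is joined with whatever conditions are
    // already on `current` (the user's own filter, other query rules), so the
    // restriction is hard to reason about in that form.
    // (NOT LIKE X) OR (LIKE X AND requested_for = me) is the same as
    // (NOT LIKE X) OR (requested_for = me).
    var visible = current.addQuery('short_description', 'DOES NOT CONTAIN', 'Data Access Review');
    visible.addOrCondition('request.requested_for', gs.getUserID());
})(current, previous);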



Thanks for the update.

Please let me know if you need any further assistance.

Here's my new script, and this one works! Thank you for all your help!

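(function executeRule(current, previous /*null when async*/) {
    // Query business rule on sc_req_item with three tiers of visibility:
    //   admin / group member -> unrestricted
    //   itil (fulfillers)    -> "Data Access Review" items hidden
    //   everyone else        -> hidden unless requested for the current user
    // `current` is the GlideRecord being queried; `previous` is not used here.
    var user = gs.getUser();
    if (user.hasRole("admin") || user.isMemberOf('group sys id')) {
        return;
    }
    if (user.hasRole("itil")) {
        // Group members were already excluded above, so no second membership
        // check is needed here.
        current.addQuery('short_description', 'DOES NOT CONTAIN', 'Data Access Review');
        return;
    }
    // Every remaining user, including accounts holding snc_external, gets the
    // restricted view: leaving any role unhandled would make this rule fail
    // open and show the sensitive items to that role.
    // Grouped OR (kept ANDed with the rest of the query) instead of ^NQ, which
    // starts a new top-level OR branch against everything already on `current`.
    var visible = current.addQuery('short_description', 'DOES NOT CONTAIN', 'Data Access Review');
    visible.addOrCondition('request.requested_for', gs.getUserID());
})(current, previous);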

Great, glad that your issue got resolved.

If my response was helpful, could you mark it as correct so that the question is removed from the unanswered list?

Thank you!  This is exactly what I needed!

tsutherland

I'm making some progress... for the business rule on the sc_task table I stopped worrying about the person who requested it because an end user can't see those records in the portal anyway and access to the catalog item is already restricted to a group. So this script works for restricting access to those records and still allowing it for the group member and admin:

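(function executeRule(current, previous /*null when async*/) {
    // Query business rule on sc_task: "Data Access Review" tasks are visible
    // only to admins and members of the reviewing group.
    // `current` is the GlideRecord being queried; `previous` is not used here.
    var user = gs.getUser();
    if (user.hasRole("admin") || user.isMemberOf('sys id of group')) {
        return; // the two unrestricted cases, merged
    }
    // Everyone else gets the restriction, itil fulfillers and any other role
    // alike, so a user holding neither admin nor itil cannot fall through
    // this rule unrestricted. The membership check is not repeated here
    // because group members already returned above.
    current.addQuery('short_description', 'DOES NOT CONTAIN', 'Data Access Review');
})(current, previous);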

Is that code garbage aka not best practice?