Using a before query business rule to restrict records

tsutherland
Kilo Sage

I am trying to write before-query business rules on the sc_task and sc_req_item tables to restrict access to a specific catalog item with sensitive data. I have figured out how to only allow an admin or a member of a group to see the records, but I am having trouble figuring out how to allow the person who submitted the request to see it.

This is the script on the sc_task table:

/**
 * Before-query business rule on sc_task.
 * Users who are neither admins nor members of the privileged group get an
 * extra condition that hides every task whose short description contains
 * "Data Access Review". As written, this also hides those tasks from the
 * person who raised the request.
 */
(function executeRule(current, previous /*null when async*/) {
	var viewer = gs.getUser();
	var isExempt = viewer.hasRole("admin") || viewer.isMemberOf('SYS ID OF GROUP');

	// Admins and group members keep the unrestricted query.
	if (isExempt) {
		return;
	}

	// NOTE(review): the match is on short-description text, so a task whose
	// short description is edited or worded differently is no longer hidden.
	// Filtering on the catalog item, as the sc_req_item rule does, may be
	// sturdier. Confirm against how the tasks are generated.
	current.addEncodedQuery("short_descriptionNOT LIKEData Access Review");
})(current, previous);

And this is the script on the sc_req_item table:

/**
 * Before-query business rule on sc_req_item.
 * Users who are neither admins nor members of the privileged group get an
 * extra condition that excludes requested items for the sensitive catalog
 * item. As written, the requester is excluded as well.
 */
(function executeRule(current, previous /*null when async*/) {
	var viewer = gs.getUser();

	// Admins and group members keep the unrestricted query.
	if (viewer.hasRole("admin") || viewer.isMemberOf('SYS ID OF GROUP')) {
		return;
	}

	// NOTE(review): this narrows queries on sc_req_item only. Variable values
	// live in separate tables, and access control rules remain the place to
	// enforce read access. Confirm those are covered as well.
	current.addEncodedQuery("cat_item!=SYS ID OF CAT ITEM");
})(current, previous);

An encoded query was the only way I could figure out how to restrict, since the filter conditions don't work on a before-query, but of course now the submitter cannot see their own requests. 

Is there an ELSE IF statement I should make? I'm new to scripting and having trouble wrapping my head around this one. Thanks for your assistance!

1 ACCEPTED SOLUTION

Hi,

Can you try the below script.

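/**
 * Before-query business rule on sc_task.
 * Admins and members of the privileged group see every task. Everyone else
 * sees "Data Access Review" tasks only when they are the requested_for user
 * on the parent request.
 */
(function executeRule(current, previous /*null when async*/ ) {
    // Admin or member of the privileged group: add no restriction.
    if (gs.hasRole('admin') || gs.getUser().isMemberOf('SYS ID OF GROUP')) {
        return;
    }

    // "NOT LIKE x ^NQ LIKE x ^ requested_for=me" reduces to
    // "NOT LIKE x ^OR requested_for=me". The ^OR form stays one condition
    // that is ANDed with whatever the query already holds. ^NQ starts a new
    // query that is ORed with everything before it, so the user's own list
    // filter and conditions added by other before-query rules would not
    // apply to the rows matched by the second half.
    // NOTE(review): requested_for can differ from the user who submitted the
    // request (opened_by). Confirm which one should grant visibility.
    current.addEncodedQuery("short_descriptionNOT LIKEData Access Review^ORrequest.requested_for=" + gs.getUserID());
})(current, previous);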



Hi @tsutherland ,

I am trying to build the same logic, but I am having difficulty understanding how many business rules you created.

There are 3 business rules (sc_req, sc_req_item, sc_task) with the same script ? 

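/**
 * Before-query business rule restricting "Data Access Review" records.
 *  - admin or member of the privileged group: no restriction
 *  - itil user outside the group: all such records hidden
 *  - any other user without snc_external: such records hidden unless the
 *    user is the requested_for on the parent request
 */
(function executeRule(current, previous /*null when async*/) {
	var viewer = gs.getUser();

	// Admin or member of the privileged group: leave the query untouched.
	// (The original passed an empty encoded query here, which adds nothing.)
	if (viewer.hasRole("admin") || viewer.isMemberOf('group sys id')) {
		return;
	}

	// Group membership was ruled out above, so only the itil role is checked.
	if (viewer.hasRole("itil")) {
		current.addEncodedQuery("short_descriptionNOT LIKEData Access Review");
		return;
	}

	if (!viewer.hasRole("snc_external")) {
		// ^OR keeps this a single condition ANDed with the existing query.
		// The ^NQ form ORs a whole new query with everything before it, so
		// list filters and other before-query conditions would not apply to
		// the rows matched by its second half.
		current.addEncodedQuery("short_descriptionNOT LIKEData Access Review^ORrequest.requested_for=" + gs.getUserID());
		return;
	}

	// NOTE(review): a user holding snc_external (and not itil) reaches this
	// point with no condition added, so this rule does not hide anything
	// from them. Confirm that is intended and that ACLs cover that case.
})(current, previous);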

 

Let me know 

 

Thanks

Hi @Herin 

I did two business rules with similar scripts, as noted below. I didn't do one on the sc_request table because what I was trying to hide were the variables shown in the RITM and SCTASK.

On the sc_req_item, my script is like what is above in your response. 

On the sc_task table, this is the script I used:

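/**
 * Before-query business rule on sc_task.
 * Admins and members of the privileged group see every task. itil users
 * outside the group get a condition hiding tasks whose short description
 * contains "Data Access Review".
 */
(function executeRule(current, previous /*null when async*/) {
	var viewer = gs.getUser();

	// Exempt users: leave the query untouched. The original passed an empty
	// encoded query here and stored the result in an unused variable.
	if (viewer.hasRole("admin") || viewer.isMemberOf('SYSID of Group')) {
		return;
	}

	// Group membership was ruled out above, so only the itil role is checked.
	if (viewer.hasRole("itil")) {
		current.addEncodedQuery("short_descriptionNOT LIKEData Access Review");
	}

	// NOTE(review): users without itil who are neither admin nor in the group
	// get no condition from this rule. Whether they can read these tasks is
	// then decided by the table's ACLs. Confirm that matches the intent.
})(current, previous);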

I hope that helps!

Thank you it really helped.