What minimal roles to give a user so that they can see only records associated to them
‎01-29-2025 07:27 AM
Hi Team,
I am an admin on one of the ServiceNow instances and have a user (say u1 for anonymity) who is a junior developer. I want to give them minimal permissions so that when they try to see the list of all incidents, only the incidents related to that particular user are available to them. Also, when they try to list the incidents using the REST API with their credentials, they should be able to fetch only the exact list they see on the UI.
I used a scripted ACL over the incidents table to solve the UI part, but when the user tries to fetch the incidents, if I do not give them the `data_classification_auditor` role, they face a problem saying user not authenticated to access sys_db_object. If I give them that role, they are able to fetch all the incidents present across the system. Could anyone please help here?
‎01-29-2025 07:31 AM
The incident table already has the OOB "incident query" Query business rule.
If the logged-in user is the Caller or Opened by or present in the watch list, then only those incidents will be seen.
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
‎01-29-2025 07:35 AM
Hi @Phil J
OOTB, a user can see his/her incident even without any role. To see another incident, you can give the incident_read or write role, which is the minimum.
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]
‎01-29-2025 09:38 PM
Hey,
Though on the UI the user can see only their incidents, when we try to fetch them using the REST API, it fetches all the incidents, even those not related to the user. That is the main concern.
‎01-29-2025 09:43 PM
Whenever the Table API is running, it will utilize the query BR and the table-level READ ACL and block the records.
You cannot remove this OOB behavior.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
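One way to verify the behaviour discussed in this thread is to fetch the incident list with u1's credentials and check every returned row against the rule from the replies (caller, opened by, or on the watch list). The following is an added example, not code from any poster; it assumes that rule maps to the `caller_id`, `opened_by` and `watch_list` columns, and the sys_ids and sample response are constructed.

```javascript
// Added example. Reference fields come back as {link, value} objects, or as
// bare sys_id strings when sysparm_exclude_reference_link=true; handle both.
function refValue(field) {
  if (field && typeof field === 'object') return field.value || '';
  return field || '';
}

// True when the user is caller, opener, or on the watch list of the record.
// watch_list is a comma-separated list that may also hold e-mail addresses.
function isAssociated(incident, userSysId) {
  const watchers = refValue(incident.watch_list).split(',').map(s => s.trim());
  return refValue(incident.caller_id) === userSysId ||
         refValue(incident.opened_by) === userSysId ||
         watchers.includes(userSysId);
}

// Numbers of incidents in a Table API response body that the user could read
// although none of the three fields ties the record to them.
function findLeakedIncidents(responseBody, userSysId) {
  const rows = (responseBody && responseBody.result) || [];
  return rows.filter(r => !isAssociated(r, userSysId)).map(r => r.number);
}

// Fetch the list as the restricted user (not called here; needs a live instance).
async function fetchIncidentsAs(instanceUrl, username, password) {
  const url = instanceUrl + '/api/now/table/incident' +
    '?sysparm_fields=number,caller_id,opened_by,watch_list&sysparm_limit=1000';
  const res = await fetch(url, { headers: {
    Accept: 'application/json',
    Authorization: 'Basic ' + btoa(username + ':' + password),
  } });
  if (!res.ok) throw new Error('Table API returned HTTP ' + res.status);
  return res.json();
}

// Constructed sample: sys_ids and records are made up for illustration.
const U1 = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1';
const OTHER = 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb2';
const SAMPLE_RESPONSE = { result: [
  { number: 'INC0000001', caller_id: { link: 'https://example.invalid/u1', value: U1 },
    opened_by: { link: 'https://example.invalid/o', value: OTHER }, watch_list: '' },
  { number: 'INC0000002', caller_id: OTHER, opened_by: OTHER, watch_list: OTHER + ', ' + U1 },
  { number: 'INC0000003', caller_id: OTHER, opened_by: OTHER, watch_list: 'someone@example.com' },
  { number: 'INC0000004', caller_id: '', opened_by: U1, watch_list: '' },
] };
```

An empty result from `findLeakedIncidents` means the REST response stays within the rule; any number it returns is a record the role or ACL configuration exposed beyond it.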