What minimal roles to give a user so that they can see only records associated to them

Phil J
Tera Contributor

Hi Team,
I am an admin on one of the ServiceNow instances and have a user (say u1 for anonymity) who is a junior developer. I want to give them minimal permissions so that when they try to see the full incidents list, only the incidents related to that particular user are available to them. Also, when they try to list the incidents using the REST API with their credentials, they should be able to fetch only the exact list they see on the UI.
I used a scripted ACL over the incident table to solve the UI part, but when the user tries to fetch the incidents, if I do not give them the `data_classification_auditor` role, they face a problem saying the user is not authenticated to access sys_db_object. If I give them that role, they are able to fetch all the incidents present across the system. Could anyone please help here?

How do I block the table-level access for the user, let's say with userId u1? Also, what did you mean by Query BR?
Let's say I define a new ACL rule over the incident table to block access for u1; will it work for the REST API?

@Phil J 

A query business rule is present out of the box on the incident table.

Table-level READ ACLs are evaluated when the REST API is consumed for that table.

If the ACL allows, then that record will be available in the API response.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

Ravi Chandra_K
Kilo Patron

Hello @Phil J 

In the table-level ACL, you can put a condition on the Table.none ACL (the condition should be incidents where they are the caller, etc.).

This way, they can only get limited incidents using the REST API.

Please mark the answer as helpful and correct if helped. 

Kind Regards,

Ravi Chandra  

Phil J
Tera Contributor

Thanks a lot,
Can you provide me a sample ACL script that allows all senior developers to access incidents called by senior and junior developers? The script below gives access to the required incidents via the REST API, but on the UI I am still able to see only incidents called by the user:

(function() {
    var user = gs.getUser();  // Get the current logged-in user

    // Allow access if the current user is the caller on the incident
    if (current.caller_id == user.getID()) {
        return true;
    }

    // Look up a user's job title from sys_user by sys_id.
    // Returns '' when the user does not exist or has no title, so the
    // comparisons below never throw on an empty caller or title.
    function getTitle(userSysId) {
        var gr = new GlideRecord('sys_user');
        if (userSysId && gr.get(userSysId)) {
            var title = gr.getValue('title');
            return title ? title.toLowerCase() : '';
        }
        return '';
    }

    var userTitle = getTitle(user.getID());

    // var urgency = current.urgency.getDisplayValue().toLowerCase();
    // if (userTitle == "senior developer" && urgency == "1 - high") {
    //     return true;
    // }

    // Senior developers may read incidents whose caller is a senior or junior developer
    if (userTitle == "senior developer") {
        var callerTitle = getTitle(current.caller_id.toString());
        if (callerTitle == "senior developer" || callerTitle == "junior developer") {
            return true;
        }
    }

    // Deny access if none of the conditions are met
    return false;
})();
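The decision rule in the ACL script above, modelled as plain JavaScript so it can be checked offline against a table of users and incidents before being deployed as a scripted read ACL. This is an added example, not code from the thread or from ServiceNow; the user ids, titles and incident numbers are constructed sample data, and the platform's GlideRecord lookups are replaced by a plain object keyed by user id.

```javascript
// Constructed sample sys_user records keyed by a sys_id-like string (not real data).
const USERS = {
  u1: { title: "Junior Developer" },
  u2: { title: "Senior Developer" },
  u3: { title: "Service Desk Analyst" },
  u4: { title: "" },               // user with no job title set
};

// Constructed sample incidents; caller_id references USERS (empty = no caller).
const INCIDENTS = [
  { number: "INC0000001", caller_id: "u1" },
  { number: "INC0000002", caller_id: "u2" },
  { number: "INC0000003", caller_id: "u3" },
  { number: "INC0000004", caller_id: "u4" },
  { number: "INC0000005", caller_id: "" },
];

// Equivalent of getValue('title') followed by toLowerCase(): '' when missing.
function titleOf(userId, users) {
  const rec = users[userId];
  return rec && rec.title ? String(rec.title).toLowerCase() : "";
}

// Read decision with the same three branches as the ACL script:
// deny by default, allow the caller their own record, allow senior
// developers any record whose caller is a senior or junior developer.
function canReadIncident(currentUserId, incident, users) {
  if (!currentUserId || !incident) return false;
  if (incident.caller_id === currentUserId) return true;
  if (titleOf(currentUserId, users) !== "senior developer") return false;
  const callerTitle = titleOf(incident.caller_id, users);
  return callerTitle === "senior developer" || callerTitle === "junior developer";
}

// The list a user would get from a list view or a REST GET on the table
// once every row has passed through the read ACL.
function visibleIncidents(currentUserId, incidents, users) {
  return incidents
    .filter((inc) => canReadIncident(currentUserId, inc, users))
    .map((inc) => inc.number);
}
```

Running the same table through `visibleIncidents` for each sample user gives the per-user view the ACL should produce on both the UI and the REST API, which is the property the thread is trying to achieve.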