Write ACL on the task table

Alon Grod
Tera Expert

How can I write an advanced write ACL on the task table so that only if the current logged-in user = assigned to, he will be able to edit the task (RITM, INC, etc.)?


@Jim Coyne the goal is that only if the current user == assigned or the assignment group is one of my groups, then the logged-in user will be able to edit (admin overrides). But even though I'm creating a new ACL with these conditions on the task table, it's not working.

OK, almost there then.  Something like this should do what you want:

[Image: JimCoyne_0-1694721211608.png]

You'll want to add the appropriate Role here as well.  That would be "sn_incident_write" or "itil", depending on your current scenario:

[Image: JimCoyne_1-1694721301333.png]

AND you will have to deactivate (do not delete) any "write" rules written on the "incident" table.  That will take away write access to others.  Those rules could be found with this URL added to your instance name:

/now/nav/ui/classic/params/target/sys_security_acl_list.do%3Fsysparm_query%3Dname%253Dincident%255Eoperation%253Dwrite%26sysparm_first_row%3D1%26sysparm_view%3D

Depending on what all is in your instance, some additional tweaking may be required.  Again, be careful what you touch.

@Jim Coyne do I need to deactivate the write ACL on the incident table on specific fields as well?
For example, if I have a write ACL on incident.category, should I deactivate this as well and just stay with the general write ACL above?

Technically no:  if they cannot write to the record, they cannot write to the fields.  It would keep things cleaner and would make more sense to others looking at security, BUT it would trigger a bunch of skipped record warnings during updates/upgrades.

@Tony Chatfield1 had a good point over in another of your posts: what about new records?  This Access Control stops new records from being created.  Well, not really, but the user has very few fields they can enter, so basically stopping records from being created.
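Added example, not part of any reply in this thread: the rule discussed above (the assignee or a member of the assignment group may write) expressed as the logic of a scripted record-level write ACL, with the new-record case from the last reply let through as an assumption. `canWriteTask` and the mock objects are hypothetical names; in an ACL's Script field the platform supplies `gs` and `current`, and the role requirement and "Admin overrides" setting stay on the ACL record itself.

```javascript
// Decision logic for a record-level "write" ACL on the task table.
// In the ACL Script field this would end with: answer = canWriteTask(current, gs);
function canWriteTask(current, gs) {
  // Assumption: a new record has no assignee yet, so the check below would
  // lock its fields; let it through and leave creation to the create ACLs.
  if (current.isNewRecord()) return true;

  // Assignee match: compare sys_id strings, never an empty reference.
  var assignee = current.getValue('assigned_to');
  if (assignee && assignee === String(gs.getUserID())) return true;

  // Group match: an empty assignment group must not grant access.
  var group = current.getValue('assignment_group');
  return !!group && gs.getUser().isMemberOf(group) === true;
}

// ---- Constructed stand-ins for the platform objects, for offline runs ----
function mockRecord(fields, isNew) {
  return {
    isNewRecord: function () { return !!isNew; },
    getValue: function (name) { return fields[name] || null; }
  };
}
function mockGs(userId, groupIds) {
  return {
    getUserID: function () { return userId; },
    getUser: function () {
      return { isMemberOf: function (g) { return groupIds.indexOf(g) !== -1; } };
    }
  };
}

// Constructed sys_id placeholders, not real instance values.
var alice = mockGs('u_alice', ['g_network']);
var results = {
  assignedToMe: canWriteTask(mockRecord({ assigned_to: 'u_alice', assignment_group: 'g_db' }), alice),
  inMyGroup: canWriteTask(mockRecord({ assigned_to: 'u_bob', assignment_group: 'g_network' }), alice),
  someoneElse: canWriteTask(mockRecord({ assigned_to: 'u_bob', assignment_group: 'g_db' }), alice),
  unassigned: canWriteTask(mockRecord({}), alice),
  newRecord: canWriteTask(mockRecord({}, true), alice)
};
console.log(results);
```

The unassigned case is denied on purpose: a task with no assignee and no assignment group matches neither condition, so such records stay read-only for everyone except users covered by the ACL's admin override.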