2 weeks ago
I have set up an ACL which allows write to any incidents for members of the assignment group it is assigned to.
They have read access to all other incidents.
The only problem is that they also have write access to incidents assigned to the parent assignment group of the one they are assigned to.
How do I modify it to allow write 'Only' to incidents assigned to the group they are in?
2 weeks ago
Then use GlideRecord on sys_user_grmember and check direct membership:
var gr = new GlideRecord('sys_user_grmember');
gr.addQuery('user', gs.getUserID());                       // the logged-in user
gr.addQuery('group', current.assignment_group.toString()); // the exact group sys_id, no parent expansion
gr.query();
var isMember = gr.hasNext(); // true only if a direct membership row exists
answer = current.caller_id == gs.getUserID() || current.caller_id == '' || isMember;
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
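To see why the two checks differ before touching the ACL, here is an added model in plain JavaScript; it is not from the thread or the ServiceNow API. The users, group sys_ids and parent links are constructed; isDirectMember mirrors the sys_user_grmember query above, and myGroupsWithParents reproduces the "One of My Groups" behaviour the thread describes (a user's groups plus their ancestors).

```javascript
// Offline model of the incident write ACL (constructed data, not platform objects).

// Constructed sys_user_group hierarchy: child sys_id -> parent sys_id (null = top level)
const GROUP_PARENT = {
  grp_network_l2: 'grp_network_l1', // L2 is a child of L1
  grp_network_l1: null,
};

// Constructed sys_user_grmember rows: direct memberships only
const GRMEMBER = [
  { user: 'user_alice', group: 'grp_network_l2' },
  { user: 'user_bob',   group: 'grp_network_l1' },
];

// Equivalent of the GlideRecord query on sys_user_grmember: exact group only.
function isDirectMember(userId, groupId) {
  return GRMEMBER.some((r) => r.user === userId && r.group === groupId);
}

// "One of My Groups" semantics as described in the thread: every group the user
// belongs to directly, plus each ancestor of those groups.
function myGroupsWithParents(userId) {
  const groups = new Set();
  for (const r of GRMEMBER) {
    if (r.user !== userId) continue;
    let g = r.group;
    while (g && !groups.has(g)) { // stop at the top or on an already-walked branch
      groups.add(g);
      g = GROUP_PARENT[g];
    }
  }
  return groups;
}

// ACL answer for write on incident; `record` stands in for `current`.
// useDirectMembership=false models the original condition, true models the fix.
function canWrite(record, userId, useDirectMembership) {
  const callerRule = record.caller_id === userId || record.caller_id === '';
  const groupRule = useDirectMembership
    ? isDirectMember(userId, record.assignment_group)
    : myGroupsWithParents(userId).has(record.assignment_group);
  return callerRule || groupRule;
}
```

Running canWrite for a child-group member against a parent-group incident with both flags is the check worth repeating with your own group tree before the ACL goes live.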
2 weeks ago
This happens because ServiceNow’s Group field (assignment_group) is a reference to sys_user_group, and by default ACL conditions or scripts that use gr.isMemberOf() will also return true if the user is a member of a child group when the parent group is checked.
You want to scope it down so that only the exact group (not parent/child) grants write access.
Instead of using gr.isMemberOf() directly (which checks parent groups too), you need to compare the user’s exact group memberships against the record’s assignment group.
2 weeks ago - last edited 2 weeks ago
The issue is that you are using ONE OF MY GROUPS.
When you use this, it brings not only the group to which you belong but also the parent of the group to which you belong.
So remove everything from Condition and use an Advanced script:
answer = current.caller_id == gs.getUserID() || current.caller_id == '' || gs.getUser().isMemberOf(current.assignment_group);
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
2 weeks ago
Thanks, but unfortunately members of a Child Assignment group can still write to the incidents of the Parent Assignment group.
Members of a Parent Assignment group cannot write to the Child Assignment group.