Assignment group members can edit the respective incident. For other users, the incident should be read only

abc1233
Tera Contributor

Only Assignment group members can edit the respective incident. For other users the incident should be read only, except work notes; work notes should be editable by all ITIL users. Please give me a "Deny Unless" ACL, because if I try to create a normal ACL, my ACL is not working because of the OOB ACLs.

1 ACCEPTED SOLUTION

Anand__99
Kilo Sage

Hi @abc1233,

You need to create two Deny Unless ACLs to achieve this:

1) Create a Deny Unless ACL on write operation

Make sure you are not creating it on the table but at field level: incident.*

If you create incident.none, it is going to restrict write access to all records which do not satisfy the condition; it's not going to check your field-level ACL.

[screenshots of the incident.* write ACL record]


2) Create a Deny Unless ACL on write operation to allow adding work notes

[screenshot of the incident.work_notes write ACL record]

If this solves your query, mark this as correct/helpful.

Thanks

Anand

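As an added example (not code from the accepted answer or from anyone in this thread), here are the two field-level Deny Unless write ACLs expressed as ServiceNow ACL scripts, with constructed stand-ins for `current` and `gs` so the logic runs offline. The conditions in the screenshots are not visible here, so the rule bodies are an assumption about them; `makeGs`, `makeIncident` and `writeDecisions` are only a harness.

```javascript
// Added example, not code from the thread. Script equivalents of the two
// field-level "Deny Unless" write ACLs in the accepted answer, as plain
// functions so they can be read and exercised outside ServiceNow. Assumes the
// standard server-side objects `current` (incident GlideRecord) and `gs`
// (GlideSystem); the conditions in the screenshots are not visible here, so
// the rule bodies are an assumption about them.

// ACL 1: incident.* / write / Deny Unless.
// Members of the assignment group may edit any field; everyone else is denied.
function denyUnlessGroupMember(current, gs) {
  var group = current.getValue('assignment_group');
  // Assumption: an unassigned incident stays editable so it can be triaged.
  if (!group) {
    return true;
  }
  return gs.getUser().isMemberOf(group);
}

// ACL 2: incident.work_notes / write / Deny Unless.
// A field-specific rule for work_notes, so any itil user keeps write access
// there even when ACL 1 would deny the rest of the record.
function denyUnlessItil(current, gs) {
  return gs.hasRole('itil');
}
// In each ACL record the script field reduces to: answer = <function>(current, gs);

// --- Offline stand-ins for current/gs (constructed; not part of the ACLs) ---
function makeGs(groups, roles) {
  var user = { isMemberOf: function (g) { return groups.indexOf(g) !== -1; } };
  return {
    getUser: function () { return user; },
    hasRole: function (r) { return roles.indexOf(r) !== -1; }
  };
}
function makeIncident(groupSysId) {
  return { getValue: function (f) { return f === 'assignment_group' ? groupSysId : ''; } };
}

// Which fields a user (by group membership and roles) may write on an
// incident assigned to `groupSysId`.
function writeDecisions(groups, roles, groupSysId) {
  var gs = makeGs(groups, roles), current = makeIncident(groupSysId);
  return {
    otherFields: denyUnlessGroupMember(current, gs),
    workNotes: denyUnlessItil(current, gs)
  };
}
```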


Hi @abc1233

Could you use Access Analyzer to identify which ACL is causing the access issue? It should help pinpoint the specific table- or field-level ACL that is denying access and provide insight into the ACL evaluation path.

Please accept the solution if it assisted you with your question & mark this response as helpful.
Regards
Tanushree Maiti
ServiceNow Technical Architect
LinkedIn: https://www.linkedin.com/in/tanushreemaiti

PoonkodiS
Giga Sage

Hi @abc1233 

You have to create two ACLs:

1. type: record
   operation: write
   table: incident.none
   role: itil
   decision type: deny unless
   condition: assignment group | is (dynamic) | one of my groups

2. type: record
   operation: write
   table: incident.work_notes
   role: itil
   decision type: allow if


Restrict for ITIL Users - should not see the other groups tickets - Support and Troubleshooting - No...

ServiceNow evaluates Deny Unless ACLs before Allow If ACLs.

Hi @PoonkodiS 

I tried this but still work notes are not editable.

PoonkodiS
Giga Sage

Hi @abc1233 

1. Create a row-level ACL

   type: record
   operation: write
   table: incident.none
   role: itil

2. type: record
   operation: write
   table: incident.*
   decision type: deny unless

   script:

   // If the user is in the assignment group (or no group is set), allow editing; otherwise block it.
   // getValue() hands isMemberOf() the group sys_id as a plain string.
   if (current.assignment_group.nil() || gs.getUser().isMemberOf(current.getValue('assignment_group'))) {
       answer = true;
   } else {
       answer = false;
   }


3. type: record
   operation: write
   table: incident.work_notes
   role: itil
   decision type: allow if

@PoonkodiS I tried this as well but no luck 😑