Restrict Access to Incidents While In Some Assignment Groups

JamesLindsay
Giga Guru

I have an issue where ITIL users who are not members of a set of assignment groups are moving tickets out of the assignment groups and I want to prevent that. Let's say I have AGs A, B, and C, where incidents of a fairly specific type fall. I only want members of the AGs A, B, and C to be able to move them to another AG. I've tried a BR with only limited success and I'm not sure how to approach this with ACLs. We do not have the Data Filtration plugin.

1 ACCEPTED SOLUTION

Try this in a "before update" business rule:

var groupA = 'sys_id_of_group_A';
var groupB = 'sys_id_of_group_B';
var groupC = 'sys_id_of_group_C';

var currentUser = gs.getUser();
var isMemberOfA = currentUser.isMemberOf(groupA);
var isMemberOfB = currentUser.isMemberOf(groupB);
var isMemberOfC = currentUser.isMemberOf(groupC);

if (!isMemberOfA && !isMemberOfB && !isMemberOfC) {
    gs.addErrorMessage(gs.getMessage('You are not allowed to reassign incidents from this group.'));
    current.setAbortAction(true);
}

 

Make sure to add an appropriate condition:

current.assignment_group.changes() && (previous.assignment_group == 'sys_id_of_group_A' || previous.assignment_group == 'sys_id_of_group_B' || previous.assignment_group == 'sys_id_of_group_C')

 


3 REPLIES

Slava Savitsky
Giga Sage

Indeed, you can either use ACLs to allow write access to the Assignment Group field only for members of the current assignment group or a "before update" business rule to abort the transaction if someone who is not in the current assignment group tries to reassign the record. In either case, you would need to check group membership of the current user with a script similar to this:

 

gs.getUser().isExplicitMemberOf(current.assignment_group) // true if the user is in the current assignment group

// OR

gs.getUser().isMemberOf(current.assignment_group) // true if the user is in the current assignment group or any of its child groups

 

What does your business rule look like? And what exactly do you mean by "limited success"?

 

I think I need to be more specific. AG A(Members 1,2); AG B(Members 3,4); AG C(Members 1,3,5). Anyone in any of these groups can update an incident record in any of these groups. Only when the incident is no longer in these groups should any other ITIL user be able to update the incident.

This is a before query BR. Initially I thought I'd try to remove them from even being found unless you were a member of any of these groups or an admin. It's been a bit since I hacked at this so I can't say for sure what state it is actually in right now.

 

(function executeRule(current, previous /*null when async*/ ) {
    gs.log("The User Is: "+ gs.getUserDisplayName(), 'NOC_GroupA');
    var NOCgrp = ['e249c71ddb6148507c567fc88c961997', 'ae9834e2db0a1700d74ff3861d9619f5', '84af4406dbb3d3849ca773c58c9619ff', '61e8ff2c6fe5710076a3f59eae3ee4cd', '5d8785020ffcbe80880d46ace1050e79', 'a1e8ff2c6fe5710076a3f59eae3ee4cb', '55faf0c0db0c04907c567fc88c96198e'];
    var grpSize = NOCgrp.length;
    for (var i = 0; i < grpSize; i++) {
        //var grp = current.addNullQuery('assignment_group').addOrCondition('assignment_group','!=','e249c71ddb6148507c567fc88c961997');    
        gs.log("Checking NOC Group: " + NOCgrp[i], 'NOC_GroupA' + i);
        var grp = current.addNullQuery('assignment_group').addOrCondition('assignment_group', '!=', NOCgrp[i]);
        gs.log("grp is: " + NOCgrp[i], 'NOC_GroupA' + i);
        //if (!grp) {}
    }
})(current, previous);
 
Limited success means this is only evaluating a single group.
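
The membership check from the accepted solution, generalized to a list of groups, as an added example that is not part of the original thread. The function names, the admin exemption and passing `gs` in as a parameter are assumptions of this sketch, and the sys_ids are the placeholders used in the thread.

```javascript
// Added example. Placeholder values: replace with the real group sys_ids.
var PROTECTED_GROUPS = ['sys_id_of_group_A', 'sys_id_of_group_B', 'sys_id_of_group_C'];

// Pure decision function: returns true when the update must be aborted.
// previousGroup - assignment group the incident held before this update
// isMember      - callback(groupSysId) -> boolean for the acting user
// isAdmin       - assumption: admins are exempt from the restriction
function mustBlockUpdate(previousGroup, protectedGroups, isMember, isAdmin) {
    var prev = previousGroup == null ? '' : String(previousGroup);
    if (protectedGroups.indexOf(prev) === -1) {
        return false; // incident was not held by a protected group
    }
    if (isAdmin) {
        return false;
    }
    // Membership in ANY protected group is enough (user 5 in group C
    // may act on an incident held by group A).
    for (var i = 0; i < protectedGroups.length; i++) {
        if (isMember(protectedGroups[i])) {
            return false;
        }
    }
    return true;
}

// "before update" business rule body on incident.
// With the condition current.assignment_group.changes() the rule only
// guards reassignment; without it, every update by a non-member is aborted
// while the incident sits in a protected group.
// In the instance, call this as executeRule(current, previous, gs).
function executeRule(current, previous, gs) {
    var user = gs.getUser();
    var blocked = mustBlockUpdate(
        previous.assignment_group,
        PROTECTED_GROUPS,
        function (groupId) { return user.isMemberOf(groupId); },
        gs.hasRole('admin')
    );
    if (blocked) {
        gs.addErrorMessage('Only members of the owning groups can update this incident.');
        current.setAbortAction(true);
    }
    return blocked;
}
```

Business rules are skipped for updates made by scripts that call `setWorkflow(false)`, so a write ACL on the Assignment group field using the same membership check, as mentioned earlier in the thread, is worth adding alongside the rule.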
