Restrict users from resolving P1/P2 incidents; only Group-A should have access to resolve them
03-13-2024 03:23 AM
Hi All,
I'm trying to restrict users from resolving P1/P2 incidents, so that only Group-A has access to resolve P1/P2 incidents. How can we achieve
03-13-2024 04:54 AM
My friend,
We need to update this condition and add Priority as well. So update it and then test.
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]
03-18-2024 03:25 AM
Hi @bankuru bhargav
### Step 1: Define a User Group for Group-A
First, ensure that “Group-A” is clearly defined in your ServiceNow instance with the appropriate users added to it.
1. Navigate to User Administration > Groups.
2. Check if “Group-A” exists. If not, click “New” to create it and add users accordingly.
### Step 2: Create an Access Control Rule (ACL)
Create an ACL to enforce the restriction on changing the incident state to resolved for P1/P2 incidents except for users in “Group-A”.
1. Navigate to System Security > Access Control (ACL).
2. Click “New” to create a new ACL.
3. For the Type, select “Record”.
4. For the Operation, choose “Write”.
5. For the Name or Table, select “Incident [incident]”.
6. Conditions: Specify conditions to match P1 and P2 incidents. This could look like: [Priority] [is] [1 - Critical] or [Priority] [is] [2 - High]. You may need to create two separate ACLs for P1 and P2 if you cannot adequately define this in a single condition.
7. Script: Use a script to check if the user is part of “Group-A”. Below is a sample script you might use. Adjust “group_a_sys_id” to the actual sys_id of Group-A.
```javascript
// ACL script: the rule passes only when `answer` evaluates to true.
answer = (function () {
    // Replace 'group_a_sys_id' with the actual sys_id of Group-A
    var groupASysId = 'group_a_sys_id'; // Example sys_id

    // Look for a membership row linking the current user to Group-A
    var userGrpMember = new GlideRecord('sys_user_grmember');
    userGrpMember.addQuery('group', groupASysId);
    userGrpMember.addQuery('user', gs.getUserID());
    userGrpMember.query();
    if (userGrpMember.next()) {
        // User is in Group-A, allow write
        return true;
    }
    // If the code reaches here, the user is not in Group-A, prevent write unless read-only fields
    return false;
})();
```
Save and test.
Note: Please mark this as Helpful and Accepted Solution if this helps you to understand. This will help us a lot.
Thanks & Regards
Deepak Sharma
03-18-2024 03:49 AM
How are your P1/P2 incidents resolved? If it is through the 'resolve' button, you can easily change the conditions on the button (UI action) as has already been answered.
If it is through changing the state of the form itself, you will need to create some logic that will limit that. Question is: what's your process? It would be easy to just put 'write' roles on the state field on P1/P2 incidents for only this group or groups, but if others are supposed to work on it, just not resolve, other logic may need to apply. Question is: what is that logic.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
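
The case raised in the last reply (others may still work on a P1/P2 incident, just not resolve it) can be enforced on the state transition itself instead of on every write. The following is an added example, not code from any poster in this thread: the body of a "before update" Business Rule that aborts only the change to Resolved. The state value 6, the priority values 1 and 2, and the group name "Group-A" are assumed defaults, and the function names are hypothetical.

```javascript
// Added example: body of a "before update" Business Rule on Incident.
// Assumed defaults: priority 1/2 = P1/P2, state 6 = Resolved, and a group
// literally named "Group-A". Function names are hypothetical.
var RESTRICTED_PRIORITIES = ['1', '2'];
var STATE_RESOLVED = '6';
var RESOLVER_GROUP = 'Group-A';

// Pure decision: true when the update must be rejected.
function isBlockedResolve(priorities, changesToResolved, inResolverGroup) {
    var restricted = priorities.some(function (p) {
        return RESTRICTED_PRIORITIES.indexOf(String(p)) !== -1;
    });
    return restricted && !!changesToResolved && !inResolverGroup;
}

// Glue to the platform objects, passed in so the function can also be
// exercised with stand-ins outside an instance.
function enforceResolveRestriction(current, previous, gs) {
    // Include the stored priority, so lowering priority and resolving in
    // the same update is still checked against the original P1/P2 value.
    var priorities = [current.getValue('priority')];
    if (previous) {
        priorities.push(previous.getValue('priority'));
    }
    var blocked = isBlockedResolve(
        priorities,
        current.state.changesTo(STATE_RESOLVED),
        gs.getUser().isMemberOf(RESOLVER_GROUP)
    );
    if (blocked) {
        gs.addErrorMessage('Only members of ' + RESOLVER_GROUP +
            ' can resolve P1/P2 incidents.');
        current.setAbortAction(true); // cancel this database update
    }
    return blocked;
}

// In a Business Rule the platform supplies current, previous and gs.
if (typeof current !== 'undefined' && typeof gs !== 'undefined') {
    enforceResolveRestriction(current,
        typeof previous !== 'undefined' ? previous : null, gs);
}
```

Unlike a record-level write ACL, this leaves every other field on P1/P2 incidents editable by non-members; a Business Rule also applies to updates made through lists, imports and APIs, not only the form.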
