Self Service Permissions - see all tickets for company

kchorny
Tera Guru

In the past, we've had ticketing systems that allowed self-service users to be defined as "managers" which allowed them to see all incidents/requests opened by anyone in their company, rather than just their own. We have a customer requirement to implement the same functionality in ServiceNow. It is my understanding that this functionality is not present out of the box...?

If you were faced with this requirement, how would you approach it? I'm not even sure where to start. I do know that it cannot be role driven, so I intend to create a security group to control access.

Thanks for any input!

Karla

1 ACCEPTED SOLUTION

Brad Tilton
ServiceNow Employee

Yeah, that does indicate an ACL issue. It looks like your ACL is actually running against the active field. Change Active to None on the ACL and see what happens.



6 REPLIES

Brad Tilton
ServiceNow Employee

You could do something like that with a security group like you've said. You'll likely need to do some updates in 2 different places. The first will be modifying access controls and the second is modifying any query business rules like Incident query.


kchorny
Tera Guru

Thanks for the jump start. Here's what I've done so far:

1. Created a security group called Customer Managers

2. Added a self-service user to that group for testing

3. Created a Company Incidents module in the Self-Service application which displays only active incidents belonging to My Company (dynamic query).

4. Modified the global incident query business rule.

        - it used to be this:

                  if (!gs.hasRole("itil") && gs.isInteractive()) {
                      var u = gs.getUserID();
                      var qc = current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
                      gs.print("query restricted to user: " + u);
                  }

        - now it is this (although probably incorrect - I always get the conditions of reference fields wrong):

                  if (!gs.hasRole("itil") && gs.isInteractive()) {
                      var u = gs.getUserID();
                      var uComp = u.company;
                      if (u.isMemberOf('Customer Managers')) {
                          var qc = current.addQuery("company", uComp.name);
                      }
                      else {
                          var qc = current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
                          gs.print("query restricted to user: " + u);
                      }
                  }

5. I also created an ACL (which I have no experience with, so am winging it) that looks like this with no role requirements:


acl.JPG



When logged in as the user mentioned in #2, the Company Incidents link yields no results, even though there are active incidents for that company. What am I missing/doing wrong?  



Thanks!


Karla


Brad Tilton
ServiceNow Employee

Hi Karla,



I think you're close, but you can't dot-walk from the user object. Try this instead in your query business rule:



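if (!gs.hasRole("itil") && gs.isInteractive()) {
  var u = gs.getUserID();            // sys_id, still needed by the fallback query below
  var myUserObject = gs.getUser();   // user object that exposes the helper methods
  var uComp = myUserObject.getCompanyID();
  // Group members with a company set see every incident for that company
  if (myUserObject.isMemberOf('Customer Managers') && uComp != '') {
    var qc = current.addQuery("company", uComp);
  } else {
    // Everyone else keeps the original restriction to their own incidents
    var qc = current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
    gs.print("query restricted to user: " + u);
  }
}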


kchorny
Tera Guru

Thanks, Brad. That gets me closer, I believe. Now, instead of an empty list, I get "Number of rows removed from this list by Security constraints: 1" (which is the correct number of incidents that are active for this customer in dev). Does this indicate a problem with the ACL?
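
Added example, not part of the original posts and not ServiceNow code: a plain-JavaScript model of why widening only the query business rule produces the "rows removed by Security constraints" message until a row-level read ACL grants the same rows. The function names, users, incidents and the "passing any one row ACL grants the row" simplification are assumptions.

```javascript
// Plain-JavaScript model of the two layers in this thread; not Glide code.
// Function names, users and incident records are constructed for illustration.
const GROUP = 'Customer Managers';
const isOwn = (u, i) => i.caller_id === u.id || i.opened_by === u.id ||
                        i.watch_list.includes(u.id);

// Layer 1: the query business rule, modelled as a row filter.
function queryRuleMatches(user, inc) {
  if (user.roles.includes('itil')) return true;
  // Empty-company guard: without it a manager with no company set would
  // match every incident whose company field is also empty.
  if (user.groups.includes(GROUP) && user.company !== '') {
    return inc.company === user.company;
  }
  return isOwn(user, inc);
}

// Layer 2: row-level read ACLs; passing any one of them grants the row.
const ownRecordAcl = (u, i) => u.roles.includes('itil') || isOwn(u, i);
const companyManagerAcl = (u, i) =>
  u.groups.includes(GROUP) && u.company !== '' && i.company === u.company;

// Rows the list shows, plus how many the ACL layer dropped after the query.
function listIncidents(user, incidents, rowAcls) {
  const queried = incidents.filter(i => queryRuleMatches(user, i));
  const visible = queried.filter(i => rowAcls.some(acl => acl(user, i)));
  return { visible: visible.map(i => i.number),
           removedBySecurity: queried.length - visible.length };
}

// Constructed sample data.
const incidents = [
  { number: 'INC0001', company: 'acme', caller_id: 'emp1', opened_by: 'emp1', watch_list: [] },
  { number: 'INC0002', company: 'globex', caller_id: 'emp2', opened_by: 'emp2', watch_list: [] },
  { number: 'INC0003', company: '', caller_id: 'emp3', opened_by: 'emp3', watch_list: [] },
];
const manager = { id: 'mgr1', roles: [], groups: [GROUP], company: 'acme' };
const noCompany = { id: 'mgr2', roles: [], groups: [GROUP], company: '' };

// Query rule widened, ACL not: the row is fetched, then hidden.
console.log(listIncidents(manager, incidents, [ownRecordAcl]));
// Both layers agree: the company's incident is visible.
console.log(listIncidents(manager, incidents, [ownRecordAcl, companyManagerAcl]));
// No company set: falls back to own incidents, of which there are none.
console.log(listIncidents(noCompany, incidents, [ownRecordAcl, companyManagerAcl]));
```

The query rule only decides which rows are fetched; the ACL decides which of them the user may read, so the group and company condition has to be expressed in both.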