Access Restriction on RITM - Assignment Groups and Approvers
08-17-2022 08:18 AM
Hi
Our organisation requires us to restrict access to RITMs based on the assignment groups. For example, the members of assignment group A should be able to view only RITMs assigned to group A. When a member is in two assignment groups (A & B), he should be able to view only RITMs assigned to groups A & B. In addition to that, a person in 'requested_for' / 'opened_by' / 'watch_list' should also be able to view his RITMs.
As I am not confident with ACL, I created a before query business rule. The script below works well for the requirements above.
(function executeRule(current, previous /*null when async*/ ) {
    // Before-query business rule on sc_req_item. If the user is a member of Group A and does not
    // have the 'admin' role, narrow the query to requested items they requested, opened, watch,
    // or that are assigned to one of their groups. Users outside Group A are not filtered here.
    if (gs.getUser().isMemberOf('Group A') && !gs.hasRole('admin')) {
        var s = gs.getUserID();
        // getMyGroups() is the global helper that returns the sys_ids of the current user's groups,
        // so the last condition becomes "assignment_group IN <my groups>".
        current.addQuery("requested_for", s)
            .addOrCondition("opened_by", s)
            .addOrCondition("watch_list", "CONTAINS", s)
            .addOrCondition('assignment_group', getMyGroups());
    }
})(current, previous);
But, the issue is with the approvers. When an approver is a member of an assignment group, he cannot view the RITM that he is approving but can view its summary from the native view if that RITM is assigned to a group other than his.
If you strongly suggest using an ACL, I am not sure which one to use (as I found four relevant sc_req_item Read ACLs) and what to change.
I really appreciate your help if anyone can assist me with this.
Thank you in advance.
mm
Labels: Request Management
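To reason about what the query business rule above lets each kind of user see, here is an added example that is not part of the original post: a plain-JavaScript model of the rule's visibility predicate, with no ServiceNow APIs. The users, groups, sys_ids and the RITM record are all constructed sample data, and the `approvers` field stands in for the sysapproval_approver rows that the real query never consults. A second predicate, `canSeeWithApprovers`, is an assumed extension that also admits users who hold an approval on the record, so the approver case described in the thread can be exercised side by side with the original logic.

```javascript
// Added example (not from the thread): offline model of the before-query BR.
// Constructed sample data; sys_ids and group names are placeholders.
const users = {
  requester:    { sys_id: 'u_req', groups: ['Group A'],            roles: [] },
  groupBMember: { sys_id: 'u_b',   groups: ['Group A', 'Group B'], roles: [] },
  approver:     { sys_id: 'u_apr', groups: ['Group A'],            roles: ['approver_user'] },
  admin:        { sys_id: 'u_adm', groups: ['Group A'],            roles: ['admin'] },
  outsider:     { sys_id: 'u_out', groups: ['Group C'],            roles: [] },
};

// One RITM assigned to Group B, requested by u_req, awaiting approval from u_apr.
const ritmAssignedToB = {
  number: 'RITM0000001',          // constructed
  requested_for: 'u_req',
  opened_by: 'u_req',
  watch_list: [],
  assignment_group: 'Group B',
  approvers: ['u_apr'],            // stands in for sysapproval_approver rows
};

// Mirrors the posted rule: the query is only narrowed for Group A members
// without the admin role; everyone else keeps the unfiltered query.
function canSeeOriginal(user, ritm) {
  if (user.roles.includes('admin')) return true;
  if (!user.groups.includes('Group A')) return true;
  return ritm.requested_for === user.sys_id
      || ritm.opened_by === user.sys_id
      || ritm.watch_list.includes(user.sys_id)
      || user.groups.includes(ritm.assignment_group);
}

// Assumed extension: additionally allow a user who has an approval on the RITM.
function canSeeWithApprovers(user, ritm) {
  return canSeeOriginal(user, ritm) || ritm.approvers.includes(user.sys_id);
}

// Apply a predicate to a list of records, the way the BR narrows a list query.
function visibleNumbers(predicate, user, records) {
  return records.filter(r => predicate(user, r)).map(r => r.number);
}

// Run every user against the sample record under both predicates.
function runScenarios() {
  const out = {};
  for (const [name, user] of Object.entries(users)) {
    out[name] = {
      original: canSeeOriginal(user, ritmAssignedToB),
      withApprovers: canSeeWithApprovers(user, ritmAssignedToB),
    };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(runScenarios());
}
```

Running the scenarios shows the two points a reviewer of this rule would check first: the approver, who is in Group A but is neither requester, watcher nor in Group B, is filtered out by the original predicate and admitted only by the extended one, and a user outside Group A is never narrowed by this rule at all, so any restriction for them has to come from elsewhere (for example the table-level read ACL the reply below asks about).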
08-17-2022 08:22 AM
Hi,
The script you shared is fine.
Are you sure the approver user has table-level READ ACL?
If yes, then it should work fine.
Regards
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
08-17-2022 09:44 PM
Hi
Thank you so much for your quick response.
The approvers have the 'approver_user' role. I don't see any other roles that are mentioned in the sc_req_item READ ACL added to the approvers. I have found this ACL (Image 1) and thought this might be relevant. The conditional script was only up to "gs.hasRole('itil,sn_request_write')" before I made a change to it. First of all, I added that "sn_request_write" role to an approver group that includes the "approver_user" role. It didn't work. Then, I updated the script in the ACL to include "approver_user". It doesn't work either.
The "Requested record not found" message (Image 2) appears on the Approval Form on the portal when the approver clicks the link from the approval request notification.
Image 1
Image 2
Please guide me if I did anything wrong.
Thank you in advance.
mm
08-17-2022 10:14 PM
Hi,
If you disable the Query BR on RITM, is the approver user then able to view the record?
Regards
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
08-17-2022 10:52 PM
Of course. The approvers can view the record if that Query BR is disabled. But we need the access restrictions. Is there any better way to handle the situation?
Thank you.
mm