Access Restriction on RITM - Assignment Groups and Approvers
‎08-17-2022 08:18 AM
Hi
Our organisation requires us to restrict access to RITMs based on the assignment groups. For example, the members of assignment group A should be able to view only RITMs assigned to group A. When a member is in two assignment groups (A & B), he should be able to view only RITMs assigned to groups A & B. In addition to that, a person in 'requested_for' / 'opened_by' / 'watch_list' should also be able to view his RITMs.
As I am not confident with ACL, I created a before query business rule. The script below works well for the requirements above.
(function executeRule(current, previous /*null when async*/ ) {
    // If the user is part of Group A and does not have the 'admin' role, show requested items
    // assigned to them and any requested items they have created
    if (gs.getUser().isMemberOf('Group A') && !gs.hasRole('admin')) {
        var s = gs.getUserID();
        var qc2 = current.addQuery("requested_for", s)
            .addOrCondition("opened_by", s)
            .addOrCondition("watch_list", "CONTAINS", s)
            .addOrCondition('assignment_group', getMyGroups());
    }
})(current, previous);
But, the issue is with the approvers. When an approver is a member of an assignment group, he cannot view the RITM that he is approving but can view its summary from the native view if that RITM is assigned to a group other than his.
If you strongly suggest using an ACL, I am not sure which one to use (as I found four relevant sc_req_item Read ACLs) and what to change.
I really appreciate your help if anyone can assist me with this.
Thank you in advance.
mm
‎08-17-2022 10:59 PM
Hi,
It means that the query BR is restricting.
Are those approver users part of Group A, which you are checking in the BR script?
Regards
Ankur
‎08-17-2022 11:00 PM
Yes, they are.
‎08-22-2022 03:58 PM
Hi
If there is any better way to handle the situation instead of disabling the BR, could you kindly advise me?
Thank you.
mm
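
The approver gap described in this thread comes from the query rule having no clause that matches a RITM the user approves. The following is an added example, not code from any poster: it builds the same OR filter as an encoded query string (which a query rule could pass to current.addEncodedQuery) with one extra clause for approvals, and accepts only well-formed sys_ids. The function names and the approvalRitmIds input (RITM sys_ids the rule would collect from the user's sysapproval_approver records) are assumptions.

```javascript
// Added example. Sys_ids are constructed; approvalRitmIds is a hypothetical input.
var SYS_ID = /^[0-9a-f]{32}$/;

// Keep only well-formed, de-duplicated sys_ids so that no value can carry
// "^" or "^OR" into the encoded query and widen the filter.
function cleanIds(ids) {
    var seen = {};
    return (ids || []).map(String).filter(function (id) {
        if (!SYS_ID.test(id) || seen[id]) { return false; }
        seen[id] = true;
        return true;
    });
}

// userId: current user's sys_id.
// groupIds: sys_ids of the user's groups, as a plain array.
// approvalRitmIds: sys_ids of RITMs the user is an approver on.
function buildRitmVisibilityQuery(userId, groupIds, approvalRitmIds) {
    if (!SYS_ID.test(String(userId))) {
        throw new Error('userId is not a sys_id');
    }
    var clauses = [
        'requested_for=' + userId,
        'opened_by=' + userId,
        'watch_listLIKE' + userId // LIKE is the encoded form of CONTAINS
    ];
    var groups = cleanIds(groupIds);
    if (groups.length) { clauses.push('assignment_groupIN' + groups.join(',')); }
    var approvals = cleanIds(approvalRitmIds);
    if (approvals.length) { clauses.push('sys_idIN' + approvals.join(',')); }
    return clauses.join('^OR'); // one OR group, same shape as the rule's chain
}

// Constructed sample: 32-character ids made of one repeated hex digit.
function fakeId(ch) { return new Array(33).join(ch); }

function sampleQuery() {
    return buildRitmVisibilityQuery(fakeId('a'), [fakeId('b'), fakeId('c')], [fakeId('d')]);
}
```

Empty group or approval lists drop their clause entirely rather than emitting an IN with no values.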