ACL script on ritm

zeeshan ahmed
Tera Contributor

Hello All,

 

I am creating a Read ACL on the RITM table. I have included the ITIL role in the role condition, and in the data condition Assignment group is dynamic "one of my groups" or Assigned to is dynamic "me" (this restriction is working as expected). Along with this, I also want catalog task assignment group members to be able to see RITMs. How do I include this in the ACL script?

Note: I don't want to use query Business Rule.

Thanks in advance

1 ACCEPTED SOLUTION

@zeeshan ahmed I've created a new Read ACL on the sc_req_item table with the script below, and it's working as expected.

// Deny by default; only flip to true on a positive match
answer = false;
var groups = [];

// Collect the assignment groups of every catalog task under this RITM
var tasks = new GlideRecord('sc_task');
tasks.addEncodedQuery('request_item=' + current.sys_id);
tasks.query();
while (tasks.next()) {
    if (!gs.nil(tasks.assignment_group)) {
        groups.push(tasks.getDisplayValue('assignment_group'));
    }
}

// Grant read if the logged-in user is a member of any of those groups
for (var i = 0; i < groups.length; i++) {
    if (gs.getUser().isMemberOf(groups[i])) {
        answer = true;
        break;
    }
}

 


7 REPLIES

J Siva
Tera Sage

Hi @zeeshan ahmed 

Try the script below. It will fetch the SC task assignment groups and validate whether the currently logged-in user is part of the group or not. Additionally, create a separate ACL for this instead of updating the existing one. This will make it easier to manage.

// Deny by default; only flip to true on a positive match
answer = false;
var groups = [];

// Collect the assignment groups of every catalog task under this RITM
var tasks = new GlideRecord('sc_task');
tasks.addEncodedQuery('request_item=' + current.sys_id);
tasks.query();
while (tasks.next()) {
    if (!gs.nil(tasks.assignment_group)) {
        groups.push(tasks.getDisplayValue('assignment_group'));
    }
}

// Grant read if the logged-in user is a member of any of those groups
for (var i = 0; i < groups.length; i++) {
    if (gs.getUser().isMemberOf(groups[i])) {
        answer = true;
        break;
    }
}

Regards,
Siva
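The reason Siva recommends a separate ACL rather than extending the existing one is how ServiceNow combines access checks: within a single ACL the role condition, the data condition and the script are all required to pass (AND), while several ACLs that match the same table and operation grant access if any one of them passes (OR). The following is an added, in-memory model of that rule written for this thread; it is not ServiceNow code (no GlideRecord or gs), and the user, RITM, task and group identifiers are constructed sample data. It shows why adding the catalog-task check to the existing ACL's script would narrow access instead of widening it, and why the script should start from a default-deny `answer = false`.

```javascript
// Added example: models ServiceNow ACL combination (roles AND condition AND
// script within one ACL; any matching ACL grants access). Not ServiceNow API.

// Constructed sample data; sys_ids and group names are hypothetical.
const user = { sysId: 'u1', roles: ['itil'], groups: ['g_network'] };
const ritm = { sysId: 'ritm1', assignmentGroup: 'g_service_desk', assignedTo: 'u9' };

// Catalog tasks; t2 has no assignment group, t3 belongs to another RITM.
const scTasks = [
  { sysId: 't1', requestItem: 'ritm1', assignmentGroup: 'g_network' },
  { sysId: 't2', requestItem: 'ritm1', assignmentGroup: '' },
  { sysId: 't3', requestItem: 'ritm2', assignmentGroup: 'g_network' },
];

// The OP's existing data condition: assignment group is one of my groups,
// OR assigned_to is me.
function ritmDataCondition(u, r) {
  return u.groups.includes(r.assignmentGroup) || r.assignedTo === u.sysId;
}

// The accepted answer's script condition: member of any linked task's group.
// Starts from deny and only flips on a positive match.
function taskGroupScript(u, r, tasks) {
  let answer = false;
  for (const t of tasks) {
    if (t.requestItem !== r.sysId || !t.assignmentGroup) continue; // skip other RITMs / empty groups
    if (u.groups.includes(t.assignmentGroup)) { answer = true; break; }
  }
  return answer;
}

// One ACL passes only when every part it defines passes.
function aclPasses(acl, u, r, tasks) {
  const roleOk = acl.roles.every(role => u.roles.includes(role));
  const condOk = acl.condition ? acl.condition(u, r) : true;
  const scriptOk = acl.script ? acl.script(u, r, tasks) : true;
  return roleOk && condOk && scriptOk;
}

// Access is granted if any ACL for the table/operation passes.
function canRead(acls, u, r, tasks) {
  return acls.some(acl => aclPasses(acl, u, r, tasks));
}

// Option A: script added to the existing ACL (ANDed with its data condition).
const existingAclWithScript = { roles: ['itil'], condition: ritmDataCondition, script: taskGroupScript };
// Option B: existing ACL untouched, plus a second ACL carrying only the script.
const existingAcl = { roles: ['itil'], condition: ritmDataCondition, script: null };
const taskGroupAcl = { roles: ['itil'], condition: null, script: taskGroupScript };

function optionA() { return canRead([existingAclWithScript], user, ritm, scTasks); }
function optionB() { return canRead([existingAcl, taskGroupAcl], user, ritm, scTasks); }

// optionA() -> false : u1 fails the RITM data condition, so the script never helps
// optionB() -> true  : the second ACL grants read via task t1's assignment group
```

Two practical points follow from the model: a user without the ITIL role is still denied under option B because the new ACL carries the same role, and a user who is in none of the task groups stays denied because the script begins with `answer = false`. On a real instance the script runs once per RITM row, so a list of N RITMs issues N sc_task queries; keep the query narrow (request_item only) as the answers above do.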

Deepak Shaerma
Kilo Sage

Hi @zeeshan ahmed 

Please check the Advanced box and use the ACL script to achieve this requirement; the script is only needed for these types of dynamic conditions.
Sample Script:

// Assign the IIFE's result so the ACL gets an explicit answer
answer = (function() {
    var userID = gs.getUserID();

    // Check if the user is the Assigned to on the RITM
    if (current.getValue('assigned_to') == userID) {
        return true;
    }

    // Check if the user is in the RITM assignment group
    // (GlideUser.isMemberOf() accepts the group sys_id or name)
    if (!current.assignment_group.nil()) {
        if (gs.getUser().isMemberOf(current.getValue('assignment_group'))) {
            return true;
        }
    }

    // Now check if the user is a member of ANY catalog task's assignment group linked to this RITM
    // Catalog tasks are linked to the RITM by the request_item field on sc_task
    var taskGR = new GlideRecord('sc_task');
    taskGR.addQuery('request_item', current.sys_id);
    taskGR.query();
    while (taskGR.next()) {
        var taskAssignmentGroup = taskGR.getValue('assignment_group');
        if (taskAssignmentGroup && gs.getUser().isMemberOf(taskAssignmentGroup)) {
            return true;
        }
    }

    // If none of the above, deny access
    return false;
})();

If this helps you, please mark my response as Helpful and Accepted Solution. It will help other community members as well.
Regards,
Deepak Sharma



SumanthDosapati
Mega Sage

@zeeshan ahmed 

Something like this should work

// Get current user ID
var userId = gs.getUserID();

// Deny by default; flip to true on the first match
answer = false;

// Query sc_task linked to this RITM
var taskGR = new GlideRecord('sc_task');
taskGR.addQuery('request_item', current.sys_id);
taskGR.query();

while (taskGR.next()) {
    // Check if the user is Assigned to on the task
    if (taskGR.getValue('assigned_to') == userId) {
        answer = true;
        break;
    }

    // Check if the user is a member of the task's Assignment group
    if (!taskGR.assignment_group.nil()) {
        var groupMemberGR = new GlideRecord('sys_user_grmember');
        groupMemberGR.addQuery('group', taskGR.getValue('assignment_group'));
        groupMemberGR.addQuery('user', userId);
        groupMemberGR.query();

        if (groupMemberGR.hasNext()) {
            answer = true;
            break;
        }
    }
}
// answer stays false if nothing matched, so no reset is needed after the loop

Accept the solution and mark as helpful if it does, to benefit future readers.
Regards,
Sumanth

Ankur Bawiskar
Tera Patron

@zeeshan ahmed 

You can use an advanced script.

Share what script you started with and where you are stuck.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader