ACL to restrict members of a child assignment group from seeing tickets assigned to the parent group

ESL
ServiceNow Employee

My Helpdesk group structure is like this: Global is the parent group, with several child groups for local support.

We want to restrict child group members so that they can only access the incident tickets assigned to them.
I tried the two methods below for the incident ACL, but child group members can still access the tickets assigned to the parent group.

1) Condition:

Assignment group is (Dynamic) one of my groups

2) Script:

answer = gs.getUser().isMemberOf(current.assignment_group);

 

Please advise how to use the script to restrict this, and if you have a best practice for this kind of design, I would appreciate it if you could share it with me.

Many thanks.

 

1 ACCEPTED SOLUTION

Hi,

As suggested above, please configure the new ACL as per the steps provided above.

A possible reason this is not working is that there are OOB ACL rules present on the Incident table, and if any of them evaluates to true and gives access to one of the local child groups, its members will get access to the records/tickets assigned to the parent group.

So to solve this, you also need to modify the existing ACLs as per the steps mentioned below:

1) ACL 1: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=2ae9f9625f011000b12e3572f2b477de

Replace "instance" with your instance name.

// Approver read rule: only run the OOB approver check for members of the assignment group.
var getGroup = current.assignment_group.getDisplayValue();
if (gs.getUser().isMemberOf(getGroup)) {
	answer = new ApproverUtils().canApproversRead();
} else {
	answer = false;
}

2) ACL 2: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=7da37832c0a801662678a235d68675c6

Replace "instance" with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if(gs.getUser().isMemberOf(getGroup)){
	answer = true;
}else{
	answer = false;
}

3) ACL 3: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=7da3bda1c0a801667dc88c1e9527f776

Replace "instance" with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if (gs.getUser().isMemberOf(getGroup)) {
    // Assign the result to answer; without the assignment the expression is evaluated and discarded.
    answer = current.opened_by == gs.getUserID() || current.caller_id == gs.getUserID() || current.watch_list.indexOf(gs.getUserID()) > -1;
} else {
    answer = false;
}

4) ACL 4: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=be7ff3d1870033000e56d61e36cb0b5b

Replace "instance" with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if(gs.getUser().isMemberOf(getGroup)){
	answer = true;
}else{
	answer = false;
}

5) ACL 5: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=5f7492d487213300c386d61e36cb0b40

Replace "instance" with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if(gs.getUser().isMemberOf(getGroup)){
	answer = true;
}else{
	answer = false;
}

 

Check if this works for you or not, and we can look further based on your response.

Regards,

Shloke


7 REPLIES

shloke04
Kilo Patron

Hi,

Please create a Read operation, table-level ACL on the Incident table and use it as below:

As far as I am aware, child groups will have access only when they are also part of the parent group. If they are not part of it, they cannot access the parent group's tickets.

The approach below should work for you. Let me know in case you run into trouble here.

Script:

// Grant read only when the logged-in user is a member of the ticket's assignment group.
var getGroup = current.assignment_group.getDisplayValue();
if (gs.getUser().isMemberOf(getGroup)) {
	answer = true;
} else {
	answer = false;
}

Hope this helps. Please mark the answer as correct/helpful based on impact.

Regards,
Shloke


ESL
ServiceNow Employee

Hi, thank you for the reply.

I have tried this one; the Local_A group cannot see the tickets assigned to Local_B, but it can still access the tickets assigned to the Global team.

I don't want the Local_A group to be able to access the tickets assigned to the Global team.
Is it necessary to compare the sys_id of the group?

Thanks.


ESL
ServiceNow Employee

Hi Shloke04,

Thanks for the response. I have added the script to those OOTB incident ACLs. Here are my test results.

I created 5 incidents: 2 for Global, 2 for US, 1 for Canada.


When I impersonate a Helpdesk_USA user or a Helpdesk_Canada user, both the Local and the Global tickets can be accessed.


But when I impersonate a Helpdesk_Global user, only the Global tickets can be accessed.


It's the exact opposite of what I expected. I think a Global user should be able to access all tickets, both Global and Local, and a Local user should only be able to access the Local tickets. Maybe I need to check the parent-child relationship between the groups.

 

Many thanks
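Added example (not from the thread, and not ServiceNow's own code): a stand-alone Node.js model of the two mechanisms this thread runs into, so the behaviour can be reasoned about without an instance. First, the point made in the accepted solution: several read ACLs on the same table and operation combine with OR, so a user who passes any one of them gets the record, and a new restrictive rule changes nothing while an untouched out-of-box rule still returns true. Second, the test result in the last post: a Helpdesk_USA member can read Global tickets but a Global member cannot read USA tickets. That is what you get when "is the user in the assignment group" is answered with the platform's group list, which, as far as I understand GlideUser.getMyGroups()/isMemberOf() and consistent with the screenshots described above, rolls membership in a child group up to its parent groups (the "one of my groups" dynamic condition is backed by the same list). The model compares groups by sys_id, which is what current.getValue('assignment_group') gives you in a real ACL script, and places a direct-membership check and a parent-sees-children check side by side. Group names, user names, roles and incident numbers are constructed test data; the short sys_id tags stand in for the 32-character GUIDs a real instance uses.

```javascript
"use strict";

// Constructed group hierarchy modelled on the thread: sys_id -> { name, parent }.
// Real sys_ids are 32-character hex GUIDs; short tags are used for readability.
const GROUPS = {
  g_global: { name: "Global", parent: null },
  g_usa: { name: "Helpdesk_USA", parent: "g_global" },
  g_canada: { name: "Helpdesk_Canada", parent: "g_global" },
};

// Constructed sys_user_grmember rows: user -> the groups they are DIRECTLY in.
const DIRECT_MEMBERSHIP = {
  global_agent: new Set(["g_global"]),
  usa_agent: new Set(["g_usa"]),
  canada_agent: new Set(["g_canada"]),
};

// Constructed role assignments: every agent holds itil, as on a typical instance.
const ROLES = {
  global_agent: new Set(["itil"]),
  usa_agent: new Set(["itil"]),
  canada_agent: new Set(["itil"]),
};

// Membership the way the platform's group list reports it (assumption, consistent
// with the thread's test result): being in a child group also counts as being in
// every ancestor group, so a Helpdesk_USA member "is a member of" Global.
function rolledUpGroups(user) {
  const out = new Set();
  for (const g of DIRECT_MEMBERSHIP[user] || []) {
    for (let cur = g; cur !== null; cur = GROUPS[cur].parent) out.add(cur);
  }
  return out;
}

// Membership checked only against the direct sys_user_grmember rows, by sys_id.
function isDirectMember(user, groupSysId) {
  return (DIRECT_MEMBERSHIP[user] || new Set()).has(groupSysId);
}

// True when the user is a direct member of groupSysId or of one of its ancestors:
// a Global member passes for a Helpdesk_USA ticket, a Helpdesk_USA member does not
// pass for a Global ticket ("parent sees its children").
function isMemberOfGroupOrAncestor(user, groupSysId) {
  for (let cur = groupSysId; cur !== null; cur = GROUPS[cur].parent) {
    if (isDirectMember(user, cur)) return true;
  }
  return false;
}

// Several ACLs on the same table and operation combine with OR: the user only has
// to pass one of them, so a new restrictive rule never removes access that an
// untouched existing rule still grants.
function evaluateRead(rules, user, incident) {
  return rules.some((rule) => rule(user, incident) === true);
}

// The rule posted in the thread, answered with rolled-up membership.
const ruleRolledUp = (user, inc) => rolledUpGroups(user).has(inc.assignment_group);
// The same rule answered with direct membership, compared by sys_id.
const ruleDirect = (user, inc) => isDirectMember(user, inc.assignment_group);
// Hierarchy-aware rule: parent group members may read child group tickets.
const ruleHierarchy = (user, inc) => isMemberOfGroupOrAncestor(user, inc.assignment_group);
// Stand-in for an out-of-box rule left untouched that still grants read to itil.
const ruleItilRole = (user, _inc) => ROLES[user].has("itil");

// Constructed incidents: one assigned to the parent group, one to a child group.
const INC_GLOBAL = { number: "INC0010001", assignment_group: "g_global" };
const INC_USA = { number: "INC0010002", assignment_group: "g_usa" };

// Incident numbers the user can read under the given set of ACL rules.
function visibleIncidents(rules, user) {
  return [INC_GLOBAL, INC_USA]
    .filter((inc) => evaluateRead(rules, user, inc))
    .map((inc) => inc.number);
}

// Visibility matrix: rule set -> user -> readable incidents.
function report() {
  const ruleSets = {
    "rolled-up membership (what the thread observed)": [ruleRolledUp],
    "direct membership by sys_id": [ruleDirect],
    "direct membership, one OOB itil rule left in place": [ruleDirect, ruleItilRole],
    "parent sees children": [ruleHierarchy],
  };
  const out = {};
  for (const [label, rules] of Object.entries(ruleSets)) {
    out[label] = {};
    for (const user of Object.keys(DIRECT_MEMBERSHIP)) {
      out[label][user] = visibleIncidents(rules, user);
    }
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

Run it with node; it prints which of the two constructed incidents each agent can read under each rule set. The "rolled-up" row reproduces the last post exactly (USA and Canada agents see Global, the Global agent sees only Global), the "direct" row is the restriction the question asks for, and the "parent sees children" row is the policy the poster says they expected. On an instance, isDirectMember corresponds to a GlideRecord query on sys_user_grmember filtered on user = gs.getUserID() and group = current.getValue('assignment_group'). Because of the OR semantics, that query only restricts anything once every other read ACL on incident that could still return true for these users has been tightened as well, which is why the accepted solution walks through each OOB rule rather than adding one new one.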