ACL to restrict the member in child assignment group to see the tickets which assigned to parent group.

ESL · ‎01-05-2022

My Helpdesk group is like this. Global is the parent group and some child groups for local support.

We want to restrict child group member can access the incident ticket which is assigned to them.
I tried below two methods for the incident ACL but the child group member still can access the tickets which assigned to the parent group.

1) Condition

Assignment group  is (Dynamic) one of my groups

2) Script for

answer = gs.getUser().isMemberOf(current.assignment_group);

Please advice if how to use the script to restrict this, and if you have the best practice for this kind of design, it will be appreciate if you can share to me.

Many thanks.

shloke04 · ‎01-06-2022

Hi,

As suggested above, please configure the new ACL as per steps provided above.

Reason which may be possible is for why this is not working is because there are OOB ACL rules present on Incident table and if any of them evaluates to True and gives access to any of the Local child group then they will get access to the records/tickets assigned to Parent Group.

So to solve this, you need to modify the existing ACL as well as per steps mentioned below:

1) ACL 1: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=2ae9f9625f011000b12e3572f2b477de

Replace "instance' with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if(gs.getUser().isMemberOf(getGroup)){
	answer = new ApproverUtils().canApproversRead();
}else{
	answer = false;
}

2) ACL 2: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=7da37832c0a801662678a235d68675c6

Replace "instance' with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if(gs.getUser().isMemberOf(getGroup)){
	answer = true;
}else{
	answer = false;
}

3) ACL 3: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=7da3bda1c0a801667dc88c1e9527f776

Replace "instance' with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if (gs.getUser().isMemberOf(getGroup)) {
    current.opened_by == gs.getUserID() || current.caller_id == gs.getUserID() || current.watch_list.indexOf(gs.getUserID()) > -1;
} else {
    answer = false;
}

4) ACL 4: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=be7ff3d1870033000e56d61e36cb0b5b

Replace "instance' with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if(gs.getUser().isMemberOf(getGroup)){
	answer = true;
}else{
	answer = false;
}

5) ACL 5: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=5f7492d487213300c386d61e36cb0b40

Replace "instance' with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if(gs.getUser().isMemberOf(getGroup)){
	answer = true;
}else{
	answer = false;
}

Check if this works for you or not and we can check further based on your response.

Regards,

Shloke

Hope this helps. Please mark the answer as correct/helpful based on impact.

Regards,
Shloke

View solution in original post

shloke04 · ‎01-05-2022

Hi,

Please create a Read Operation table Level ACL on Incident table and use as below:

Child Groups will be having access only when they are also part of Parent groups what I am aware of. If they are not part they cannot access parent group members tickets.

below approach should work for you. let me know in case you are facing a trouble here

Script:

var getGroup = current.assignment_group.getDisplayValue();
if(gs.getUser().isMemberOf(getGroup)){
	answer = true;
}else{
	answer = false;
}

Hope this helps. Please mark the answer as correct/helpful based on impact.

Regards,
Shloke

Hope this helps. Please mark the answer as correct/helpful based on impact.

Regards,
Shloke

ESL · ‎01-05-2022

Hi, Thank you for replay.

I have tried this one, the Local_A group cannot see the tickets assigned to Local_B but still can access the tickets assigned to Global team.

I don't want the Local_A group can access the tickets assigned to Global team.
Is it necessary to compare the sys_id of the group?

Thanks.

shloke04 · ‎01-06-2022

Hi,

As suggested above, please configure the new ACL as per steps provided above.

Reason which may be possible is for why this is not working is because there are OOB ACL rules present on Incident table and if any of them evaluates to True and gives access to any of the Local child group then they will get access to the records/tickets assigned to Parent Group.

So to solve this, you need to modify the existing ACL as well as per steps mentioned below:

1) ACL 1: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=2ae9f9625f011000b12e3572f2b477de

Replace "instance' with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if(gs.getUser().isMemberOf(getGroup)){
	answer = new ApproverUtils().canApproversRead();
}else{
	answer = false;
}

2) ACL 2: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=7da37832c0a801662678a235d68675c6

Replace "instance' with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if(gs.getUser().isMemberOf(getGroup)){
	answer = true;
}else{
	answer = false;
}

3) ACL 3: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=7da3bda1c0a801667dc88c1e9527f776

Replace "instance' with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if (gs.getUser().isMemberOf(getGroup)) {
    current.opened_by == gs.getUserID() || current.caller_id == gs.getUserID() || current.watch_list.indexOf(gs.getUserID()) > -1;
} else {
    answer = false;
}

4) ACL 4: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=be7ff3d1870033000e56d61e36cb0b5b

Replace "instance' with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if(gs.getUser().isMemberOf(getGroup)){
	answer = true;
}else{
	answer = false;
}

5) ACL 5: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=5f7492d487213300c386d61e36cb0b40

Replace "instance' with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if(gs.getUser().isMemberOf(getGroup)){
	answer = true;
}else{
	answer = false;
}

Check if this works for you or not and we can check further based on your response.

Regards,

Shloke

Hope this helps. Please mark the answer as correct/helpful based on impact.

Regards,
Shloke

ESL · ‎01-06-2022

Hi Shloke04

Thanks for response. I have add the script to those OOTB incident ACLs. I can show you my test result.

I created 5 incidents, 2 for global, 2 for US, 1 for Canada.

When I impersonate Helpdesk_USA user or Helpdesk_canada user, the Local and Global tickets can be accessed.

But when I impersonate Helpdesk_global user, only global tickets can be accessed.

It ’s the exact opposite of what I expected, I think Global user might access all tickets include global and local, and local user only can access the local tickets. Maybe I need to check the parent-child relationship between groups.

Many thanks