01-05-2022 05:29 PM
My Helpdesk group is set up like this: Global is the parent group, with some child groups for local support.
We want to restrict child group members so that they can access only the incident tickets assigned to them.
I tried the two methods below for the incident ACL, but child group members can still access the tickets assigned to the parent group.
1) Condition:
Assignment group is (Dynamic) one of my groups
2) Script:
answer = gs.getUser().isMemberOf(current.assignment_group);
Please advise how to use the script to restrict this, and if you have a best practice for this kind of design, I would appreciate it if you could share it with me.
Many thanks.
Labels: Incident Management
01-06-2022 02:48 AM
Hi,
As suggested above, please configure the new ACL as per the steps provided above.
A possible reason why this is not working is that there are OOB ACL rules present on the Incident table; if any of them evaluates to true and gives access to any of the local child groups, those users will get access to the records/tickets assigned to the parent group.
So to solve this, you need to modify the existing ACLs as well, as per the steps below:
1) ACL 1: Navigate to this link and add the script as shared below:
https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=2ae9f9625f011000b12e3572f2b477de
Replace "instance" with your instance name.
    // Only members of the assignment group reach the OOB approver check;
    // everyone else is denied outright.
    var getGroup = current.assignment_group.getDisplayValue();
    if (gs.getUser().isMemberOf(getGroup)) {
        answer = new ApproverUtils().canApproversRead();
    } else {
        answer = false;
    }
2) ACL 2: Navigate to this link and add the script as shared below:
https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=7da37832c0a801662678a235d68675c6
Replace "instance" with your instance name.
    // Read is allowed only for members of the assignment group.
    var getGroup = current.assignment_group.getDisplayValue();
    if (gs.getUser().isMemberOf(getGroup)) {
        answer = true;
    } else {
        answer = false;
    }
3) ACL 3: Navigate to this link and add the script as shared below:
https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=7da3bda1c0a801667dc88c1e9527f776
Replace "instance" with your instance name.
    // Members of the assignment group may read only if they opened the ticket,
    // are the caller, or are on the watch list. The result of the OOB expression
    // must be assigned to answer; otherwise the ACL leaves answer unset for them.
    var getGroup = current.assignment_group.getDisplayValue();
    if (gs.getUser().isMemberOf(getGroup)) {
        answer = current.opened_by == gs.getUserID() ||
            current.caller_id == gs.getUserID() ||
            current.watch_list.indexOf(gs.getUserID()) > -1;
    } else {
        answer = false;
    }
4) ACL 4: Navigate to this link and add the script as shared below:
https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=be7ff3d1870033000e56d61e36cb0b5b
Replace "instance" with your instance name.
    // Read is allowed only for members of the assignment group.
    var getGroup = current.assignment_group.getDisplayValue();
    if (gs.getUser().isMemberOf(getGroup)) {
        answer = true;
    } else {
        answer = false;
    }
5) ACL 5: Navigate to this link and add the script as shared below:
https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=5f7492d487213300c386d61e36cb0b40
Replace "instance" with your instance name.
    // Read is allowed only for members of the assignment group.
    var getGroup = current.assignment_group.getDisplayValue();
    if (gs.getUser().isMemberOf(getGroup)) {
        answer = true;
    } else {
        answer = false;
    }
Check whether this works for you, and we can look into it further based on your response.
Regards,
Shloke
01-05-2022 07:19 PM
Hi,
Please create a read-operation, table-level ACL on the Incident table and use the script below.
As far as I am aware, child groups only have access when they are also part of the parent group. If they are not part of it, they cannot access the parent group members' tickets.
The approach below should work for you. Let me know if you run into trouble here.
Script:
    // Allow read only when the current user is a member of the ticket's
    // assignment group (isMemberOf accepts the group name or sys_id).
    var getGroup = current.assignment_group.getDisplayValue();
    if (gs.getUser().isMemberOf(getGroup)) {
        answer = true;
    } else {
        answer = false;
    }
Hope this helps. Please mark the answer as correct/helpful based on impact.
Regards,
Shloke
01-05-2022 08:21 PM
Hi, thank you for the reply.
I have tried this one: the Local_A group cannot see the tickets assigned to Local_B, but it can still access the tickets assigned to the Global team.
I don't want the Local_A group to be able to access the tickets assigned to the Global team.
Is it necessary to compare the sys_id of the group?
Thanks.
01-06-2022 05:21 PM
Hi Shloke04,
Thanks for the response. I have added the script to those OOTB incident ACLs. Here is my test result.
I created 5 incidents: 2 for Global, 2 for US, 1 for Canada.
When I impersonate the Helpdesk_USA user or the Helpdesk_canada user, both the Local and the Global tickets can be accessed.
But when I impersonate the Helpdesk_global user, only the Global tickets can be accessed.
It's the exact opposite of what I expected: I think the Global user should be able to access all tickets, including global and local, and a local user should only be able to access the local tickets. Maybe I need to check the parent-child relationship between the groups.
Many thanks
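The result in the last reply (local users can read Global tickets, the Global user reads only Global ones) and the earlier question about comparing the group's sys_id can be worked through offline. The following is an added example, not code from this thread or from ServiceNow: it runs in Node, replaces gs.getUser().isMemberOf() and current.assignment_group with plain functions over constructed groups, memberships and incidents, and models three membership checks together with the platform rule the accepted answer relies on, that a read is granted as soon as any one of the applicable read ACLs answers true. The inherited-membership check is an assumption chosen to reproduce the observed result (membership of a child group counting as membership of its parent); the third check goes beyond the thread's scripts and gives a parent-group member access to tickets of every descendant group, which is what the last reply says was expected. All group, user and incident identifiers are hypothetical.

```javascript
// Added example (Node.js), not code from the thread or from ServiceNow.
// It models how several read ACLs on incident combine and how the group
// check in the posted scripts behaves, using constructed data in place of
// gs.getUser().isMemberOf() and current.assignment_group.

// Constructed sys_user_group rows: Global is the parent of both local groups.
const groups = {
  g_global: { name: 'Helpdesk_global', parent: null },
  g_usa:    { name: 'Helpdesk_USA',    parent: 'g_global' },
  g_canada: { name: 'Helpdesk_canada', parent: 'g_global' },
};

// Constructed sys_user_grmember rows: the groups each user is DIRECTLY in.
const membership = {
  user_global: ['g_global'],
  user_usa:    ['g_usa'],
  user_canada: ['g_canada'],
};

// Constructed incidents. INC1 was opened by the USA user so that an
// unmodified opener/caller read rule still matches when the group rule denies.
const incidents = [
  { number: 'INC1', assignment_group: 'g_global', opened_by: 'user_usa', caller_id: 'someone' },
  { number: 'INC2', assignment_group: 'g_usa',    opened_by: 'someone',  caller_id: 'someone' },
  { number: 'INC3', assignment_group: 'g_canada', opened_by: 'someone',  caller_id: 'someone' },
];

// The group itself followed by its parent chain, root last.
function selfAndAncestors(groupId) {
  const chain = [];
  for (let g = groupId; g; g = groups[g].parent) chain.push(g);
  return chain;
}

// Check 1 (assumption): membership of a child group counts as membership of
// its parent. This reproduces the result reported in the last reply.
function isMemberOfWithInheritance(userId, groupId) {
  return membership[userId].some((g) => selfAndAncestors(g).includes(groupId));
}

// Check 2: direct membership only, comparing the assignment_group sys_id
// against the user's own sys_user_grmember rows.
function isDirectMember(userId, groupId) {
  return membership[userId].includes(groupId);
}

// Check 3: the assignment group is one of the user's groups or sits below
// one of them, so a Global member also reads the local groups' tickets.
function isMemberOfGroupOrAncestorOf(userId, groupId) {
  return selfAndAncestors(groupId).some((g) => membership[userId].includes(g));
}

// Platform rule modelled here: with several read ACLs on the same table,
// access is granted as soon as any one of them answers true.
function canRead(userId, incident, readAcls) {
  return readAcls.some((acl) => acl(userId, incident));
}

// Incident numbers a user can read under a given set of read ACLs.
function visibleIncidents(userId, readAcls) {
  return incidents
    .filter((inc) => canRead(userId, inc, readAcls))
    .map((inc) => inc.number);
}

// ACL scripts as predicates over (user, record), like `answer = ...`.
const aclInherited = (u, inc) => isMemberOfWithInheritance(u, inc.assignment_group);
const aclDirect    = (u, inc) => isDirectMember(u, inc.assignment_group);
const aclTree      = (u, inc) => isMemberOfGroupOrAncestorOf(u, inc.assignment_group);
// Stands in for an OOB read rule left unmodified: opener or caller may read.
const aclOpenerCaller = (u, inc) => inc.opened_by === u || inc.caller_id === u;

// Side-by-side comparison of the checks for every constructed user.
function compareChecks() {
  const report = {};
  for (const user of Object.keys(membership)) {
    report[user] = {
      inherited:        visibleIncidents(user, [aclInherited]),
      direct:           visibleIncidents(user, [aclDirect]),
      directPlusOpener: visibleIncidents(user, [aclDirect, aclOpenerCaller]),
      tree:             visibleIncidents(user, [aclTree]),
    };
  }
  return report;
}

console.log(JSON.stringify(compareChecks(), null, 2));
```

Run it with node; the report shows the USA user reading INC1 and INC2 under the inherited check (the observed behaviour), only INC2 under the direct sys_id comparison, and the Global user reading all three only under the tree check. The directPlusOpener column makes the accepted answer's point: even with the group rule fixed, the stand-in OOB opener/caller rule still grants the USA user the Global ticket it opened, so every read rule on the table has to be reviewed, not just one.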