ACL to restrict members of a child assignment group from seeing tickets assigned to the parent group.

ESL
ServiceNow Employee

My Helpdesk group is set up like this: Global is the parent group, and there are some child groups for local support.


We want to restrict child group members so they can access only the incident tickets assigned to them.
I tried the two methods below for the incident ACL, but child group members can still access the tickets assigned to the parent group.

1) Condition:

Assignment group is (Dynamic) one of my groups

2) Script:

answer = gs.getUser().isMemberOf(current.assignment_group);


Please advise how to use the script to restrict this, and if you have a best practice for this kind of design, I would appreciate it if you could share it with me.

Many thanks.


1 ACCEPTED SOLUTION

Hi,

As suggested above, please configure the new ACL as per the steps provided above.

The likely reason this is not working is that there are OOB ACL rules on the Incident table, and if any of them evaluates to true and grants access to a local child group, its members will get access to the records/tickets assigned to the parent group.

So to solve this, you also need to modify the existing ACLs, following the steps below:

1) ACL 1: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=2ae9f9625f011000b12e3572f2b477de

Replace "instance" with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if (gs.getUser().isMemberOf(getGroup)) {
    answer = new ApproverUtils().canApproversRead();
} else {
    answer = false;
}

2) ACL 2: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=7da37832c0a801662678a235d68675c6

Replace "instance" with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if (gs.getUser().isMemberOf(getGroup)) {
    answer = true;
} else {
    answer = false;
}

3) ACL 3: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=7da3bda1c0a801667dc88c1e9527f776

Replace "instance" with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if (gs.getUser().isMemberOf(getGroup)) {
    // the result of the comparison must be assigned to answer, otherwise the ACL never grants access
    answer = current.opened_by == gs.getUserID() || current.caller_id == gs.getUserID() || current.watch_list.indexOf(gs.getUserID()) > -1;
} else {
    answer = false;
}

4) ACL 4: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=be7ff3d1870033000e56d61e36cb0b5b

Replace "instance" with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if (gs.getUser().isMemberOf(getGroup)) {
    answer = true;
} else {
    answer = false;
}

5) ACL 5: Navigate to this link and add the script as shared below:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=5f7492d487213300c386d61e36cb0b40

Replace "instance" with your instance name.

var getGroup = current.assignment_group.getDisplayValue();
if (gs.getUser().isMemberOf(getGroup)) {
    answer = true;
} else {
    answer = false;
}


Check whether this works for you, and we can investigate further based on your response.

Regards,

Shloke



ESL
ServiceNow Employee

@shloke04 

Hi, good day. I have checked the design of the user groups.
The Local group members belong to Helpdesk_Global and Helpdesk_Local at the same time, so if we use this script, local users can access both global and local tickets.

But the Global members belong only to the global group, so only Global tickets can be accessed.


Yes, I was checking the same thing. When we execute the statement below, OOB it returns true if there is a parent-child relationship between the groups:

gs.getUser().isMemberOf('Group Name');

So for a child group member it will always return true when validated against the parent group as well.

Regards,

Shloke
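To make the effect of that behaviour concrete, here is an added example (not code from the thread or from ServiceNow) that models the two membership semantics over a constructed copy of the group hierarchy from this thread: a hierarchical check, modelled on the isMemberOf() behaviour Shloke describes, versus a direct check that only looks for an explicit membership row, which is what an ACL script would get from a GlideRecord query on sys_user_grmember. All sys_ids and users below are made up for the example.

```javascript
// Constructed sample data, shaped like sys_user_group (with its parent field)
// and sys_user_grmember; every sys_id here is made up for this example.
const groups = {
  g_global: { name: 'Helpdesk_Global', parent: null },
  g_local:  { name: 'Helpdesk_Local',  parent: 'g_global' },
};
const memberships = [
  { user: 'u_alice', group: 'g_local' },  // local support agent
  { user: 'u_bob',   group: 'g_global' }, // global agent
];

// Direct membership: is there a sys_user_grmember row for (user, group)?
// In a real ACL script this corresponds to a GlideRecord query on
// sys_user_grmember with user = gs.getUserID() and
// group = current.assignment_group, instead of gs.getUser().isMemberOf().
function isDirectMember(userId, groupId) {
  return memberships.some(m => m.user === userId && m.group === groupId);
}

// Hierarchical membership, modelling the isMemberOf() behaviour described in
// the thread: a direct member of any descendant group also counts as a
// member of the ancestor group, so child-group members "belong" to the parent.
function isHierarchicalMember(userId, groupId) {
  const descendants = Object.keys(groups).filter(id => {
    for (let cur = id; cur; cur = groups[cur].parent) if (cur === groupId) return true;
    return false;
  });
  return descendants.some(d => isDirectMember(userId, d));
}

// Evaluate a read ACL for one ticket under a given membership rule;
// the return value plays the role of the ACL script's `answer`.
function canRead(userId, ticket, rule) {
  return rule(userId, ticket.assignment_group);
}

const ticketGlobal = { number: 'INC0001', assignment_group: 'g_global' };
const ticketLocal  = { number: 'INC0002', assignment_group: 'g_local' };

// Side-by-side: the hierarchical rule lets the local agent read the
// parent group's ticket; the direct rule does not.
for (const [user, ticket] of [['u_alice', ticketGlobal], ['u_alice', ticketLocal], ['u_bob', ticketLocal]]) {
  console.log(user, ticket.number,
    'hierarchical:', canRead(user, ticket, isHierarchicalMember),
    'direct:', canRead(user, ticket, isDirectMember));
}
```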
