Facing issue in setting the ACL as per the requirement.
08-06-2024 05:36 AM
Hello ServiceNow Community,
We are working on a requirement where we need to add a new “Confidential” checkbox to incident tickets and requests, and also to Service Operations Workspace incidents and requests. When this checkbox is checked, we want the record to be visible only to specific users under the following conditions:
• Requester or Caller
• Member of the Assigned Group
• Assigned to User
• User on the Ticket’s Watchlist
• System Administrator
• New role: Confidential Viewer
We want to ensure that no other IT support staff have visibility of these tickets when the “Confidential” checkbox is checked. Additionally, we currently have a read ACL for the ITIL role on the incident table.
Could anyone please advise on the best approach to implement this functionality in ServiceNow? Any guidance on how to configure the visibility settings, adjust the ACLs, or best practices for handling such security requirements would be greatly appreciated.
Thank you in advance for your assistance.
08-06-2024 06:04 AM
Hello @jaymala_marathe ,
Let's break down this requirement into 2 sub-requirements:
1. All users should be able to read incidents except the ones with confidential = true
2. Specific users should be able to read all the incidents, including confidential = true
A read ACL for the itil role is already provided.
You can use both a Query Business Rule & an ACL in combination to fulfil this requirement.
-> In order to hide the error (Security constraint...) from users who should not see the record with confidential = true, a Query BR should be applied at the record level.
-> In order to have highly efficient security at the field level, an ACL is the best option.
So both would serve your purpose.
Post development, use Access Analyzer to get a clear picture of resource-level access restrictions.
Let me know if you need any further inputs.
Kindly mark this as Accepted Solution/Helpful if the above info helps in any way and help in closing this thread.
Regards,
Shubham
08-06-2024 06:04 AM
I would adjust the query business rule for this. It prevents the annoying 'security constraints prevent...' message. You can go through ACLs, but there already are a lot of them and you would need to ensure that all of them also check the checkbox.
(function executeRule(current, previous /*null when async*/) {
    // Query business rule on the incident table. It runs before every query, so
    // 'current' carries no field values here; restrictions must be added as
    // query terms rather than read from current.u_confidential.
    var userId = gs.getUserID();

    // Confidential viewers and admins may see every record
    if (gs.hasRole('confidential_viewer') || gs.hasRole('admin')) {
        return;
    }

    // Collect the sys_ids of the groups the current user belongs to
    var groupIds = [];
    var grMember = new GlideRecord('sys_user_grmember');
    grMember.addQuery('user', userId);
    grMember.query();
    while (grMember.next()) {
        groupIds.push(grMember.getValue('group'));
    }

    // Non-confidential records stay visible; confidential ones only when the user
    // is the caller, opener, assignee, a watcher, or a member of the assigned group
    var qc = current.addQuery('u_confidential', 'false');
    qc.addOrCondition('caller_id', userId);
    qc.addOrCondition('opened_by', userId);
    qc.addOrCondition('assigned_to', userId);
    qc.addOrCondition('watch_list', 'CONTAINS', userId);
    if (groupIds.length > 0) {
        qc.addOrCondition('assignment_group', 'IN', groupIds.join(','));
    }
})(current, previous);
It could be something like this, although I didn't test it, due to a sleeping PDI.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
08-12-2024 06:06 AM
Updated Requirement: If a user has the ITIL role, they should only be able to view records where the confidential checkbox is set to true. The ACL will remain unchanged. Create a business rule where, if the logged-in user has both the ITIL and Confidential Viewer roles, they should only be able to see records with the confidential checkbox set to true.
08-12-2024 06:09 AM