For the ITAM User Group, I need to make some fields of the Computer table read-only.

AbdurRahmanSnow
Giga Guru

Good evening. 
I have a requirement that, for the ITAM User Group (sys_id), I need to make some fields of the Computer table read-only. To achieve this, I used a UI Policy script instead of an ACL.

The code works, but I suspect there might be an error in it that could affect other groups. The script is below:

function onCondition() {
    var itamUserGroupSysId = '7bbedbcf1b7bcad8ebbfec60f54bcb30';
   
    // Get the current user's groups
    var userGroups = gs.getUser().getMyGroups();
   
    // Check if the user belongs to the ITAM User Group
    var isITAMUser = false;
    while (userGroups.next()) {
        if (userGroups.sys_id == itamUserGroupSysId) {
            isITAMUser = true;
            break;
        }
    }
  
    // Return true if the user is in the ITAM User Group
    return isITAMUser;
}
3 ACCEPTED SOLUTIONS

Viraj Hudlikar
Giga Sage

Hello @AbdurRahmanSnow

Your script looks mostly correct, but there are a few improvements and corrections you can make to ensure it works as intended without affecting other groups. Here's a revised version of your script:

 

function onCondition() {
    var itamUserGroupSysId = '7bbedbcf1b7bcad8ebbfec60f54bcb30';
   
    // Get the current user's groups
    var userGroups = gs.getUser().getMyGroups();
   
    // Check if the user belongs to the ITAM User Group
    var isITAMUser = false;
    while (userGroups.hasNext()) {
        var group = userGroups.next();
        if (group.getValue('sys_id') == itamUserGroupSysId) {
            isITAMUser = true;
            break;
        }
    }
  
    // Return true if the user is in the ITAM User Group
    return isITAMUser;
}

 

Using an Access Control List (ACL) is generally considered the best practice for making fields read-only in ServiceNow, especially when you need to enforce security at the server level.

You can create a field-level read ACL and include the script below.

var itamUserGroupSysId = '7bbedbcf1b7bcad8ebbfec60f54bcb30';
var userGroups = gs.getUser().getMyGroups();
var isITAMUser = false;
while (userGroups.hasNext()) {
    var group = userGroups.next();
    if (group.getValue('sys_id') == itamUserGroupSysId) {
        isITAMUser = true;
        break;
    }
}
answer = !isITAMUser;

 

For your requirement, using an ACL is the most secure and reliable method to make fields read-only for specific user groups. UI Policies and Client Scripts can complement ACLs for additional client-side control and user experience enhancements.

If my response has helped you, hit the helpful button, and if your concern is solved, do mark my response as correct.

 

Thanks & Regards
Viraj Hudlikar.


Mark Manders
Mega Patron

A UI policy won't protect fields on a list, so doing this with a UI policy will work, but is far from ideal and also not best practice. Just create an ACL for this. If you are on Xanadu it will be very easy, because you can create a 'deny-unless' write ACL for the field and use the security attributes for the group membership. No need for any scripting.


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark


AbdurRahmanSnow
Giga Guru

I found the solution for this using an ACL. I combined the answers from @Viraj Hudlikar and @Mark Manders.
What I did is below. (Also, the UI Policy script was not working properly, so I removed it.)

1) First, I created a table.None ACL (Read operation, irrespective of the role).
2) Then I created table.Fields ACLs for all the fields, one by one. Inside those field ACLs, I set the "Write" operation with "Deny Unless" (Mark's idea) and wrote the script (provided by Viraj), without filling in the Roles or Conditions sections.
Screenshots are attached below.

Script

var itamUserGroupSysId = '7bbedbcf1b7bcad8ebbfec60f54bcb30';
var userGroups = gs.getUser().getMyGroups();
var isITAMUser = false;
while (userGroups.hasNext()) {
    var group = userGroups.next();
    if (group.getValue('sys_id') == itamUserGroupSysId) {
        isITAMUser = true;
        break;
    }
}
answer = !isITAMUser;

Thanks a lot.
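
The point made in the answers above (a UI Policy only affects the form, while an ACL is enforced on the server) shown as an added example, not code from the thread or from ServiceNow: a plain-JavaScript model that sends the same edit through the form, a list edit and an API call as an ITAM group member. The column names, sample users and sample record are constructed assumptions.

```javascript
// Added illustration: a plain-JavaScript model, not ServiceNow's ACL engine.
const ITAM_GROUP = '7bbedbcf1b7bcad8ebbfec60f54bcb30'; // group sys_id from the thread

// Assumed column names for the fields listed in the thread ('division' is a guess).
const PROTECTED = new Set(['name', 'manufacturer', 'location', 'company',
  'serial_number', 'model_id', 'division', 'install_status']);

// Same decision as the thread's ACL script: true = write allowed.
function aclAnswer(user) {
  return !user.groups.includes(ITAM_GROUP);
}

// A UI Policy marks fields read-only on the form in the browser only;
// list edits and API calls never load the form, so nothing blocks them.
function uiPolicyBlocks(channel, user, field) {
  return channel === 'form' && PROTECTED.has(field) && !aclAnswer(user);
}

// Server-side check: evaluated for every write, whatever channel it came from.
function aclBlocks(user, field) {
  return PROTECTED.has(field) && !aclAnswer(user);
}

// Apply a change and return the names of the fields that were actually written.
function applyUpdate(record, change, user, channel, control) {
  const written = [];
  for (const [field, value] of Object.entries(change)) {
    const blocked = control === 'acl'
      ? aclBlocks(user, field)
      : uiPolicyBlocks(channel, user, field);
    if (!blocked) { record[field] = value; written.push(field); }
  }
  return written;
}

// Constructed sample users and record.
const itamUser = { groups: [ITAM_GROUP] };
const otherUser = { groups: ['constructed-other-group'] };
const newRecord = () => ({ name: 'LAPTOP-01', serial_number: 'SN-0001', comments: '' });

// Try the same edit through each channel under each control, as the ITAM user.
function demo() {
  const change = { serial_number: 'SN-9999', comments: 'edited' };
  const rows = [];
  for (const control of ['ui_policy', 'acl'])
    for (const channel of ['form', 'list', 'api'])
      rows.push({ control, channel,
        written: applyUpdate(newRecord(), change, itamUser, channel, control).join(',') });
  return rows;
}
console.table(demo());
```

In the model, the UI Policy rows for `list` and `api` still write `serial_number`, while every ACL row writes only the unprotected `comments` field.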


8 REPLIES

Hi Viraj. Thank you for this. But when I used your UI Policy script, the Computer table fields also became read-only for Admin. This should not happen.

If we go with the ACL script, your script makes those fields hidden, but not read-only.
Please help me out.

Requirement: For the ITAM User Group, the following fields should be read-only: Name, Manufacturer, Location, Company, Serial Number, model ID, Division, and Install status.
