
‎01-09-2021 06:41 AM
In our environment, we have many non-IT users with ITIL roles. ServiceNow is being used for task assignment for the entire company and all this is run off the Incident table.
(Note: I know how bad this is. I inherited this and did not design it. This question isn't about fixing this, it's about working around it.)
There is a role in our organization simply called "IT." All actual IT users have this role.
What I'm trying to accomplish is to set up an ACL (or other solution) where if an Incident has the "IT Operations" assignment group, only users with the IT role can read or write to the work notes on that Incident. I do not want users with the ITIL role, sn_incident_read, or sn_incident_write roles to see work notes for this assignment group unless they also have the IT role. They should be able to view work notes in other assignment groups w/o impediment.
This feels like it should be easy, but I haven't been able to work it out. It's also very possible I'm just a bad admin. Any help would be appreciated.

‎01-09-2021 07:47 AM
Ok, I figured out the problem. So apparently, going back to the initial description, yes, I'm a bad admin.
There were separate ACLs for role sn_incident_write for read and write access.
I put a condition in there that said:
Assignment Group IS NOT IT Ops --OR--
Assignment Group IS NOT IT Staff.
The problem: I put an OR into a list of negative conditions (instead of an AND) so of course the whole thing always returned true.
Rookie mistake though I've been doing this for a while now. Sorry to waste your time!
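
The mistake described in the post above, as an added example that is not part of the original thread: two negated tests joined with OR match every assignment group, while AND matches only groups outside the restricted set. It is plain JavaScript rather than ServiceNow platform code; the access model (one matching ACL is enough), the ACL on the IT role, and the sample users and the "Facilities" group are assumptions made for the illustration.

```javascript
// Added illustration in plain JavaScript (not ServiceNow platform code).
// Simplified model (assumption): a user can read the field when at least one
// ACL on it matches, i.e. the user holds its role and its condition is true.
const RESTRICTED = ['IT Ops', 'IT Staff']; // group names from the post

// Condition as first written: "is not IT Ops" OR "is not IT Staff".
// No group equals both names, so at least one test always passes.
const notRestrictedOr = (group) => RESTRICTED.some((name) => group !== name);

// Corrected condition: "is not IT Ops" AND "is not IT Staff".
const notRestrictedAnd = (group) => RESTRICTED.every((name) => group !== name);

// Two ACLs on the field: one for the IT role (hypothetical), one for
// sn_incident_write carrying the condition under test.
function buildAcls(nonItCondition) {
  return [
    { role: 'IT', condition: (group) => RESTRICTED.includes(group) },
    { role: 'sn_incident_write', condition: nonItCondition },
  ];
}

function canReadWorkNotes(acls, userRoles, group) {
  return acls.some((acl) => userRoles.includes(acl.role) && acl.condition(group));
}

// Constructed users and assignment groups for the comparison.
const users = { itStaff: ['IT', 'sn_incident_write'], nonIt: ['sn_incident_write'] };
const groups = ['IT Ops', 'IT Staff', 'Facilities'];

// For each user, list the groups whose work notes they can read.
function accessMatrix(nonItCondition) {
  const acls = buildAcls(nonItCondition);
  const rows = {};
  for (const [name, roles] of Object.entries(users)) {
    rows[name] = groups.filter((g) => canReadWorkNotes(acls, roles, g));
  }
  return rows;
}

console.log('OR :', accessMatrix(notRestrictedOr));
console.log('AND:', accessMatrix(notRestrictedAnd));
```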
‎01-09-2021 06:56 AM
Hi,
You can have a field-level READ and WRITE ACL on that field
In the role section give the role -> IT
In the condition field give the condition as -> Assignment Group [IS] IT Operations
Regards
Ankur
‎01-09-2021 07:02 AM
ACL screenshot
Regards
Ankur
‎01-09-2021 06:59 AM
Hi,
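If you don't want to use an ACL, then another approach:
1) Display BR
    (function executeRule(current, previous /*null when async*/) {
        // Work notes stay visible unless the incident is assigned to
        // IT Operations and the user lacks the IT role.
        var isItOps = current.assignment_group.name == 'IT Operations';
        if (!isItOps || gs.hasRole('IT')) {
            g_scratchpad.isValid = 'true';
        } else {
            g_scratchpad.isValid = 'false';
        }
    })(current, previous);
2) Client Script:
    function onLoad() {
        // UI-only: this hides the field on the form; it does not change
        // what the field's ACLs allow.
        g_form.setDisplay('work_notes', false); // 1st hide it
        if (g_scratchpad.isValid == 'true') {
            // if valid then show and make it editable
            g_form.setDisplay('work_notes', true);
            g_form.setReadOnly('work_notes', false);
        }
    }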
Regards
Ankur