How can I prevent users from creating an Incident with direct URL access?

dennisfoster
Kilo Contributor

I have created a self-service record producer for all users to enter Incidents. I've done everything to prevent unauthorized users from selecting "New" incident from the Service Desk view.

One of our developers discovered 'by accident' that if he browses to InstanceName.Service-Now.com/Incident.do, a new Incident record opens up.

Is there any way to modify this behavior? The same functionality is seen if they browse to a badly formed URL. They were trying to create an incident.do?NUMBER=INC011233 URL for a notification and, since it was invalid, a new Incident record popped up.

Any pointers would be helpful,

Thanks,

Dennis


Aditya Telideva
ServiceNow Employee

Hi Dennis,

It may be easier to create an access control that only allows the user to create Incidents if they have the ITIL role.

https://wiki.servicenow.com/index.php?title=Using_Access_Control_Rules#Creating_ACL_Rules

Also, the "New" UI action that is shown on the Incident list accessed from Self Service is not the same action that is shown when viewing a list of "Open" incidents from the Incident application. The Self Service Incident module should take the user to a service catalog offering to create a new incident by default, while the Incident module within the Incident application will take the user to a blank incident form. The defaults do not allow users without the "itil" role to access the Incident application, so your Self Service users should only have the Self Service Incident module available to them.

The "New" UI action that shows within the Self Service Incident module is defined on the "Incident" table for users who do not have the "itil" role and on the "global" table for users who *do* have the "itil" role.

Thanks,

Aditya Telidevara


gtalreja
ServiceNow Employee

Hello Dennis,

Creating an "Access Control list" rule is the solution to your query. A table-level or a row-level ACL is required in order to restrict user access to the table directly. See the link below for how you can create ACLs.

Create an ACL rule


Chuck Tomasi
Tera Patron

Hi Dennis,

What is the underlying issue here? I ask because if you block users from using that URL to create a new issue, they are blocked entirely. The incident.do part says "Take me to the form". If there's no information after it (like a record ID, etc.) it's going to bring up a new blank form, which is what you want if you would like to create a new form, even as the landing page from a record producer that generates incidents.

This is a very tricky situation and should be thoroughly thought through on what you want to do and how it may impact others.

Things like:

  • How likely are people to do this on a daily basis? Is it just a few "testers" playing around or is it a systemic threat?
  • What is the risk/impact of leaving it open?

Sometimes enacting a statement or policy (Please submit new records from the menu/portal only) is easier than trying to find a custom technical solution that a) bites you in the backside in the future and b) is hard to disable when nobody remembers how it was built.

Just my experience of similar situations on other systems.


Meshia
Kilo Guru

Create a role called "create new incident" or something similar. Create an ACL that only gives users access to create a new incident if they have that role.

Create a business rule that prevents the user from using the "insert" function to create a new incident.

Set the condition to run the rule when the description field is empty.

Check the box next to Abort Operation.

You can also add a message if you want to.
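As an added example (not code from any of the replies above), this is what Meshia's before-insert business rule looks like written as a script instead of through the condition builder and the Abort action checkbox. The role name `u_incident_creator` and the stub objects used to exercise it outside an instance are assumptions for illustration.

```javascript
// Added example: before-insert business rule on the incident table.
// Aborts an insert that arrives with an empty description (the blank form
// reached via /incident.do) unless the user holds a dedicated create role.
var INCIDENT_CREATE_ROLE = 'u_incident_creator'; // assumed placeholder role name

// Pure decision so the policy can be checked without a ServiceNow instance.
function shouldAbortInsert(descriptionEmpty, hasCreateRole) {
  return descriptionEmpty && !hasCreateRole;
}

// Rule body. Configure: Table = incident, When = before, Insert = checked.
// `current` is the record being inserted, `gs` the GlideSystem API object.
// Returns true when the insert is allowed, false when it was aborted.
function blockDirectIncidentInsert(current, gs) {
  var descriptionEmpty = current.description.nil();
  var hasRole = gs.hasRole(INCIDENT_CREATE_ROLE);
  if (shouldAbortInsert(descriptionEmpty, hasRole)) {
    gs.addErrorMessage('Please submit new incidents through the Self-Service record producer.');
    current.setAbortAction(true); // same effect as the "Abort action" checkbox
    return false;
  }
  return true;
}

// Entry point in the shape ServiceNow wraps business rule scripts; guarded so
// this file also loads in plain Node for the local check below.
if (typeof current !== 'undefined' && typeof gs !== 'undefined') {
  (function executeRule(current, previous /*null when async*/) {
    blockDirectIncidentInsert(current, gs);
  })(current, previous);
}

// Constructed stubs standing in for GlideRecord and GlideSystem (assumption, not the real API).
function makeStubs(descriptionEmpty, roles) {
  var state = { aborted: false, messages: [] };
  var record = {
    description: { nil: function () { return descriptionEmpty; } },
    setAbortAction: function (flag) { state.aborted = flag; }
  };
  var system = {
    hasRole: function (role) { return roles.indexOf(role) !== -1; },
    addErrorMessage: function (msg) { state.messages.push(msg); }
  };
  return { record: record, system: system, state: state };
}
```

Running it locally with the stubs shows the three cases that matter: an empty description without the role is aborted, the same record with the role is allowed, and a record produced with a description is never touched.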