06-19-2014 12:56 PM
I am hoping someone can help with this dilemma - if it even is one. I'm relatively new to domain separation so I'm fumbling through this a bit.
Right now, we have a domain structure that looks something like this:
TOP
|
TOP/MSP (where MSP has access to all data in TOP and all customer domains)
|
TOP/MSP/CUSTOMER1 TOP/MSP/CUSTOMER2 TOP/MSP/CUSTOMER3
We have some users that need to be able to see data in TOP/MSP, TOP/MSP/CUSTOMER1 and TOP/MSP/CUSTOMER2 - but not TOP/MSP/CUSTOMER3.
Would I be able to achieve this restriction through the use of another third-level domain (for example, TOP/MSP/TECHNICIAN) that had visibility into TOP/MSP, TOP/MSP/CUSTOMER1 and TOP/MSP/CUSTOMER2, but not TOP/MSP/CUSTOMER3?
And if so, would I be able to use that even for a user that needed admin rights to do development, even on things that are global?
07-16-2014 03:43 PM
After some assistance from a helpful chap at ServiceNow, I have an answer to my dilemma:
- I created a group that would contain all of the users whom I need to limit access for.
- I created an access control rule for all tables that would check to see if the user was in the "limited access" group and the sys_domain of the record for the domain that needed this restriction.
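    // ACL script: deny when the record is in the restricted domain and the
    // user belongs to the limiting group; allow in every other case.
    if (current.sys_domain == '{your sys_id}' && gs.getUser().isMemberOf('{your limiting group sys_id}')) {
        answer = false;
    } else {
        answer = true;
    }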
- If you need to apply this to admins, you need to make sure the "admin override" option is unchecked.
- I did have to create a similar, but separate access control role for the sys_user table - not sure why, may be specific to my instance.
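The rule described in the answer above can be exercised outside the instance before it is deployed. The following is an added example, not part of the original post and not ServiceNow code: a plain Node.js model of the ACL script with a mocked `gs` and `current`. The sys_ids, user names and the `evaluateAcl` helper are constructed, and the handling of the "admin override" checkbox is an assumed model of its behaviour.

```javascript
// Added example: plain-Node model of the ACL script above. All sys_ids, users
// and helper names are constructed placeholders for illustration.
const RESTRICTED_DOMAIN = 'dom-customer3';   // placeholder domain sys_id
const LIMITED_GROUP = 'grp-limited-access';  // placeholder group sys_id

// The ACL script body from the post, wrapped so it can be called with mocks.
function aclScript(current, gs) {
  let answer;
  if (current.sys_domain == RESTRICTED_DOMAIN && gs.getUser().isMemberOf(LIMITED_GROUP)) {
    answer = false;
  } else {
    answer = true;
  }
  return answer;
}

// Minimal stand-in for the part of the GlideSystem user API the script uses.
function mockGs(user) {
  return { getUser: () => ({ isMemberOf: (g) => user.groups.includes(g) }) };
}

// Assumed model of "admin override": when checked, an admin passes without
// the script being consulted; when unchecked, the script decides for everyone.
function evaluateAcl(user, record, adminOverrides) {
  if (adminOverrides && user.roles.includes('admin')) return true;
  return aclScript(record, mockGs(user));
}

const users = {
  technician: { roles: ['itil'], groups: [LIMITED_GROUP] },
  limitedAdmin: { roles: ['admin'], groups: [LIMITED_GROUP] },
  mspStaff: { roles: ['itil'], groups: [] },
};
const records = {
  msp: { sys_domain: 'dom-msp' },
  customer1: { sys_domain: 'dom-customer1' },
  customer3: { sys_domain: RESTRICTED_DOMAIN },
};

// Full user-by-record access matrix for one setting of the override checkbox.
function accessMatrix(adminOverrides) {
  const out = {};
  for (const [name, user] of Object.entries(users)) {
    out[name] = {};
    for (const [rec, record] of Object.entries(records)) {
      out[name][rec] = evaluateAcl(user, record, adminOverrides);
    }
  }
  return out;
}

console.table(accessMatrix(false)); // override unchecked, as the answer advises
```

Comparing `accessMatrix(false)` with `accessMatrix(true)` shows the only cell that changes is the admin who is also in the limiting group, which is the case the "admin override" step in the answer addresses.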
06-19-2014 01:08 PM
Hello,
As far as visibility is concerned, I guess you can handle the same. To achieve the requirement you need to follow the steps below:
1) Create a new role for users in TOP/MSP who need to view data in TOP/MSP, TOP/MSP/CUSTOMER1 and TOP/MSP/CUSTOMER2 - but not TOP/MSP/CUSTOMER3.
2) Update the script include named "DomainSelect" to get the required list of domains. You need to update the function named "_getAllDomains".
If you have made the above changes, all your requirements will be fulfilled.
Let me know if you have any queries.
Regards,
Solutioner
06-19-2014 01:27 PM
So is this in addition to, or instead of, the solution I proposed above?
06-19-2014 02:22 PM
This is the implementation of the above-mentioned solution.
Regards,
Solutioner
06-19-2014 01:27 PM
Hello,
I have set up a similar configuration in a ServiceNow instance.
If you log in with userid/password as admin/admin, you will be able to see the domain "MSP Technicians (Optional)", but if you log in as itil/itil you will not be able to see the domain "MSP Technicians (Optional)". I have created a new role named "newRole" and updated the script include named "DomainSelect".
Regards,
Solutioner