ITIL users are able to see and select inactive groups.

Go to solution
mnreddy
Mega Guru

‎09-17-2018 03:20 PM

As per the ServiceNow OOB functionality, only users with admin roles should be able to see the inactive groups in the choice list(In my case on the incident form, we have a field called assignment group reference to sys_user_group table, in that field all the users are being able to see the inactive groups also). This field is using a advance reference qualifier to filter out results. Please help me how can I make inactive groups visible only to admins? The reference qualifier and script as below. Thank you.

I have added "grp.addQuery('group.active', true);" to the below code after doing the research but it doesn't help me resolve this.

Reference qualifier - javascript:new BackfillAssignmentGroup().BackfillAssignmentGroup()

Script include -

var BackfillAssignmentGroup = Class.create();
BackfillAssignmentGroup.prototype = {
initialize: function() {
},

BackfillAssignmentGroup:function() {
var gp = ' ';
var a = current.assigned_to;

//return everything if the assigned_to value is empty
if(!a)
return;
//sys_user_grmember has the user to group relationship
var grp = new GlideRecord('sys_user_grmember');
grp.addQuery('user',a);

grp.addQuery('group.active', true);
grp.query();

while(grp.next())
{

gp += (',' + grp.group);
if (gp.length > 0)
{
//build a comma separated string of groups if there is more than one
gp += (',' + grp.group);
}
else
{
gp = grp.group;
}
}
// return Groups where assigned to is in those groups we use IN for lists
return 'sys_idIN' + gp;
},
type: 'BackfillAssignmentGroup'
}

Labels:
0 Helpfuls
  • 2,807 Views
1 ACCEPTED SOLUTION

Go to solution
Mark Stanger
Giga Sage

‎09-17-2018 05:35 PM

This should work, but would only remove it from view for that specific field anyway.  If you really want the out-of-box behavior, then you want this to apply no matter how non-admin users access the group table...not just for the 'Assignment group' field.  That's controlled by a business rule on the 'sys_user_group' table named 'group query'.  It restricts access to inactive groups to just the admin role.  Its default script looks like this and will do exactly what you want if it is in place and the business rule is active...

if (!gs.hasRole("admin") && gs.getSession().isInteractive()) {
  current.addQuery("active", "true");
}

View solution in original post

3 REPLIES 3

Go to solution
Mark Stanger
Giga Sage

‎09-17-2018 05:35 PM

This should work, but would only remove it from view for that specific field anyway.  If you really want the out-of-box behavior, then you want this to apply no matter how non-admin users access the group table...not just for the 'Assignment group' field.  That's controlled by a business rule on the 'sys_user_group' table named 'group query'.  It restricts access to inactive groups to just the admin role.  Its default script looks like this and will do exactly what you want if it is in place and the business rule is active...

if (!gs.hasRole("admin") && gs.getSession().isInteractive()) {
  current.addQuery("active", "true");
}

Go to solution
mnreddy
Mega Guru
In response to Mark Stanger

‎09-18-2018 11:52 AM

Thanks Marks. That is what causing this issue. It is fixed now.

Go to solution
MGanon
Tera Guru

‎09-25-2019 02:33 PM

Since non-admin users are being able to see the inactive groups, did you disable or modify the "group query" business rule?

0 Helpfuls