Limit View to only Assignments on Catalog Tasks

kevinthury
Tera Guru

New to SN. Using Istanbul.

Is there a preferred method for allowing individuals who do not have the itil role the ability to read/edit catalog tasks that are assigned to a specific group? We would like people on the business side to get an assignment from a Catalog Item, review and/or edit the variables, and close the task so it can continue to IT to finish up the request. To complicate matters, we want to limit the view for the business side to only see those records in which they have an sctask assigned to them.

For this business side, I have created a group called 'CVS' and I will add specific non-itil users to this group. When the Catalog Item is submitted, the first activity is to create a catalog task to CVS. I would like to give access to the members of this group to read and edit these tasks, but not have the ability to see any other records within the application.

Other threads I have read suggest business rules or ACL restrictions, but have not had good results.

Any suggestions on the best approach for this?

3 REPLIES

sachin_namjoshi
Kilo Patron

You can achieve this using ACLs.

ACL is the best method to achieve this requirement.



Regards,


Sachin


ccajohnson
Kilo Sage

I would suggest using a custom role for your group. That way you can use that role in your ACL definitions, as well as the before Query business rule. If you do not have a naming convention established for custom roles, I would suggest using a common prefix (e.g., acme_) in front of your custom role to distinguish it from OOB roles. For my example, I will be using acme_sc_task_user as the role name.


You will then need to make sure that you create ACL definitions that use this role. Mimic what is used for the sc_task table and includes the itil role. From what I can tell, these are the following:


sc_task (read)


sc_task.* (read)


sc_task (write)



If you can successfully get a member of the group with that role to see and edit a task record, it is now a matter of writing a Business rule that runs before Query. You can model your script after the existing Business Rule on the Incident table called: incident query



What that script does is build a query string that will be used based upon conditions of the record and the person attempting to query the table. You will need to have multiple if statements that build the query for the following scenarios:


- User does not have either the custom or itil role.

- User has the custom role, but not itil.

- User has the itil role.



If you get stuck, just let us know and we can troubleshoot accordingly.
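A sketch of the before Query rule outlined in the reply above, covering its three scenarios; this is an added example and not code posted by anyone in the thread. The function name, the deny-by-default branch for users with neither role, and passing `getMyGroups()` straight to an `IN` condition are assumptions; `acme_sc_task_user` is the example role name from the reply.

```javascript
// Before-query business rule body for Catalog Task [sc_task] (server-side, ES5).
// Added illustration: the function name and the deny-by-default branch are
// assumptions; acme_sc_task_user is the example role from the reply above.
function restrictCatalogTaskQuery(current, gs) {
    // Non-interactive sessions (scheduled jobs, workflow) are left alone,
    // as in the out-of-box "incident query" rule.
    if (!gs.isInteractive()) {
        return 'unrestricted';
    }
    // Scenario: user has the itil role. Keep the normal, unfiltered view.
    if (gs.hasRole('itil')) {
        return 'unrestricted';
    }
    // Scenario: custom role but not itil. Return only tasks assigned to the
    // user directly or to one of the user's groups.
    if (gs.hasRole('acme_sc_task_user')) {
        // GlideUser.getMyGroups() yields the caller's group sys_ids; handing
        // the result directly to IN is an assumption to verify on the instance.
        var groups = gs.getUser().getMyGroups();
        current.addQuery('assignment_group', 'IN', groups)
               .addOrCondition('assigned_to', gs.getUserID());
        return 'own_groups';
    }
    // Scenario: neither role. Match nothing, so lists, reports and direct
    // URLs all come back empty instead of leaking other groups' tasks.
    current.addNullQuery('sys_id');
    return 'none';
}

// On the instance, `current` and `gs` are supplied by the platform.
if (typeof current !== 'undefined' && typeof gs !== 'undefined') {
    restrictCatalogTaskQuery(current, gs);
}
```

The rule only narrows which rows a query returns; the sc_task ACLs still decide whether a returned record and its fields can be read or written.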


Thanks Christopher. I do have a new role created and the three ACLs set up accordingly.



Group = CVS


Role = cvs_sc_task_user



Business Rule


Table = Catalog Task [sc_task]


When = before


Query = Checked


Script: [image: find_real_file.png]




When impersonating a user from that group, I am only able to edit certain fields on a SCTASK. I fear there are other ACLs in play and I don't know how to debug. I'll have to hunt them down.