- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-18-2022 11:33 AM
Hi there, we have a need to add some more groups to our ServiceNow instance.
Essentially what I'm looking for is the following:
Current groups (A, B, C) should have full itil access to see Assets, Incidents, Request Items, etc. The new group (D) should only have access to the Incident table, and should only be able to see the incidents assigned to their own group.
I tried creating a new role to do this, and gave that role read/write access to only the incidents that are in their assignment group (as well as an ACL to allow them to create incidents). However it seems like they just inherit the itil permissions and are able to see and modify anything a standard itil user can.
Solved! Go to Solution.
- Labels:
-
Incident Management
-
Service Desk
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-24-2022 01:28 PM
So I was able to get this working (for multiple groups) with the following:
- Created new role called 'itil_limited'
- Assigned this group the 'itil' role so they can interact with tickets
- Created a Business Rule to run on 'Query' for the 'itil_limited' role, set this as the code:
(function executeRule(current, previous /*null when async*/ ) {
// Add your code here
if (gs.getSession().isInteractive()) {
//Restrict to caller, watchlist, or members of assigned group...
var u = gs.getUserID(); //Get the sys_id value of the current user
var g = getMyGroups(); //Get the list of the current user groups
var q = current.addQuery('caller_id', u).addOrCondition('assignment_group', g).addOrCondition('watch_list', u); //Modify the current query on the incident table
}
})(current, previous);
This allows users in the group to view tickets assigned to other groups if they are the caller, or on the watch list, but restricts their view to only see tickets assigned to a group they are in otherwise.
Thanks for pointing me in the right direction

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-18-2022 11:44 AM
You can do this with on query business rule also.
You can add condition in business rule script to allow groups to see only their assigned incidents.
Regards,
Sachin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-18-2022 11:47 AM
The main issue is I want the initial groups (A,B,C) to continue seeing all incidents, it's just the limited group (D) that I want to only see their own.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-18-2022 12:00 PM
You can write on query business rule like below
(function executeRule(current, previous /*null when async*/ ) {
// Add your code here
if (gs.getUser().isMemberOf('A') || gs.getUser().isMemberOf('B') || gs.getUser().isMemberOf('C'))
current.addEncodedQuery('numberISNOTEMPTY');
else if (gs.getUser().isMemberOf('D'));
current.addEncodedQuery('numberISNOTEMPTY^assignment_group=3b99cd14378d7ac0a5e694c543990ebf'); // add sys_id of D assignment group
})(current, previous);
Regards,
Sachin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-18-2022 12:40 PM
Hmmm this seems like this business rule would have to be modified any time a group is added to the instance.
Are you aware of any way we could do this via ACL? Such as if I made a 'role' called itil_limited or something, and it has the limited permissions as defined. This way I could put the rules in place and the only work to do afterward for adding a group would be to determine if they need the full access (itil role) or the "assigned to only" (itil_limited role)