Limiting ITIL access to only Incidents assigned to their group

Kyle Desjardins
Giga Expert

Hi there, we have a need to add some more groups to our ServiceNow instance.

Essentially what I'm looking for is the following:

Current groups (A, B, C) should have full itil access to see Assets, Incidents, Request Items, etc. The new group (D) should only have access to the Incident table, and should only be able to see the incidents assigned to their own group.

I tried creating a new role to do this, and gave that role read/write access to only the incidents that are in their assignment group (as well as an ACL to allow them to create incidents). However, it seems like they just inherit the itil permissions and are able to see and modify anything a standard itil user can.

1 ACCEPTED SOLUTION

Kyle Desjardins
Giga Expert

So I was able to get this working (for multiple groups) with the following:

- Created new role called 'itil_limited'

- Assigned this group the 'itil' role so they can interact with tickets

- Created a Business Rule to run on 'Query' for the 'itil_limited' role, set this as the code:

(function executeRule(current, previous /*null when async*/ ) {

    // Only narrow interactive (UI) queries; scripted and integration queries
    // keep full access. The 'itil_limited' role filter is set on the rule's
    // Role condition and repeated here as a guard. gs.hasRole() returns true
    // for admin, so admin is exempted explicitly to avoid locking admins out.
    if (gs.getSession().isInteractive() && gs.hasRole('itil_limited') && !gs.hasRole('admin')) {
        // Restrict to caller, watch list, or members of the assigned group
        var u = gs.getUserID(); // sys_id of the current user
        var g = getMyGroups();  // array of sys_ids of the current user's groups
        // Modify the current query on the incident table
        current.addQuery('caller_id', u)
               .addOrCondition('assignment_group', 'IN', g.join(','))
               .addOrCondition('watch_list', 'CONTAINS', u);
    }

})(current, previous);
This allows users in the group to view tickets assigned to other groups if they are the caller, or on the watch list, but restricts their view to only see tickets assigned to a group they are in otherwise.

Thanks for pointing me in the right direction @sachin.namjoshi !
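To make the visibility logic of the accepted answer checkable outside an instance, here is an added stand-alone model of that query business rule. It is example code written for this thread, not ServiceNow platform code and not the poster's rule; the user and incident objects, sys_ids and group names are constructed, and the `hasRole` helper only imitates the platform behaviour that admin satisfies every role check.

```javascript
// Added example: offline model of the 'itil_limited' query business rule.
// All users, groups and incidents below are constructed sample data.

// Build the restriction the rule would add for a session user.
// Returns null when the rule would leave the query untouched.
function restrictionFor(user) {
  // Mirrors gs.hasRole(): admin satisfies every role check, so the rule
  // exempts admin explicitly rather than restricting administrators.
  const hasRole = (r) => user.roles.includes('admin') || user.roles.includes(r);
  if (!user.interactive) return null;        // scripted/integration queries untouched
  if (hasRole('admin')) return null;          // admin bypass
  if (!hasRole('itil_limited')) return null;  // full itil users (groups A, B, C) see everything
  return {
    callerId: user.sysId,
    groups: user.groups.slice(),
    watcher: user.sysId,
    // The equivalent encoded query the platform would append (LIKE = CONTAINS)
    encoded: 'caller_id=' + user.sysId +
             '^ORassignment_groupIN' + user.groups.join(',') +
             '^ORwatch_listLIKE' + user.sysId,
  };
}

// Apply the restriction to one record, as the added query would at row level.
function canSee(user, incident) {
  const r = restrictionFor(user);
  if (r === null) return true;
  return incident.caller_id === r.callerId ||
         r.groups.includes(incident.assignment_group) ||
         incident.watch_list.includes(r.watcher);
}

// Incident numbers a user would get back from the list view.
function visibleNumbers(user, incidents) {
  return incidents.filter((i) => canSee(user, i)).map((i) => i.number);
}

// Constructed sample incidents (sys_ids are placeholders)
const INCIDENTS = [
  { number: 'INC0001', caller_id: 'u_alice', assignment_group: 'grp_A', watch_list: [] },
  { number: 'INC0002', caller_id: 'u_bob',   assignment_group: 'grp_D', watch_list: [] },
  { number: 'INC0003', caller_id: 'u_dana',  assignment_group: 'grp_B', watch_list: [] },
  { number: 'INC0004', caller_id: 'u_carol', assignment_group: 'grp_C', watch_list: ['u_dana'] },
];

// Constructed sample sessions
const USERS = {
  fullItil: { sysId: 'u_alice', roles: ['itil'],                 groups: ['grp_A'], interactive: true },
  limited:  { sysId: 'u_dana',  roles: ['itil', 'itil_limited'], groups: ['grp_D'], interactive: true },
  admin:    { sysId: 'u_root',  roles: ['admin'],                groups: [],        interactive: true },
  script:   { sysId: 'u_dana',  roles: ['itil', 'itil_limited'], groups: ['grp_D'], interactive: false },
};

// Usage: the limited user in group D sees INC0002 (their group), INC0003 (caller)
// and INC0004 (watch list) but not INC0001; the full itil user sees all four.
console.log(visibleNumbers(USERS.limited, INCIDENTS));
console.log(visibleNumbers(USERS.fullItil, INCIDENTS));
```

The `script` session shows the effect of the `isInteractive()` check: a non-interactive query from the same limited user is not narrowed, so any script or integration running as that user still reads every incident. That is the caveat to keep in mind when choosing a query business rule over a read ACL.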



sachin_namjoshi
Kilo Patron

You can do this with an on-query business rule also.

You can add a condition in the business rule script to allow groups to see only their assigned incidents.

Regards,

Sachin

The main issue is I want the initial groups (A,B,C) to continue seeing all incidents, it's just the limited group (D) that I want to only see their own.

You can write an on-query business rule like the one below.

(function executeRule(current, previous /*null when async*/ ) {

    var user = gs.getUser();
    if (user.isMemberOf('A') || user.isMemberOf('B') || user.isMemberOf('C')) {
        // Full-access groups: no further restriction on the query
        current.addEncodedQuery('numberISNOTEMPTY');
    } else if (user.isMemberOf('D')) {
        // Braces matter here: a stray ';' after the condition would make the
        // restriction apply to every user. Use the sys_id of the D assignment group.
        current.addEncodedQuery('numberISNOTEMPTY^assignment_group=3b99cd14378d7ac0a5e694c543990ebf');
    }

})(current, previous);
Regards,

Sachin

Hmmm, it seems like this business rule would have to be modified any time a group is added to the instance.

Are you aware of any way we could do this via ACL? For example, if I made a role called itil_limited or something, and it had the limited permissions as defined, then I could put the rules in place and the only work to do afterward for adding a group would be to determine if they need the full access (itil role) or the "assigned to only" access (itil_limited role).