03-18-2022 11:33 AM
Hi there, we have a need to add some more groups to our ServiceNow instance.
Essentially what I'm looking for is the following:
Current groups (A, B, C) should have full itil access to see Assets, Incidents, Request Items, etc. The new group (D) should only have access to the Incident table, and should only be able to see the incidents assigned to their own group.
I tried creating a new role to do this, and gave that role read/write access to only the incidents that are in their assignment group (as well as an ACL to allow them to create incidents). However, it seems like they just inherit the itil permissions and are able to see and modify anything a standard itil user can.
Labels: Incident Management, Service Desk
03-24-2022 01:28 PM
So I was able to get this working (for multiple groups) with the following:
- Created new role called 'itil_limited'
- Assigned this group the 'itil' role so they can interact with tickets
- Created a Business Rule to run on 'Query' for the 'itil_limited' role, set this as the code:
(function executeRule(current, previous /*null when async*/ ) {
    // Only filter interactive (UI) sessions; background and API queries are left unchanged
    if (gs.getSession().isInteractive()) {
        // Restrict to caller, watch list, or members of the assigned group
        var u = gs.getUserID(); // sys_id of the current user
        var g = getMyGroups();  // array of sys_ids of the current user's groups
        // Modify the current query on the incident table:
        // caller_id = u OR assignment_group IN g OR watch_list CONTAINS u
        // (watch_list is a glide_list of sys_ids, so an equality match would miss
        // records with more than one watcher)
        current.addQuery('caller_id', u)
            .addOrCondition('assignment_group', g)
            .addOrCondition('watch_list', 'CONTAINS', u);
    }
})(current, previous);
This allows users in the group to view tickets assigned to other groups if they are the caller, or on the watch list, but restricts their view to only see tickets assigned to a group they are in otherwise.
Thanks for pointing me in the right direction
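As an added illustration that is not code from the thread, the predicate the accepted query business rule builds, modelled in plain Node.js over constructed incident records so it can be run outside an instance. The sys_ids are placeholders; on the instance the rule only narrows what interactive sessions list, and table access itself is still decided by the ACLs the role carries.

```javascript
// Added example, not code from the thread: the visibility predicate of the accepted
// query business rule, modelled in plain Node.js over constructed incident records.
// glide_list fields such as watch_list store comma-separated sys_ids, so watcher
// membership is a CONTAINS/LIKE test, not an equality test.

// Encoded-query equivalent of addQuery('caller_id', u)
//   .addOrCondition('assignment_group', g).addOrCondition('watch_list', 'CONTAINS', u)
function buildRestrictionQuery(userId, groupIds) {
  return 'caller_id=' + userId +
    '^ORassignment_groupIN' + groupIds.join(',') +
    '^ORwatch_listLIKE' + userId;
}

// The same rule evaluated directly against one incident record.
function canSee(incident, userId, groupIds) {
  const watchers = (incident.watch_list || '').split(',').filter(Boolean);
  return incident.caller_id === userId ||
    groupIds.includes(incident.assignment_group) ||
    watchers.includes(userId);
}

// Apply the restriction to a result set, as the BR narrows the incident query.
function visibleIncidents(incidents, userId, groupIds) {
  return incidents.filter(function (inc) { return canSee(inc, userId, groupIds); });
}

// Constructed sample data; sys_ids are placeholders, not real instance values.
const USER = 'user_d1';
const GROUPS = ['group_d']; // what getMyGroups() would return for this user
const INCIDENTS = [
  // in the user's own queue
  { number: 'INC0001', assignment_group: 'group_d', caller_id: 'user_x', watch_list: '' },
  // reassigned to another group, but the user is the caller: stays visible
  { number: 'INC0002', assignment_group: 'group_a', caller_id: USER, watch_list: '' },
  // another group's ticket where the user is one of several watchers
  { number: 'INC0003', assignment_group: 'group_a', caller_id: 'user_x', watch_list: 'user_z,user_d1' },
  // another group's ticket with no link to the user: hidden
  { number: 'INC0004', assignment_group: 'group_a', caller_id: 'user_x', watch_list: 'user_z' },
];

// Encoded query the rule would add, and the incidents the user gets to see.
console.log(buildRestrictionQuery(USER, GROUPS));
console.log(visibleIncidents(INCIDENTS, USER, GROUPS).map(function (i) { return i.number; }));
```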

03-18-2022 02:00 PM
Yes, ACL is also possible.
But ACL restrictions give a nasty error message to users.
Hence, I suggested a query BR.
Regards,
Sachin
03-22-2022 07:06 AM
Interesting. I'll test out the BR in my dev instance and mark as correct if it works as intended 🙂
03-22-2022 09:49 AM
So I was able to limit only the group I wanted while maintaining full visibility to the "core groups" with this BR:
(function executeRule(current, previous /*null when async*/ ) {
    // Members of the limited group only see incidents assigned to that group;
    // everyone else (the "core groups") keeps the unfiltered query
    if (gs.getUser().isMemberOf('ServiceNow_CRMSupport')) {
        current.addEncodedQuery('assignment_group=7b7f4f711bd60d101bbe97d58d4bcb33');
    }
})(current, previous);
The only issue I'm currently facing is if they were to have a ticket in their queue and re-assign it to another group, they lose visibility on that ticket (as well as any ticket they are the 'caller' of, or on the 'watch_list' for).
Is there an else statement or a different business rule I could create that overrides this one to allow them to see tickets they've moved to another queue (or are the 'caller' or on the 'watch_list' for)?

03-22-2022 10:04 AM
You can add these conditions of caller or watch list in your existing business rule like below:
(function executeRule(current, previous /*null when async*/ ) {
    var user = gs.getUserID();
    if (gs.getUser().isMemberOf('ServiceNow_CRMSupport')) {
        // Group queue, OR tickets where the user is the caller or on the watch list
        current.addEncodedQuery('assignment_group=7b7f4f711bd60d101bbe97d58d4bcb33' +
            '^ORcaller_id=' + user +
            '^ORwatch_listLIKE' + user);
    }
})(current, previous);
Regards,
Sachin