Limiting ITIL access to only Incidents assinged to their group

Kyle Desjardins · ‎03-18-2022

Hi there, we have a need to add some more groups to our ServiceNow instance.

Essentially what I'm looking for is the following:

Current groups (A, B, C) should have full itil access to see Assets, Incidents, Request Items, etc. The new group (D) should only have access to the Incident table, and should only be able to see the incidents assigned to their own group.

I tried creating a new role to do this, and gave that role read/write access to only the incidents that are in their assignment group (as well as an ACL to allow them to create incidents). However it seems like they just inherit the itil permissions and are able to see and modify anything a standard itil user can.

Kyle Desjardins · ‎03-24-2022

So I was able to get this working (for multiple groups) with the following:

- Created new role called 'itil_limited'

- Assigned this group the 'itil' role so they can interact with tickets

- Created a Business Rule to run on 'Query' for the 'itil_limited' role, set this as the code:

(function executeRule(current, previous /*null when async*/ ) {

    // Add your code here
if (gs.getSession().isInteractive()) {          
   //Restrict to caller, watchlist, or members of assigned group...
   var u = gs.getUserID(); //Get the sys_id value of the current user
   var g = getMyGroups(); //Get the list of the current user groups
   var q = current.addQuery('caller_id', u).addOrCondition('assignment_group', g).addOrCondition('watch_list', u); //Modify the current query on the incident table
}
})(current, previous);

This allows users in the group to view tickets assigned to other groups if they are the caller, or on the watch list, but restricts their view to only see tickets assigned to a group they are in otherwise.

Thanks for pointing me in the right direction @sachin.namjoshi !

View solution in original post

Kyle Desjardins · ‎03-24-2022

To note: for whatever reason users with the 'admin' role act as if they have all roles simultaneously so this rule affects them as well, so anyone else wanting to replicate this would want to put this line into the "Conditions" field

!gs.hasRole('admin')

QX · ‎11-18-2022

I am running into a same issue and I tried the code you provided but cant get it to work. Not sure what I am doing wrong. I am just doing it for the itil role altogether. Basically I want ITIL users to only be able to access incidents assigned to the groups they are a member of, or are the caller/watchlisted.

jabest13 · ‎11-28-2022

When I use this business rule it prevents all ITIL users from seeing other groups' incidents. Thus it is not only affecting itil_limited, but also itil roles.