Locking down access to Catalog Item with ACL

jonny27
Giga Contributor

Hi team

I'm not great with ACLs or scripting but could do with some assistance with locking down a specific catalog item:

  • I have a catalog item called 'Account Audit Request' and a workflow to have it approved
  • I have created a group that should have access to it called 'Account Audit Team'

I need these requests to be heavily locked down so even the Service Desk team can't see them (or anyone with the generic ITIL access) and only visible to the 'Account Audit Team' group. 

I have two catalog tasks generated as part of the workflow to provide and revoke access, so the assignee of that task will also need access to catalog tasks only and not the RITM, and only when it is assigned to them.

Is this doable, and, if so, how do I implement it?

 

Many thanks

1 ACCEPTED SOLUTION

@jonny27 

Rather than playing with ACLs, sometimes query Business Rules are good options.

Sample below

This query BR will only run if the logged-in user is not a member of that group, so that it performs the restriction:

1) if the logged-in user is not a member of that Audit group, it would hide those RITMs belonging to that catalog item

Condition:

gs.isInteractive() && !gs.getUser().isMemberOf('Account Audit Team') && !gs.hasRole('admin')

Script:

(function executeRule(current, previous /*null when async*/) {
    // Hide RITMs of the restricted catalog item from anyone outside the group.
    // The condition above already excludes group members and admins; this
    // check repeats it as a guard in case the condition is later changed.
    if (!gs.getUser().isMemberOf('Account Audit Team')) {
        current.addEncodedQuery('cat_item.name!=Account Audit Request');
    }
})(current, previous);

Regards
Ankur

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

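To see how the query Business Rule approach behaves for both halves of the question (RITMs hidden from everyone outside the group, and catalog tasks visible to an outsider only when assigned to them), here is an added example that is not from the thread and not ServiceNow code. It models gs.getUser() and a GlideRecord's encoded query with small constructed stand-ins and a simplified evaluator that supports only '=' and '!=' terms joined by '^' and '^OR'. The group and item names are the ones from the thread; the user ids, record numbers and the sc_task rule are assumptions added here. In ServiceNow the two query functions correspond to `current.addEncodedQuery(ritmQueryFor(gs.getUser()))` in a query BR on sc_req_item and the same call with `taskQueryFor` in a query BR on sc_task, with `getID()` standing in for `gs.getUserID()`.

```javascript
'use strict';
// Added example: offline model of the query-BR restrictions discussed above.
// Names from the thread:
const AUDIT_GROUP = 'Account Audit Team';
const AUDIT_ITEM = 'Account Audit Request';

// Mirrors the accepted answer's condition: group members and admins are not restricted.
function isTrusted(user) {
  return user.isMemberOf(AUDIT_GROUP) || user.hasRole('admin');
}

// sc_req_item rule (as in the accepted answer): outsiders never see RITMs of the item.
// Returns the encoded query the BR would add, or null for "no restriction".
function ritmQueryFor(user) {
  if (isTrusted(user)) return null;
  return 'cat_item.name!=' + AUDIT_ITEM;
}

// sc_task rule (assumed extension for the second half of the question): an outsider
// sees a task of the item only when it is assigned to them.
// Encoded as: task is not of this item OR assigned_to = me.
function taskQueryFor(user) {
  if (isTrusted(user)) return null;
  return 'request_item.cat_item.name!=' + AUDIT_ITEM + '^ORassigned_to=' + user.getID();
}

// Minimal evaluator for the encoded-query subset used above: terms split on '^';
// a term prefixed 'OR' joins the preceding term's group; groups are ANDed.
// Only '=' and '!=' on dotted field paths are supported (a simplification of GlideRecord).
function matchesEncodedQuery(record, query) {
  if (query === null) return true;
  const groups = [];
  for (const rawTerm of query.split('^')) {
    let term = rawTerm;
    let isOr = false;
    if (term.startsWith('OR')) { term = term.slice(2); isOr = true; }
    const m = /^([\w.]+)(!=|=)(.*)$/.exec(term);
    if (!m) throw new Error('unsupported term: ' + rawTerm);
    const cond = { path: m[1], op: m[2], value: m[3] };
    if (isOr && groups.length) groups[groups.length - 1].push(cond);
    else groups.push([cond]);
  }
  // Dot-walk a path like request_item.cat_item.name through nested plain objects.
  const lookup = (rec, path) =>
    path.split('.').reduce((v, k) => (v == null ? undefined : v[k]), rec);
  return groups.every(group => group.some(c => {
    const actual = lookup(record, c.path);
    return c.op === '=' ? actual === c.value : actual !== c.value;
  }));
}

// Apply a rule to a list of records on behalf of a user, like a filtered list view.
function visibleTo(records, user, queryFor) {
  return records.filter(r => matchesEncodedQuery(r, queryFor(user)));
}

// Constructed stand-in for gs.getUser(): ids, groups and roles are made up.
function makeUser(id, groups, roles) {
  return {
    getID: () => id,
    isMemberOf: g => groups.includes(g),
    hasRole: r => roles.includes(r),
  };
}

const auditor   = makeUser('u_audit',  [AUDIT_GROUP],     ['itil']);
const deskAgent = makeUser('u_desk',   ['Service Desk'],  ['itil']);
const assignee  = makeUser('u_access', ['Access Admins'], ['itil']);

// Constructed sample records (numbers and assignments are made up).
const ritms = [
  { number: 'RITM0001', cat_item: { name: AUDIT_ITEM } },
  { number: 'RITM0002', cat_item: { name: 'New Laptop' } },
];
const tasks = [
  { number: 'TASK0001', assigned_to: 'u_access', request_item: { cat_item: { name: AUDIT_ITEM } } },
  { number: 'TASK0002', assigned_to: 'u_other',  request_item: { cat_item: { name: AUDIT_ITEM } } },
  { number: 'TASK0003', assigned_to: 'u_desk',   request_item: { cat_item: { name: 'New Laptop' } } },
];

function numbers(recs) { return recs.map(r => r.number); }

for (const [name, u] of [['auditor', auditor], ['deskAgent', deskAgent], ['assignee', assignee]]) {
  console.log(name,
    'RITMs:', numbers(visibleTo(ritms, u, ritmQueryFor)),
    'tasks:', numbers(visibleTo(tasks, u, taskQueryFor)));
}
```

Running it shows the desk agent seeing neither the audit RITM nor the audit tasks, the assignee seeing only the task assigned to them and not the RITM, and the group member seeing everything. The `'^OR'` in the task rule is what lets an assignee past the item filter without opening the RITM itself, which is the distinction the question asked for.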

26 REPLIES

Ankur Bawiskar
Tera Patron

Hi,

Do you need to restrict the submission of that catalog item only to that Group?

If yes, then you can use User Criteria to restrict that catalog item so that only that group can see the catalog item on the portal and submit it.

Regarding the RITM table visibility, you can either use table-level READ ACLs or a query Business Rule, as per your requirement.

Regards
Ankur


Hi Ankur

I need for no one to be able to see the catalog item, which I can sort through the user criteria on the catalog item.

But I also need for no one to be able to see the in-progress requests as well, apart from a specific user group. Only the people in the group should be able to see them as they're highly confidential. I think this would be handled through ACLs?

Thanks

Hi,

For this you can use a query Business Rule on the sc_req_item table.

So that:

1) if the logged-in user is not a member of that group, then hide those RITMs

Regards
Ankur


Oh wow! I hadn't thought of that. So they wouldn't be able to see them if they searched for the RITM either?

Much easier than writing ACLs (which I hate!)

I'll give it a go!