- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-29-2020 09:19 PM
Hi team
I'm not great with ACLs or scripting but could do with some assistance with locking down a specific catalog item:
- I have a catalog item called 'Account Audit Request' and a workflow to have it approved
- I have created a group that should have access to it called 'Account Audit Team'
I need these requests to be heavily locked down so even the Service Desk team can't see them (or anyone with the generic ITIL access) and only visible to the 'Account Audit Team' group.
I have two catalog tasks generated as part of the workflow to provide and revoke access, so the assignee of that task will also need access to catalog tasks only and not the RITM, and only when it is assigned to them.
Is this doable, and, if so, how do I implement it?
Many thanks
Solved! Go to Solution.
- Labels:
-
Request Management
-
Service Catalog
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-29-2020 09:58 PM
rather than playing with ACLs; sometimes query Business rule are good options
Sample below
This query BR will only run if logged in user is not member of that Group so that it performs the restriction
1) if logged in user is not member of that Audit group it would hide those RITMs belonging to that catalog item
Condition:
gs.isInteractive() && !gs.getUser().isMemberOf('Account Audit Team') && !gs.hasRole('admin')
Script:
(function executeRule(current, previous /*null when async*/) {
// Add your code here
if(!gs.getUser().isMemberOf('Account Audit Team')){
current.addEncodedQuery('cat_item.name!=Account Audit Request');
}
})(current, previous);
Regards
Ankur
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-29-2020 10:39 PM
I guess there are a few things to test here:
- Member of the group but not a 'normal' IT user i.e. has ITIL role): Cannot see the active requests
- 'Normal IT' user with ITIL role: Can see the requests
- Admin user: Can see the requests
I need rules 1 and 2 swapped so normal ITIL users cannot see the requests, but members of the security group can, please.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-29-2020 11:06 PM
try adding logs to the BR to confirm
BR script and condition looks fine
Regards
Ankur
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-29-2020 11:56 PM
Thank you - I've done it but doesn't really make much sense to me, I'm afraid.
Would it to you?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-31-2020 10:30 PM
Any update on further debugging?
Regards
Ankur
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎11-05-2020 12:55 AM
Still struggling on with this, Ankur. I'll try and fathom out what's happening.
Would you be able to suggest how I could add an ACL instead of a BR?