Locking down access to Catalog Item with ACL

jonny27
Giga Contributor

Hi team

I'm not great with ACLs or scripting but could do with some assistance with locking down a specific catalog item:

  • I have a catalog item called 'Account Audit Request' and a workflow to have it approved
  • I have created a group that should have access to it called 'Account Audit Team'

I need these requests to be heavily locked down so even the Service Desk team can't see them (or anyone with the generic ITIL access) and only visible to the 'Account Audit Team' group.

I have two catalog tasks generated as part of the workflow to provide and revoke access, so the assignee of that task will also need access to catalog tasks only and not the RITM, and only when it is assigned to them.

Is this doable, and, if so, how do I implement it?

Many thanks

1 ACCEPTED SOLUTION

@jonny27 

Rather than playing with ACLs, sometimes a query Business Rule is a good option.

Sample below

This query BR will only run if the logged-in user is not a member of that group, so that it performs the restriction.

1) If the logged-in user is not a member of that Audit group, it hides the RITMs belonging to that catalog item.

Condition:

gs.isInteractive() && !gs.getUser().isMemberOf('Account Audit Team') && !gs.hasRole('admin')

Script:

(function executeRule(current, previous /*null when async*/) {
    // Non-members of the group never see RITMs for this catalog item
    if (!gs.getUser().isMemberOf('Account Audit Team')) {
        current.addEncodedQuery('cat_item.name!=Account Audit Request');
    }
})(current, previous);

Regards
Ankur

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader


26 REPLIES

Hi,

As mentioned, a query BR is recommended in such a case as compared to an ACL.

For ACLs you would have to modify multiple ones.

Regards
Ankur


We have an answer! It was as simple as ticking the 'query' box in the BR.

Thank you so much for your help.

I just wanted to add one more thing: how can I include the current viewer if they are the requestor? The scope of the catalog item has now expanded to be available more widely; however, I want to make sure that users can only see their own requests and that members of the group can see all of them.

Many thanks

@jonny27 

Glad to know.

So the script/logic I shared worked well.

Just a miss in the checkbox.

I believe your original question is answered.

Can you please mark my response as correct and helpful? The discussion can still continue.

Updated logic below

Check if that works well

(function executeRule(current, previous /*null when async*/) {
    // Non-members only see RITMs that are not for the restricted item
    // AND ('^') are requested for themselves
    if (!gs.getUser().isMemberOf('Account Audit Team')) {
        current.addEncodedQuery('cat_item.name!=Request E-Discovery/Account Audit^request.requested_for=' + gs.getUserID());
    }
})(current, previous);

Regards
Ankur


Hi Ankur

It's kind of worked; however, the issue now is that anyone outside of those groups can't see any requests that aren't theirs, not just the specific item.

For example, the Service Desk group should be able to see all RITMs apart from the E-Discovery requests (because they will need to fulfil hardware items, for example).

Does that make sense?

Thanks for your continued assistance. 

jonny27
Giga Contributor

I'll just recap the requirements:

Requests for the 'Request E-Discovery' item should only be visible to the requestor and the members of the 'Account Audit Team' group.

All other RITMs should be visible as normal to ITIL users.

Here are the current scripts:

Condition:

gs.isInteractive() && !gs.getUser().isMemberOf('Account Audit Team') && !gs.hasRole('admin')

Script:

(function executeRule(current, previous /*null when async*/) {
    // Non-members only see RITMs that are not for the restricted item
    // AND ('^') are requested for themselves
    if (!gs.getUser().isMemberOf('Account Audit Team')) {
        current.addEncodedQuery('cat_item.name!=Request E-Discovery/Account Audit^request.requested_for=' + gs.getUserID());
    }
})(current, previous);
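The behaviour reported above (non-members losing sight of every request that is not their own) follows from how the encoded query is joined: in ServiceNow encoded-query syntax a bare `^` between two conditions is AND, while `^OR` joins them with OR. The following is an added example, not code from the thread or from ServiceNow: a small Node.js model of just the operators the posted Business Rule uses (`=`, `!=`, `^`, `^OR`), run over constructed sc_req_item records, so the filter as posted can be compared side by side with the same two conditions joined by `^OR`. The field names and the catalog item name are taken from the thread; the record data and user ids are constructed, and the `visibleTo` helper is a hypothetical stand-in for the BR condition that exempts group members.

```javascript
// Added example (not from the thread): models the ServiceNow encoded-query
// operators used in the posted Business Rule and runs them over constructed
// RITM records to compare '^' (AND) with '^OR' (OR) for the stated requirement.

const RESTRICTED_ITEM = 'Request E-Discovery/Account Audit'; // name from the thread

// Constructed sample sc_req_item records (not real data). cat_item and request
// are references, so 'cat_item.name' and 'request.requested_for' dot-walk.
const RITMS = [
  { number: 'RITM0001', cat_item: { name: RESTRICTED_ITEM }, request: { requested_for: 'user_jonny' } },
  { number: 'RITM0002', cat_item: { name: RESTRICTED_ITEM }, request: { requested_for: 'user_alice' } },
  { number: 'RITM0003', cat_item: { name: 'Laptop' },        request: { requested_for: 'user_jonny' } },
  { number: 'RITM0004', cat_item: { name: 'Laptop' },        request: { requested_for: 'user_bob' } },
];

// Parse the subset of encoded-query syntax used here: terms are separated by
// '^'; a term prefixed with 'OR' is ORed with the preceding term. The result is
// a list of OR-groups that are ANDed together (ServiceNow's grouping rule).
function parseEncodedQuery(query) {
  const groups = [];
  for (let term of query.split('^')) {
    let orTerm = false;
    if (term.startsWith('OR')) { orTerm = true; term = term.slice(2); }
    const m = /^([^!=]+)(!=|=)(.*)$/.exec(term);
    if (!m) throw new Error('unsupported term: ' + term);
    const cond = { field: m[1], op: m[2], value: m[3] };
    if (orTerm && groups.length) groups[groups.length - 1].push(cond);
    else groups.push([cond]);
  }
  return groups;
}

// Dot-walk a field path such as 'request.requested_for' on a record.
function fieldValue(record, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), record);
}

// AND across groups, OR within a group.
function matches(record, groups) {
  return groups.every(group => group.some(({ field, op, value }) => {
    const actual = String(fieldValue(record, field));
    return op === '=' ? actual === value : actual !== value;
  }));
}

// Return the RITM numbers a query would leave visible.
function runQuery(records, query) {
  const groups = parseEncodedQuery(query);
  return records.filter(r => matches(r, groups)).map(r => r.number);
}

// The filter exactly as posted: '^' makes both conditions mandatory, so a
// non-member sees only their own non-restricted requests.
function queryAsPosted(viewerId) {
  return 'cat_item.name!=' + RESTRICTED_ITEM + '^request.requested_for=' + viewerId;
}

// The same two conditions joined with '^OR': a RITM is hidden only when it is
// for the restricted item AND the viewer is not the requestor.
function queryWithOr(viewerId) {
  return 'cat_item.name!=' + RESTRICTED_ITEM + '^ORrequest.requested_for=' + viewerId;
}

// Hypothetical stand-in for the BR condition: members of the group bypass the
// filter entirely, everyone else gets the built query applied.
function visibleTo(records, viewerId, isAuditTeamMember, buildQuery) {
  if (isAuditTeamMember) return records.map(r => r.number);
  return runQuery(records, buildQuery(viewerId));
}

console.log('as posted, user_jonny :', runQuery(RITMS, queryAsPosted('user_jonny')).join(', '));
console.log('with ^OR,  user_jonny :', runQuery(RITMS, queryWithOr('user_jonny')).join(', '));
console.log('with ^OR,  user_bob   :', runQuery(RITMS, queryWithOr('user_bob')).join(', '));
```

With the `^` form, user_jonny sees only RITM0003, which is the symptom described in the last reply. With the `^OR` form, user_jonny sees RITM0001 (their own restricted request), RITM0003 and RITM0004, while user_bob sees every Laptop request but neither restricted one, which is the recap: the restricted item is visible to its requestor and to the group, and all other RITMs remain visible to ITIL users. A query Business Rule filters what a GlideRecord query returns for interactive sessions; the `gs.isInteractive()` check in the condition keeps it from interfering with the workflow's own scripted queries.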