Locking down access to Catalog Item with ACL

jonny27
Giga Contributor

Hi team

I'm not great with ACLs or scripting, but I could do with some assistance locking down a specific catalog item:

  • I have a catalog item called 'Account Audit Request' and a workflow to have it approved
  • I have created a group that should have access to it called 'Account Audit Team'

I need these requests to be heavily locked down, so that even the Service Desk team (or anyone with generic ITIL access) can't see them, and they are only visible to the 'Account Audit Team' group.

I have two catalog tasks generated as part of the workflow to provide and revoke access, so the assignee of each task will also need access to the catalog task only (not the RITM), and only when it is assigned to them.

Is this doable, and, if so, how do I implement it?

Many thanks

1 ACCEPTED SOLUTION

@jonny27 

Rather than playing with ACLs, a query Business Rule is sometimes a good option.

Sample below.

This query BR will only run if the logged-in user is not a member of that group, so that it performs the restriction:

1) If the logged-in user is not a member of the Audit group, it hides the RITMs belonging to that catalog item.

Condition:

gs.isInteractive() && !gs.getUser().isMemberOf('Account Audit Team') && !gs.hasRole('admin')

Script:

(function executeRule(current, previous /*null when async*/) {

    // Hide RITMs of the restricted item from anyone outside the group
    if (!gs.getUser().isMemberOf('Account Audit Team')) {
        current.addEncodedQuery('cat_item.name!=Account Audit Request');
    }

})(current, previous);

Regards
Ankur

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

26 REPLIES

jonny27
Giga Contributor

Hi @Ankur Bawiskar 

Just wondering if you'd be able to help with the above, please? Feeling like I'm really close here!

Thank you

Hi,

Even after adding this part, is it not working?

current.addEncodedQuery('cat_item.name!=Request E-Discovery/Account Audit^request.requested_for=' + gs.getUserID());

Regards
Ankur


Hi @Ankur Bawiskar 

Yeah - unfortunately, it was restricting access to all catalog items. So members of the Service Desk weren't able to see any open items at all because they are neither the requestor nor in the access group. 

Thanks

Hi,

I would suggest debugging the BR by adding info messages.

Regards
Ankur


jonny27
Giga Contributor

Hi @Ankur Bawiskar 

Starting a new line as the other one was getting difficult to read!

I had a developer from my team look at the rule, and they advised coming up with the following. However, there is one line (annotated inline) that is not working.

(function executeRule(current, previous /*null when async*/) {

    var isMember = gs.getUser().isMemberOf('Account Audit Team');
    var isOpened = 'request.requested_for' == gs.getUserID(); // FIX THIS
    var isAdmin = gs.hasRole('admin'); // || gs.hasRole('ITIL');

    if (!isMember && !isOpened && !isAdmin) {
        gs.log('Not a member AND opened by AND not admin');
        current.addEncodedQuery('cat_item.name!=Request E-Discovery/Email Access^current.requested_for=' + gs.getUserID());
    }

})(current, previous);

Despite being logged in as the same person who requested the item, the logs are not showing that value as true and, therefore, not unlocking the visibility of the item in the list view.

I realise I'm asking a lot, but are you able to just check this through for me, please?

Many thanks
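An added example (not code from the thread or from ServiceNow) that models the query BR from the accepted solution together with the requester exception the later replies try to express, and runs in Node with a plain user object standing in for the gs.* calls. It assumes the item and group names from the thread, a constructed set of RITM rows, and the encoded-query rule that ^ is AND while ^OR joins a term with the preceding one.

```javascript
// Added example, not code from the thread: the query-BR decision as plain
// functions runnable in Node. A plain user object stands in for
// gs.isInteractive(), gs.getUser().isMemberOf(), gs.hasRole() and gs.getUserID().
const ITEM = 'Account Audit Request';   // catalog item named in the thread
const GROUP = 'Account Audit Team';     // access group named in the thread
// Encoded query the BR should add for this user, or null when no restriction
// applies (audit team member, admin, or a non-interactive session).
function buildRitmRestriction(user) {
  if (!user.interactive || user.groups.includes(GROUP) || user.roles.includes('admin')) {
    return null;
  }
  // "not this item" OR "requested by me": a query BR runs before any row exists
  // to compare against, so the requester exception must be in the query, joined with ^OR.
  return 'cat_item.name!=' + ITEM + '^ORrequest.requested_for=' + user.id;
}

// The thread's second attempt joined the same two terms with ^ (AND), which
// hides every RITM the user did not request. Kept for comparison only.
function brokenAndRestriction(user) {
  const q = buildRitmRestriction(user);
  return q === null ? null : q.replace('^OR', '^');
}

// Tiny evaluator for encoded queries made of = and != terms, where ^ is AND and
// ^OR ORs a term with the preceding one. Not a full encoded-query parser.
function matches(row, encodedQuery) {
  const groups = [[]];
  for (const raw of encodedQuery.split('^')) {
    const isOr = raw.startsWith('OR');
    if (!isOr && groups[groups.length - 1].length) groups.push([]);
    groups[groups.length - 1].push(isOr ? raw.slice(2) : raw);
  }
  return groups.every(group => group.some(term => {
    const [, field, op, value] = /^([\w.]+)(!=|=)(.*)$/.exec(term);
    return op === '=' ? row[field] === value : row[field] !== value;
  }));
}

// Constructed sample RITMs; dotted keys mimic the reference paths in the query.
const RITMS = [
  { number: 'RITM0001', 'cat_item.name': ITEM, 'request.requested_for': 'u_alice' },
  { number: 'RITM0002', 'cat_item.name': ITEM, 'request.requested_for': 'u_bob' },
  { number: 'RITM0003', 'cat_item.name': 'Laptop Request', 'request.requested_for': 'u_carol' },
];
// RITM numbers the user would see in the list after the restriction is applied.
function visibleRitms(user, restriction = buildRitmRestriction) {
  const q = restriction(user);
  return RITMS.filter(r => q === null || matches(r, q)).map(r => r.number);
}
```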