Locking down access to Catalog Item with ACL

Go to solution
jonny27
Giga Contributor

‎10-29-2020 09:19 PM

Hi team

I'm not great with ACLs or scripting but could do with some assistance with locking down a specific catalog item:

  • I have a catalog item called 'Account Audit Request' and a workflow to have it approved
  • I have created a group that should have access to it called 'Account Audit Team'

I need these requests to be heavily locked down so even the Service Desk team can't see them (or anyone with the generic ITIL access) and only visible to the 'Account Audit Team' group. 

I have two catalog tasks generated as part of the workflow to provide and revoke access, so the assignee of that task will also need access to catalog tasks only and not the RITM, and only when it is assigned to them.

 

Is this doable, and, if so, how do I implement it?

 

Many thanks

0 Helpfuls
  • 2,519 Views
1 ACCEPTED SOLUTION

Go to solution
Ankur Bawiskar
Tera Patron
Tera Patron
In response to jonny27

‎10-29-2020 09:58 PM

@jonny27 

rather than playing with ACLs; sometimes query Business rule are good options

Sample below

This query BR will only run if logged in user is not member of that Group so that it performs the restriction

1) if logged in user is not member of that Audit group it would hide those RITMs belonging to that catalog item

Condition:

gs.isInteractive() && !gs.getUser().isMemberOf('Account Audit Team') && !gs.hasRole('admin')

Script:

(function executeRule(current, previous /*null when async*/) {

    // Add your code here

if(!gs.getUser().isMemberOf('Account Audit Team')){

current.addEncodedQuery('cat_item.name!=Account Audit Request');

}

})(current, previous);

Regards
Ankur

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

View solution in original post

0 Helpfuls
26 REPLIES 26

Go to solution
Ankur Bawiskar
Tera Patron
Tera Patron
In response to jonny27

‎11-17-2020 10:59 PM

Hi,

you cannot access data using current.field in query business rule so this won't work

current.request.requested_for

Regards
Ankur

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader
0 Helpfuls

Go to solution
jonny27
Giga Contributor
In response to Ankur Bawiskar

‎11-18-2020 12:08 AM

Thank you Ankur. Where should I put the log on the script you provided?

The issue with the script you provided is that it blocks off all requested items to the Service Desk.

I need ITIL users to see all requests apart from the Request E-Discovery/Email Access item unless they are admin or part of the Account Admin Team group. But I also need non-ITIL staff to be able to see their own requests for Request E-Discovery/Email Access on the Service Portal. 

 

0 Helpfuls