Read only role for Incident, Problem, Change
‎07-08-2013 02:09 PM
I need to create a read only role to be utilized by various departments in my company to allow them to view all data in Incident, Problem, and Change. The role has been created and I have added it to the ACLs for Incident with a read operation. As a test, I edited the Incident Application to allow the role the ability to see the incident application, however when I impersonate a user with this role and select anything under the incident header, they see no data. There isn't a security error message, it just does not display anything.
I'm still fairly new at ServiceNow admin, but this seemed like it should be rather straightforward. What am I missing?
‎07-09-2013 10:25 AM
I totally forgot about the business rule. This solved the issue. Thank you!
‎09-06-2013 02:02 PM
Is it possible to create a "read-only" role that doesn't consume an ITIL license, being that a number of users who may reference processes such as incidents/problem/cmdb/change yet will never be assigned a task, report or approve?
‎12-19-2013 07:54 AM
Hello,
Does anyone have an example of a read only role and ACLs? The goal is to allow auditors or some users to read, print any ticket without being able to alter or change the content of the ticket.
Currently on Dublin
Thanks in advance!
‎01-05-2015 07:03 AM
You can try the following. I have these on our DEV instance for the same thing.
I created a new role called itil_readonly.
You will need to add a new ACL to incident manually
and add the itil_readonly as a required role.
Script to add security ACL roles - I have a new user for this so I can revert by removing all updates by a particular account.
The encoded query and the sys_user_role need amending to your values.
// 06cd2a636f9539c43e06a4b03f3ee441
// itil_readonly
FIRST
=====
Ensure you have logged on as the Service_IRO account.
DO NOT UNDER ANY CIRCUMSTANCES run this with any other account.
This is so we can trace and mark the records for easy removal if needed.

    var created = {};
    var acl;
    // Select every ACL-to-role row that gives the itil role a read operation
    var scrgr = new GlideRecord('sys_security_acl_role');
    scrgr.addEncodedQuery('sys_user_role=19da9ba26f1101003e06a4b03f3ee460^sys_security_acl.operation=read'); // get roles for itil that are Read only
    scrgr.query();
    while (scrgr.next())
    {
        // Insert a matching row that attaches the same ACL to itil_readonly
        var nscrgr = new GlideRecord('sys_security_acl_role');
        nscrgr.initialize();
        nscrgr.sys_security_acl = scrgr.sys_security_acl;
        nscrgr.sys_user_role = '06cd2a636f9539c43e06a4b03f3ee441'; // set to itil_readonly
        nscrgr.insert();
    }

Amend the Business Rule - incident Query:

    // Users without itil or itil_readonly only see incidents they raised, opened or are watching
    if (!gs.hasRole("itil") && !gs.hasRole("itil_readonly") && gs.isInteractive()) {
        var u = gs.getUserID();
        var qc = current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
        gs.print("query restricted to user: " + u);
    }

Script to modify the Application menus and modules so the itil_readonly role can access the same as the itil role:

    // 06cd2a636f9539c43e06a4b03f3ee441
    // itil_readonly
    // Application menus whose roles field contains 'itil'
    var gr = new GlideRecord('sys_app_application');
    gr.addQuery('roles','CONTAINS','itil');
    gr.query();
    while (gr.next())
    {
        gr.roles += ',itil_readonly';
        gr.update();
    }
    // Modules whose roles field contains 'itil'
    gr = new GlideRecord('sys_app_module');
    gr.addQuery('roles','CONTAINS','itil');
    gr.query();
    while (gr.next())
    {
        gr.roles += ',itil_readonly';
        gr.update();
    }
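
Added example, not part of the post above and not ServiceNow's own code: the `CONTAINS 'itil'` filter in the menu and module scripts is a substring match, so it also selects entries restricted to roles such as `itil_admin`, and both scripts add their rows or suffix again on every run. The plain JavaScript below shows an exact-entry, repeatable version of both decisions; it models the rows as objects so it runs in Node, and the helper names, `ROLE_ITIL`/`ROLE_RO` ids and sample rows are constructed for illustration.

```javascript
// Added example: plain JavaScript, runs in Node without a ServiceNow instance.
// Rows are modelled as plain objects; all sample values below are constructed.

// Split a comma-separated roles field into trimmed, non-empty role names.
function parseRoles(csv) {
  return String(csv || '').split(',').map(function (r) { return r.trim(); })
    .filter(function (r) { return r.length > 0; });
}

// Return the roles string with newRole appended only when sourceRole is present
// as an exact entry and newRole is not already listed. Safe to run repeatedly.
function grantAlongside(csv, sourceRole, newRole) {
  var roles = parseRoles(csv);
  if (roles.indexOf(sourceRole) === -1 || roles.indexOf(newRole) !== -1) {
    return roles.join(',');
  }
  return roles.concat(newRole).join(',');
}

// Decide which ACL-to-role rows to insert: one per read ACL that the source
// role holds and the target role does not hold yet.
function planAclCopies(rows, sourceRoleId, targetRoleId) {
  var held = {};
  rows.forEach(function (r) {
    if (r.role === targetRoleId) { held[r.acl] = true; }
  });
  var plan = [];
  rows.forEach(function (r) {
    if (r.role === sourceRoleId && r.operation === 'read' && !held[r.acl]) {
      held[r.acl] = true; // also collapses duplicate source rows
      plan.push({ acl: r.acl, role: targetRoleId });
    }
  });
  return plan;
}

// Constructed sample data (not taken from a real instance).
var sampleModules = ['itil', 'itil_admin', 'itil,itil_readonly', 'admin, itil'];
var sampleAclRoles = [
  { acl: 'acl_incident_read', operation: 'read', role: 'ROLE_ITIL' },
  { acl: 'acl_incident_write', operation: 'write', role: 'ROLE_ITIL' },
  { acl: 'acl_problem_read', operation: 'read', role: 'ROLE_ITIL' },
  { acl: 'acl_problem_read', operation: 'read', role: 'ROLE_RO' }
];

sampleModules.forEach(function (m) {
  console.log(JSON.stringify(m) + ' -> ' + grantAlongside(m, 'itil', 'itil_readonly'));
});
console.log(planAclCopies(sampleAclRoles, 'ROLE_ITIL', 'ROLE_RO'));
```

Inside an instance the same checks would sit in the `while` loops, before `update()` and `insert()` respectively.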
‎01-05-2015 07:41 AM
One thing that I am seeing in my testing is that a few fields are still editable.
Typically the ones where the field is linking to another table (Location, Business Service, etc.), so I may have to add an ACL to lock these out.