Read only role for Incident, Problem, Change

snolt
Kilo Contributor

I need to create a read only role to be utilized by various departments in my company to allow them to view all data in Incident, Problem, and Change. The role has been created and I have added it to the ACLs for Incident with a read operation. As a test, I edited the Incident Application to allow the role the ability to see the incident application; however, when I impersonate a user with this role and select anything under the incident header, they see no data. There isn't a security error message, it just does not display anything.

I'm still fairly new at ServiceNow admin, but this seemed like it should be rather straightforward. What am I missing?

12 REPLIES

To sort out the fields that were still not RO, I had to add this ACL

[Image not available]

and on a couple of other fields I had to make changes as we had a specific ACL setting on them.


The above ACL appears to be a blunt force approach given that some groups may include the itil_readonly role in their permissions. If a person has multiple groups with higher roles, then this breaks their access, especially if they have write access allowed.

I was under the impression that if a user fails write rules, then the entire record is deemed off limits even if the individual fields win access; the correct way to do partial access is to give the user permissions for the record, then restrict the fields as necessary. As I am finding out in the implementation I am working on, it is doing the reverse, that is, barring access to the record, but giving access to one field.

I am also unable to find the write ACL that is giving some of my fields access. Are there any additional ways (other than debug) to find out what rule is causing permissions access issues?


sharonjanisch
Tera Contributor

We are on San Diego and have a similar request. They want to create a dashboard to display a group's open tickets in read only mode where it does not use up one of our ITIL roles. It's just going to be used on a monitor in the group's workroom so they can keep an eye on the requests for that day without being at their computers. Can you use this incident query business rule and take out the !gs.hasRole("itil") condition to create a rule that will accomplish the requirements here? Is it possible to create a "read-only" role that doesn't consume an ITIL license?