Regarding the ACL for reading restricted records

Gintarelissss98
Tera Contributor

I have a requirement to restrict access to a certain type of problem and allow only specific groups to read them, table: problem, type: read. Therefore, I need an ACL on the Problem table with a script. However, this should apply to all created roles as only members of these groups should have the ability to see these records. Currently, it only works if a user has the 'itil' role. For example, a user with the 'sn_problem_read' role can see everything, even if they are not a member of that group.

How can I solve this issue? Do I need to add all roles that have read access to problems to the newly created ACL? I tried doing that, but it didn't work. Users with other roles can still see everything.

2 REPLIES

Dr Atul G- LNG
Tera Patron

Hi @Gintarelissss98

Share code please to check.

*************************************************************************************************************
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.

Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]

****************************************************************************************************************

Hello, this is my script include that I call in the ACL table 'problem' with the operation 'read'. It works perfectly if the user has the ITIL role, is added to the support group, or removed from it. However, if the user is assigned to the 'sn_problem_read' role or any other role, regardless of their role, they can see all the records.

 

var checkIfRelatedToIncident = Class.create();

checkIfRelatedToIncident.prototype = {
    initialize: function() {},

    // Called from the row-level ACL (table: problem, operation: read) as
    //   new checkIfRelatedToIncident().checkSecurityProblem(current)
    // Returns true when the current user may read the record, false otherwise.
    // Note that this runs once per problem row, so the incident query below
    // is executed for every record the ACL evaluates.
    checkSecurityProblem: function(current) {
        var user = gs.getUser();

        // Membership in either of the two groups named by the system properties.
        // isMemberOf() accepts a group name or sys_id, so either may be stored in the property.
        var securityMember = user.isMemberOf(gs.getProperty('group.it.sec')) ||
            user.isMemberOf(gs.getProperty('group.help.desk'));

        // Is this problem linked to at least one incident flagged as a security incident?
        var incidentGR = new GlideRecord('incident');
        incidentGR.addQuery('problem_id', current.getUniqueValue());
        incidentGR.addQuery('u_security_incident', true);
        incidentGR.setLimit(1);
        incidentGR.query();

        // Security-related problems are readable only by the two groups above;
        // every other problem passes this check unconditionally.
        if (incidentGR.hasNext()) {
            return securityMember;
        }
        return true;
    },

    type: 'checkIfRelatedToIncident'
};
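One platform behaviour worth keeping in mind when reading the thread above: when more than one ACL rule matches the same table and operation, a user has to pass only one of them. A new scripted read rule can therefore add access, but it cannot take away access that an existing unscripted read rule on the same table already grants, and widening the role list of the scripted rule changes nothing as long as the other rule still passes. The block below is an added example, not code from the post or from ServiceNow: a small Node.js model of that evaluation with gs and GlideRecord replaced by plain objects. The rule set, the group identifiers, the users and the incident records are all constructed assumptions; the pre-existing rule's role list in particular is chosen so the model shows the symptom described (itil gated, sn_problem_read not) and does not claim to reproduce the poster's instance.

```javascript
// Added example: a simplified model of ServiceNow row-level ACL evaluation.
// Not platform code and not the poster's instance; every object here is constructed.
// Modelled behaviour: all rules matching table + operation are checked and the
// user needs to pass only ONE of them. A single rule passes when the user holds
// one of its roles (or it lists none) AND its script, if any, returns true.

// Stand-ins for the two system properties (assumed values).
const PROPS = { 'group.it.sec': 'grp-it-sec', 'group.help.desk': 'grp-help-desk' };

// Minimal stand-in for gs.getUser().
function makeUser(roles, groups) {
  return {
    hasRole: (r) => roles.includes(r),
    isMemberOf: (g) => groups.includes(g),
  };
}

// Same decision as the posted checkSecurityProblem(), with platform calls stubbed:
// a problem linked to at least one incident flagged u_security_incident is
// readable only by members of the two configured groups; anything else is open.
function checkSecurityProblem(user, problem, incidents) {
  const securityMember =
    user.isMemberOf(PROPS['group.it.sec']) || user.isMemberOf(PROPS['group.help.desk']);
  const linkedToSecurityIncident = incidents.some(
    (inc) => inc.problem_id === problem.sys_id && inc.u_security_incident === true
  );
  return linkedToSecurityIncident ? securityMember : true;
}

// One rule: role condition AND (optional) script condition.
function rulePasses(rule, user, problem, incidents) {
  const roleOk = rule.roles.length === 0 || rule.roles.some((r) => user.hasRole(r));
  const scriptOk = typeof rule.script !== 'function' || rule.script(user, problem, incidents);
  return roleOk && scriptOk;
}

// Across rules: OR. One passing rule is enough to grant the operation.
function canRead(rules, user, problem, incidents) {
  return rules.some((rule) => rulePasses(rule, user, problem, incidents));
}

// Constructed rule set (assumption: an unscripted read rule for sn_problem_read
// already exists, and the new scripted rule requires itil).
const existingRead = { name: 'problem.read (pre-existing, unscripted)', roles: ['sn_problem_read'] };
const scriptedRead = { name: 'problem.read (new, scripted)', roles: ['itil'], script: checkSecurityProblem };

// Constructed records and users.
const securityProblem = { sys_id: 'prb-sec' };
const ordinaryProblem = { sys_id: 'prb-ord' };
const incidents = [{ sys_id: 'inc-1', problem_id: 'prb-sec', u_security_incident: true }];
const readerOutsideGroups = makeUser(['sn_problem_read'], []);
const itilOutsideGroups = makeUser(['itil'], []);
const itilInSecGroup = makeUser(['itil'], ['grp-it-sec']);

// Scenario 1: the scripted rule is added beside the existing one.
function scenarioAddScriptedRule() {
  const rules = [existingRead, scriptedRead];
  return {
    itilOutside: canRead(rules, itilOutsideGroups, securityProblem, incidents),     // false: gated by the script
    itilInGroup: canRead(rules, itilInSecGroup, securityProblem, incidents),        // true
    readerOutside: canRead(rules, readerOutsideGroups, securityProblem, incidents), // true: existing rule still grants
  };
}

// Scenario 2: more roles are added to the scripted rule (the experiment in the post).
function scenarioWidenScriptedRule() {
  const widened = { ...scriptedRead, roles: ['itil', 'sn_problem_read'] };
  return canRead([existingRead, widened], readerOutsideGroups, securityProblem, incidents); // still true
}

// Scenario 3: the same script condition is attached to every rule that grants read.
function scenarioScriptOnEveryRule() {
  const rules = [{ ...existingRead, script: checkSecurityProblem }, scriptedRead];
  return {
    readerOutside: canRead(rules, readerOutsideGroups, securityProblem, incidents),  // false
    readerOrdinary: canRead(rules, readerOutsideGroups, ordinaryProblem, incidents), // true: no security incident linked
    itilInGroup: canRead(rules, itilInSecGroup, securityProblem, incidents),         // true
  };
}

console.log(scenarioAddScriptedRule(), scenarioWidenScriptedRule(), scenarioScriptOnEveryRule());
```

The practical check this suggests is to list every read ACL that matches the problem table at the same level as the new one and see which of them a user holding sn_problem_read passes without the script; the ACL debugger (Debug Security Rules) shows exactly which rule granted a given row.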