Restrict access for some itil users to only incidents where they are member of assignment group.

dressman
Kilo Expert

I would like to have a role called 3rdparty where if a user has this role they are restricted to tickets where they are the assignment group. Since they will be handling tickets they will need the itil role so we are in compliance with the license contract. I was hoping I could accomplish this through access controls.

Part of this is discussed here but the resolution is not mentioned.
http://community.service-now.com/node/1000637?page=1

4 REPLIES

Mark Stanger
Giga Sage

You should be able to accomplish this by modifying the 'incident query' business rule. Out of box, it restricts the view of incident tickets for non-itil users to those where they are the Caller. You could modify it to do a check for users who had the 3rd party role and then only allow them to see tickets where they were a member of the assignment group.

Here's an article explaining before query business rules and how you could make the modification.

http://www.servicenowguru.com/scripting/business-rules-scripting/controlling-record-access-before-query-business-rules/


Mark, thanks for your help. I am posting the solution for everyone. I ended up creating a 3rdparty role and gave all those people the itil role so we're right with the world on licensing. Then I created 2 new business rules:

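Name: 3rd party restrict incidents
table: incident
when: before

// Apply only to interactive sessions of 3rdparty users who are not admins
if (gs.hasRole("3rdparty") && !gs.hasRole("admin") && gs.getSession().isInteractive()) {
    var u = gs.getUserID();
    // Limit results to incidents assigned to one of the user's groups...
    var q = current.addQuery("assignment_group", gs.getUser().getMyGroups());
    // ...or where the user is the caller or opened the record
    q.addOrCondition("caller_id", u);
    q.addOrCondition("opened_by", u);
}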

Name: 3rd party restrict applications
table: sys_app_application
when: before

// Apply only to interactive sessions of 3rdparty users who are not admins
if (gs.hasRole("3rdparty") && !gs.hasRole("admin") && gs.getSession().isInteractive()) {
    // Show only the listed application menus, matched by sys_id
    var q = current.addQuery("sys_id", "******sys_id*******"); // incident_management
    q.addOrCondition("sys_id", "******sys_id*******"); // self service
    //q.addOrCondition("sys_id", "******sys_id*******"); // reports
}
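
The filter logic of the "3rd party restrict incidents" rule above, exercised offline as an added example that is not part of the original post. `mockGs`, `makeQuery`, `visibleIncidents` and the sample records are constructed stand-ins (assumptions), not ServiceNow APIs; the example shows which records the OR-ed conditions leave visible and when the rule adds no filter at all.

```javascript
// Simplified stand-ins for ServiceNow's gs and current objects (assumptions, not the real API).
function mockGs(user, interactive) {
  return {
    // Like gs.hasRole, this returns true for any role when the user is an admin.
    hasRole: (r) => user.roles.includes(r) || user.roles.includes("admin"),
    getUserID: () => user.id,
    getUser: () => ({ getMyGroups: () => user.groups }),
    getSession: () => ({ isInteractive: () => interactive }),
  };
}

function makeQuery() {
  const conds = []; // [field, value] pairs that are OR-ed together
  const cond = { addOrCondition(f, v) { conds.push([f, v]); return cond; } };
  return { conds, addQuery(f, v) { conds.push([f, v]); return cond; } };
}

// The rule script from the post, wrapped in a function so it can be called here.
function thirdPartyRestrictIncidents(current, gs) {
  if (gs.hasRole("3rdparty") && !gs.hasRole("admin") && gs.getSession().isInteractive()) {
    var u = gs.getUserID();
    var q = current.addQuery("assignment_group", gs.getUser().getMyGroups());
    q.addOrCondition("caller_id", u);
    q.addOrCondition("opened_by", u);
  }
}

// Incident numbers the user can still see once the rule has run.
function visibleIncidents(incidents, user, interactive) {
  const current = makeQuery();
  thirdPartyRestrictIncidents(current, mockGs(user, interactive));
  const match = (inc, [f, v]) => (Array.isArray(v) ? v.includes(inc[f]) : inc[f] === v);
  return incidents
    .filter((inc) => current.conds.length === 0 || current.conds.some((c) => match(inc, c)))
    .map((inc) => inc.number);
}

// Constructed sample data.
const INCIDENTS = [
  { number: "INC001", assignment_group: "grp_vendor", caller_id: "u_alice", opened_by: "u_desk" },
  { number: "INC002", assignment_group: "grp_network", caller_id: "u_bob", opened_by: "u_vendor1" },
  { number: "INC003", assignment_group: "grp_network", caller_id: "u_vendor1", opened_by: "u_desk" },
  { number: "INC004", assignment_group: "grp_network", caller_id: "u_carol", opened_by: "u_desk" },
];
const VENDOR = { id: "u_vendor1", roles: ["itil", "3rdparty"], groups: ["grp_vendor"] };
const VENDOR_ADMIN = { id: "u_vendor2", roles: ["3rdparty", "admin"], groups: [] };

console.log(visibleIncidents(INCIDENTS, VENDOR, true));  // INC001, INC002, INC003
console.log(visibleIncidents(INCIDENTS, VENDOR, false)); // all four: no filter added
```

Where the rule adds no filter (admins, non-interactive sessions), what the user can read is left to the instance's other access controls.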


dressman
Kilo Expert

Mark, I was told that was a big no no. I saw your blog entry on this. Does Service-Now allow instance admins to update this Business Service?


I'm not sure who told you that, but it's not a big no-no. If you can avoid updating out-of-box records you should, but there are many cases where it isn't possible. This is one of those cases where you need to update an out-of-box business rule to get the setup you need to have.