Restrict access to users based on company

LG2
Mega Expert

We have a requirement to restrict users from "Company123" from viewing "everyone else's" incidents, so they will only be able to see records if the caller or the opened by field is someone from their company, OR if it is assigned to one of the "company123" assignment groups. (Everyone else will see "everything".)

We have tried to adapt the before business rule in http://www.servicenowguru.com/scripting/business-rules-scripting/controlling-record-access-before-qu...

but this has not worked.

Here is the script we are using:

if (gs.getUser().getCompanyID()=='sysid of Company123 in here') {
      var u = gs.getUserID();
      var q = current.addQuery("caller_id", u);
      q.addOrCondition("opened_by", u);
      current.addOrCondition('assignment_group.name', "CONTAINS", "Company123");
      gs.addInfoMessage("The records are restricted to the current logged in User");
}

After much brain ache we are stuck...

Please can anyone suggest where we are going wrong?

Many thanks

1 ACCEPTED SOLUTION

Michael Ritchie
ServiceNow Employee

Out of the box there is a company field throughout the platform including on task, user and locations. When you create an incident for a user the company from the sys_user record is populated in the incident. I would recommend using this approach for your record separation utilizing these out of the box capabilities:

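
// Filter only interactive sessions of users whose company is Company123
if(gs.getUser().getCompanyID()=='sysid of Company123 in here' && gs.getSession().isInteractive()){
      var u = gs.getUserID();
      // Show records the user opened, OR where the user is the caller,
      // OR whose company field is Company123
      var qc = current.addQuery('opened_by', u);
      qc.addOrCondition('caller_id', u);
      qc.addOrCondition('company', 'sysid of Company123 in here');
}
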

There isn't a company field on the sys_user_group table, but you could add one if you also need to factor incident assignment into the visibility of these tickets.


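The accepted rule above, run against constructed rows as an added example (not code from the original post or from ServiceNow): `mockCurrent`, `visibleTo`, the sample incidents and the `COMPANY123` placeholder are assumptions standing in for `current`, `gs` and real sys_ids. It shows that an incident assigned to a Company123 group but carrying another company (INC4) stays hidden, which is the gap the answer's closing remark about sys_user_group refers to.

```javascript
// In-memory stand-in for the platform objects; NOT the ServiceNow implementation.
const COMPANY123 = 'c123-sysid-placeholder'; // placeholder for the real sys_id

// Constructed sample rows; values stand in for sys_ids.
const INCIDENTS = [
  { number: 'INC1', opened_by: 'alice', caller_id: 'bob',   company: 'other',    assignment_group: 'grp-other' },
  { number: 'INC2', opened_by: 'carol', caller_id: 'alice', company: 'other',    assignment_group: 'grp-other' },
  { number: 'INC3', opened_by: 'carol', caller_id: 'dave',  company: COMPANY123, assignment_group: 'grp-other' },
  { number: 'INC4', opened_by: 'carol', caller_id: 'bob',   company: 'other',    assignment_group: 'grp-c123' },
  { number: 'INC5', opened_by: 'carol', caller_id: 'bob',   company: 'other',    assignment_group: 'grp-other' },
];

// Mock of `current`: addQuery() returns a condition object whose
// addOrCondition() widens that same condition (OR within, AND across conditions).
function mockCurrent() {
  const groups = [];
  return {
    addQuery(field, value) {
      const ors = [[field, value]];
      groups.push(ors);
      const cond = { addOrCondition(f, v) { ors.push([f, v]); return cond; } };
      return cond;
    },
    run: rows => rows.filter(r => groups.every(g => g.some(([f, v]) => r[f] === v))),
  };
}

// Body of the accepted before-query rule, with gs and current passed in.
function beforeQueryRule(current, gs) {
  if (gs.getUser().getCompanyID() == COMPANY123 && gs.getSession().isInteractive()) {
    const u = gs.getUserID();
    const qc = current.addQuery('opened_by', u);
    qc.addOrCondition('caller_id', u);
    qc.addOrCondition('company', COMPANY123);
  }
}

// Returns the incident numbers a given (mocked) session would see.
function visibleTo(userId, companyId, interactive = true) {
  const gs = {
    getUser: () => ({ getCompanyID: () => companyId }),
    getSession: () => ({ isInteractive: () => interactive }),
    getUserID: () => userId,
  };
  const current = mockCurrent();
  beforeQueryRule(current, gs);
  return current.run(INCIDENTS).map(r => r.number);
}

console.log(visibleTo('alice', COMPANY123)); // [ 'INC1', 'INC2', 'INC3' ]
```

Calling `visibleTo('alice', COMPANY123, false)` returns all five rows, because the `isInteractive()` guard skips the rule for non-interactive sessions.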

7 REPLIES

Hi Berny,


I have a concern towards this. Can you help me on this?


The code below which you suggested works fine.


if (gs.getUser().getCompanyID()=='sysid of Company123 in here') {
      var u = gs.getUserID();
      var qc = current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition('assignment_group.name', "CONTAINS", "Company123");
      gs.print("query restricted to user: " + u);
}

Suppose we are working on an Incident Task which is related to an Incident. In my view, with the above query a user of that assignment group will be able to see the records they opened, the records where they are the caller, and the records assigned to the assignment group they belong to; these are the records that will be queried and shown to them. Now, when an Incident Task is created for their group, with their assignment group, by a person from some other assignment group, and the assignee, a company123 user, wants to see the parent record (from which their task is assigned to them), how can we approach this?




Thank you Michael - we went with your suggestion in the end and it has worked perfectly... many thanks - happy bunnies all round 🙂