Restrict creating incidents using incident.do

JanRaphaelC · 3 weeks ago

Do you guys know what is the best way to prevent users from creating an incident using incident.do? We want to encourage users to use the Service Portal so that an Interaction record gets created first before an incident.

Chaitanya ILCR · 3 weeks ago

Hi @JanRaphaelC ,

create an onLoad client script on the incident table like this

and navigate them to the portal (I have used sp you can replace sp with your desired portal)

this way if the record is a newRecord they will be routed to the portal

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

View solution in original post

kalanidhikr · 3 weeks ago

Hello @JanRaphaelC

To restrict incident creation in ServiceNow, particularly via the incident.do URL or form, create a Before - Insert Business Rule on the [incident] table with the script current.setAbortAction(true);. This prevents users from saving new records, effectively restricting access to the form's submission capability while allowing viewing of existing records.

Here are the specific methods to restrict incident creation:

Method 1: Business Rule (Recommended)

This prevents any new incident from being saved, regardless of how it was initiated.

Navigate to System Definition > Business Rules.
Click New.
Name the rule (e.g., "Restrict Incident Creation").
Set Table to Incident [incident].
Check the Advanced checkbox.
Under the When to run tab, set When to before and check Insert.

In the Advanced tab, use the following script to abort the action:

javascript

(function executeRule(current, previous /*null when async*/) {
    // Prevent new incident creation    gs.addErrorMessage("Creating new incidents is currently restricted.");
    current.setAbortAction(true);
})(current, previous);

Click Submit.

Method 2: Access Control Lists (ACLs)

This method controls create access based on roles or user criteria.

Navigate to System Security > Access Control (ACL).
Click New.
Set Type to record, Operation to create, and Name to incident.
In the Roles list, ensure only authorized roles (e.g., itil_admin) are listed. If the list is empty, it may default to restrictive settings based on sn_incident_write.
Save the record.

Important Considerations

Impact: This restriction prevents anyone without exception from creating incidents via the UI.
Alternatives: If you only want to restrict specific users, add conditions to the Business Rule script, such as checking for specific user roles (gs.getUser().hasRole('itil')).
URL Access: This approach stops the saving of a new incident, though it does not technically stop the incident.do page from loading, only from submitting data.

If my response helped mark as helpful and accept the solution.

Tanushree Maiti · 3 weeks ago

Restricting incident creation via incident.do in ServiceNow is best achieved using

ACLs (Access Control Lists) for granular control :

ACL (Record-Level): Create a new create operation ACL on the incident table. Use a script to return false if the user lacks the necessary role or group membership.

OR

Before-Insert Business Rules to prevent saving, typically based on user roles or group membership. For example, a before business rule can check if a user is not in a specific group and prevent saving.

Before Insert Business Rule: Create a Business Rule on the incident table (When: before, Insert: true). Use scripting to check gs.getUser().isMemberOf('<group_sys_id>') .

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect
Linkedin:

Ankur Bawiskar · 3 weeks ago

@Tanushree Maiti

Could you share screenshots on how this can be achieved using ACL or Business rule?

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

Tejas Adhalrao · 3 weeks ago

Hi @JanRaphaelC ,

The best way to prevent users from creating incidents via incident.do is to remove create access on the Incident table using ACLs. This blocks direct URL access while still allowing incident creation through the Service Portal,

Remove create access on Incident table for end users

Keep create access only for:

Service Desk
System users
Portal backend logic

End users cannot create via incident.do
✔ can still create via Service Portal (because portal uses server logic)