Restrict itil users to view Incidents assigned to HR groups

Viraj Sapte
Tera Expert

‎06-08-2024 10:01 PM

Hi,

I have a requirement where I need to restrict visibility to itil users, of Incidents assigned to HR groups.

I believe this can be achieved by ACL and Query BR. Can anyone help me with achieve this?

0 Helpfuls
  • 748 Views
5 REPLIES 5

Astik Thombare
Tera Sage

‎06-08-2024 10:48 PM

Hi @Viraj Sapte ,

 

In ServiceNow, restricting visibility of Incidents assigned to HR groups for ITIL users can indeed be achieved using Access Control Lists (ACLs) and Query Business Rules. Here’s a step-by-step guide to accomplish this:

 

Step 1: Create an ACL Navigate to System Security > Access Control (ACL).

 

Create a new ACL:

Table: incident

Type: record

Operation: read

Set the condition to restrict access:

Condition: assigned_to is in HR Groups or assignment_group is in HR Groups.

Set the Script to check user roles:

In the Advanced tab, use a script to ensure ITIL users are restricted:

 

 

 

// Get the assignment group of the incident

var assignmentGroup = current.assignment_group;



// Check if the user is an ITIL user and the assignment group is HR

if (gs.hasRole('itil') && assignmentGroup.name == 'HR') {

    answer = false;

} else {

    answer = true;

}

 

 

 

Step 2: Create a Query Business Rule

Navigate to System Definition > Business Rules.

Create a new Business Rule:

Name: Restrict ITIL Visibility to HR Incidents

Table: incident

Advanced: true

When: before

queryCondition:current.assignment_group is HR Groups.

Script:Use the following script to filter out incidents for ITIL users:

 

 

 

if (gs.hasRole('itil')) {

    // Add a query to restrict incidents assigned to HR groups

    var hrGroups = ['HR Group 1', 'HR Group 2']; // replace with actual HR group names

    current.addQuery('assignment_group', 'NOT IN', hrGroups);

}

 

 

 

If my reply helped with your issue please mark helpful 👍 and correct ✔️ if your issue is resolved.

 

                         By doing so you help other community members find resolved questions which may relate to an issue they're having

 

 

Thanks,

 

Astik

 

 

 

Astik Thombare
Tera Sage

‎06-09-2024 12:21 AM

Hi  @Viraj Sapte ,
 
Please Ignore my previous reply .
 
We can do it in both way . Using Before query Business rule and also using ACL 
 
Here is example how to achieve it with Using Before Query Business Rule

 

Create Before Business Rule -

 

Name :  Restrict ITIL Visibility to HR Incident

When : Before Query 

AstikThombare_0-1717917509095.png

 

Script -

 

 

 

(function executeRule(current, previous /*null when async*/ ) {

    if (gs.hasRole('itil')) {

        current.addEncodedQuery('assignment_group.name!=HR');// include any group as per your requirement    


})(current, previous);

 

 

 

I checked it in my PDI and it is working fine 

 

             If my reply helped with your issue please mark helpful 👍 and correct ✔️ if your issue is resolved.

 

                         By doing so you help other community members find resolved questions which may relate to an issue they're having

 

 

Thanks,

Astik

 

 

Viraj Sapte
Tera Expert
In response to Astik Thombare

‎06-09-2024 04:21 AM

Hi @Astik Thombare,

Thank you for your inputs. I was trying to achieve it by assigning type as 'human_resource' to the groups as there will be multiple groups. Could you please help me with this?

VirajSapte_0-1717932013472.png

 



0 Helpfuls

Astik Thombare
Tera Sage
In response to Viraj Sapte

‎06-09-2024 06:28 AM

HI @Viraj Sapte ,

 

Please update the code in before BR as below - 

 

 

(function executeRule(current, previous /*null when async*/) {
    // Initialize a GlideRecord object for the 'sys_user_group_type' table
    var groupTypeGr = new GlideRecord('sys_user_group_type');
    
    // Add a query to find the group type with the name 'human_resources'
    groupTypeGr.addQuery('name', 'human_resources');
    groupTypeGr.query();
 
    // Check if the query returns any records
    if (groupTypeGr.next()) {
        // Get the sys_id of the 'human_resources' group type
        var humanResourcesTypeSysId = groupTypeGr.sys_id.toString();
        
        // Check if the current user has the 'itil' role
        if (gs.hasRole('itil')) {
            // Initialize a GlideRecord object for the 'sys_user_group' table
            var groupGr = new GlideRecord('sys_user_group');
            
            // Add a query to find groups with the type 'human_resources'
            groupGr.addQuery('type', 'CONTAINS', humanResourcesTypeSysId);
            groupGr.query();
 
            // Collect the sys_ids of these groups
            var groupIds = [];
            while (groupGr.next()) {
                groupIds.push(groupGr.sys_id.toString());
            }
            
            // If there are any groups of type 'human_resources'
            if (groupIds.length > 0) {
                // Add a query to exclude incidents assigned to these groups
                current.addQuery('assignment_group', 'NOT IN', groupIds);
            }
        }
    }
})(current, previous);

 

 

 

I have tested it in PDI and it is working as expected 

 

      If my reply helped with your issue please mark helpful 👍 and correct ✔️ if your issue is resolved.

 

                         By doing so you help other community members find resolved questions which may relate to an issue they're having

 

 

Thanks,

 

Astik