Restrict itil users to view Incidents assigned to HR groups

Viraj Sapte
Tera Expert

Hi,

I have a requirement where I need to restrict visibility to itil users, of Incidents assigned to HR groups.

I believe this can be achieved by ACL and Query BR. Can anyone help me achieve this?

5 REPLIES

Astik Thombare
Tera Sage

Hi @Viraj Sapte,

In ServiceNow, restricting visibility of Incidents assigned to HR groups for ITIL users can indeed be achieved using Access Control Lists (ACLs) and Query Business Rules. Here’s a step-by-step guide to accomplish this:

Step 1: Create an ACL

Navigate to System Security > Access Control (ACL).

Create a new ACL:

Table: incident
Type: record
Operation: read

Set the condition to restrict access:

Condition: assigned_to is in HR Groups or assignment_group is in HR Groups.

Set the Script to check user roles:

In the Advanced tab, use a script to ensure ITIL users are restricted:

// Get the assignment group of the incident
var assignmentGroup = current.assignment_group;

// Check if the user is an ITIL user and the assignment group is HR
if (gs.hasRole('itil') && assignmentGroup.name == 'HR') {
    answer = false;
} else {
    answer = true;
}

Step 2: Create a Query Business Rule

Navigate to System Definition > Business Rules.

Create a new Business Rule:

Name: Restrict ITIL Visibility to HR Incidents
Table: incident
Advanced: true
When: before query
Condition: current.assignment_group is HR Groups.

Script: Use the following script to filter out incidents for ITIL users:

if (gs.hasRole('itil')) {
    // Add a query to restrict incidents assigned to HR groups
    var hrGroups = ['HR Group 1', 'HR Group 2']; // replace with actual HR group names
    // assignment_group is a reference field (stores sys_ids), so match on the group's name by dot-walking
    current.addQuery('assignment_group.name', 'NOT IN', hrGroups);
}

If my reply helped with your issue please mark helpful 👍 and correct ✔️ if your issue is resolved.

By doing so you help other community members find resolved questions which may relate to an issue they're having

Thanks,

Astik

Astik Thombare
Tera Sage

Hi @Viraj Sapte,

Please ignore my previous reply.

We can do it both ways: using a Before Query Business Rule and also using an ACL.

Here is an example of how to achieve it using a Before Query Business Rule.

Create Before Business Rule -

Name: Restrict ITIL Visibility to HR Incident

When: Before Query


 

Script -

(function executeRule(current, previous /*null when async*/ ) {
    if (gs.hasRole('itil')) {
        // Exclude incidents whose assignment group is named HR; include any group as per your requirement
        current.addEncodedQuery('assignment_group.name!=HR');
    }
})(current, previous);

I checked it in my PDI and it is working fine.

 


 

 

Thanks,

Astik

 

 

Hi @Astik Thombare,

Thank you for your inputs. I was trying to achieve it by assigning type as 'human_resource' to the groups as there will be multiple groups. Could you please help me with this?


 



Hi @Viraj Sapte,

Please update the code in the before BR as below:

 

 

(function executeRule(current, previous /*null when async*/) {
    // Initialize a GlideRecord object for the 'sys_user_group_type' table
    var groupTypeGr = new GlideRecord('sys_user_group_type');
    
    // Add a query to find the group type with the name 'human_resources'
    groupTypeGr.addQuery('name', 'human_resources');
    groupTypeGr.query();
 
    // Check if the query returns any records
    if (groupTypeGr.next()) {
        // Get the sys_id of the 'human_resources' group type
        var humanResourcesTypeSysId = groupTypeGr.sys_id.toString();
        
        // Check if the current user has the 'itil' role
        if (gs.hasRole('itil')) {
            // Initialize a GlideRecord object for the 'sys_user_group' table
            var groupGr = new GlideRecord('sys_user_group');
            
            // Add a query to find groups with the type 'human_resources'
            groupGr.addQuery('type', 'CONTAINS', humanResourcesTypeSysId);
            groupGr.query();
 
            // Collect the sys_ids of these groups
            var groupIds = [];
            while (groupGr.next()) {
                groupIds.push(groupGr.sys_id.toString());
            }
            
            // If there are any groups of type 'human_resources'
            if (groupIds.length > 0) {
                // Add a query to exclude incidents assigned to these groups
                current.addQuery('assignment_group', 'NOT IN', groupIds);
            }
        }
    }
})(current, previous);

 

 

 

I have tested it in PDI and it is working as expected.

 


 

 

Thanks,

 

Astik
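
A variant of the before-query rule from the last reply, added here as an example and not code from the thread or from ServiceNow. It assumes admins (for whom gs.hasRole('itil') also returns true) and itil users who are themselves members of an HR-typed group should keep seeing those incidents. The names restrictHrIncidents and HR_TYPE_NAME are hypothetical, and gs and GlideRecord are passed in as parameters so the logic can be exercised outside an instance.

```javascript
// Added example, not the thread author's code.
// HR_TYPE_NAME is the group type name used in the thread's script.
var HR_TYPE_NAME = 'human_resources';

// Assumption: gs and GlideRecord are injected so the function is testable off-instance.
function restrictHrIncidents(current, gs, GlideRecord) {
    // gs.hasRole() also returns true for admin, so exempt admins explicitly.
    if (!gs.hasRole('itil') || gs.hasRole('admin')) {
        return null; // rule does not apply to this session
    }

    // Resolve the group type record by name.
    var typeGr = new GlideRecord('sys_user_group_type');
    if (!typeGr.get('name', HR_TYPE_NAME)) {
        return null; // group type not defined: nothing to hide
    }

    // Groups the current user belongs to; incidents for these stay visible.
    var mine = {};
    var memberGr = new GlideRecord('sys_user_grmember');
    memberGr.addQuery('user', gs.getUserID());
    memberGr.query();
    while (memberGr.next()) {
        mine[memberGr.getValue('group')] = true;
    }

    // HR-typed groups the user is not a member of.
    var hidden = [];
    var groupGr = new GlideRecord('sys_user_group');
    groupGr.addQuery('type', 'CONTAINS', typeGr.getUniqueValue());
    groupGr.query();
    while (groupGr.next()) {
        var id = groupGr.getUniqueValue();
        if (!mine[id]) {
            hidden.push(id);
        }
    }

    // Filter the incident query only when there is something to exclude.
    if (hidden.length > 0) {
        current.addQuery('assignment_group', 'NOT IN', hidden.join(','));
    }
    return hidden;
}
```

In the business rule, call restrictHrIncidents(current, gs, GlideRecord) from inside executeRule. Server-side scripts that call setWorkflow(false) skip before-query rules, so pair the rule with a read ACL on incident, as the first reply suggests.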