Restrict row level access based on group membership AND task type

Gerald Harris
Kilo Contributor

I just got off the phone with our Director of Information Security, and he wants to get his team into and using ServiceNow . . . which is a good thing.

The problem I'm having is that he is requiring that his team have a ticket "type" that only they can view.

I can write the ACL to restrict access at the row level based on group, but when the restriction is based on group only when the ticket is of a specific type . . . I'm not sure.

Can you think of a better approach to providing the desired security? Or can you provide an example of an ACL that would be able to look at a field value AND group membership?

Any help would be really helpful!

Thank you,


john_roberts
Mega Guru

I try to avoid row-level read rules whenever possible since there are ugly side effects (like hidden row counts in list view). The preferred method would be to try and build the filter logic in a query business rule. You can view the "incident query" business rule as an example. This is also more efficient than ACLs, since it's controlling the database query directly, whereas ACLs are evaluated post-query.
There aren't enough details to give you a sample script, but it seems like it would do the trick. Just handle the group membership cases and, based on that, set a query condition to show or hide records of a certain type.
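The pattern the reply describes, as an added example that is not part of the original thread and not the poster's code: a query business rule body that checks group membership with the platform's `gs.getUser().isMemberOf()` and `hasRole()` calls and, for everyone outside the group, appends a `current.addQuery()` condition that hides records of one type. The field name `u_ticket_type`, the choice value `infosec`, the group name and the sample rows are constructed assumptions; the `FakeUser` and `FakeQuery` stubs stand in for `GlideUser` and the `current` GlideRecord only so the logic can be run and checked outside ServiceNow.

```javascript
// Assumed names (placeholders; replace with the real field, choice value and group).
var RESTRICTED_TYPE_FIELD = 'u_ticket_type';   // assumed custom choice field on task
var RESTRICTED_TYPE_VALUE = 'infosec';         // assumed choice value for the security team's tickets
var RESTRICTED_GROUP = 'Information Security'; // assumed sys_user_group name

// Rule body. In ServiceNow this runs as a business rule on the task table with
// When = "before" and the Query checkbox set; `current` is the GlideRecord being
// queried and `user` is gs.getUser(). Because the condition is added to the
// query itself, non-members never receive the hidden rows, so list counts and
// reports stay consistent (the side effect the reply warns about with read ACLs).
function applyTypeRestriction(current, user) {
    // Admins and group members are unrestricted: add no condition at all.
    if (user.hasRole('admin') || user.isMemberOf(RESTRICTED_GROUP)) {
        return false; // no restriction applied
    }
    // Everyone else: AND "type != infosec" onto whatever filter they asked for.
    current.addQuery(RESTRICTED_TYPE_FIELD, '!=', RESTRICTED_TYPE_VALUE);
    return true; // restriction applied
}

// ---- Constructed stubs, only for running this outside the platform ----------

// Minimal stand-in for GlideUser: roles and group names as arrays.
function FakeUser(roles, groups) {
    this.roles = roles;
    this.groups = groups;
}
FakeUser.prototype.hasRole = function (role) { return this.roles.indexOf(role) !== -1; };
FakeUser.prototype.isMemberOf = function (group) { return this.groups.indexOf(group) !== -1; };

// Minimal stand-in for the `current` GlideRecord in a query rule: records
// addQuery() conditions and applies them to an in-memory row set.
function FakeQuery() {
    this.conditions = [];
}
FakeQuery.prototype.addQuery = function (field, op, value) {
    this.conditions.push({ field: field, op: op, value: value });
};
FakeQuery.prototype.run = function (rows) {
    var conditions = this.conditions;
    return rows.filter(function (row) {
        return conditions.every(function (c) {
            if (c.op === '=') { return row[c.field] === c.value; }
            if (c.op === '!=') { return row[c.field] !== c.value; }
            throw new Error('operator not modelled in stub: ' + c.op);
        });
    });
};

// Constructed sample task rows.
var SAMPLE_ROWS = [
    { number: 'TASK0001', u_ticket_type: 'incident' },
    { number: 'TASK0002', u_ticket_type: 'infosec' },
    { number: 'TASK0003', u_ticket_type: 'request' },
    { number: 'TASK0004', u_ticket_type: 'infosec' }
];

// Returns the task numbers a given user would see after the rule runs.
function visibleNumbers(user) {
    var current = new FakeQuery();
    applyTypeRestriction(current, user);
    return current.run(SAMPLE_ROWS).map(function (row) { return row.number; });
}

// Example usage: a group member sees all four rows, an ordinary ITIL user sees two.
console.log(visibleNumbers(new FakeUser(['itil'], ['Information Security'])));
console.log(visibleNumbers(new FakeUser(['itil'], ['Service Desk'])));
```

The rule adds one condition and otherwise leaves the user's own filter alone, which is what keeps it cheap; the membership check runs once per query rather than once per returned row as a read ACL would.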