Restrict Standard change templates under preapproved tab of change models for a particular group

pradnyajamgaonk · 3 weeks ago

Hi All,

We have a requirement to restrict access for a particular group to preapproved standard change templates in change models.

I have tried 'Available for' related list approach but it's not working as expected.

Can you please suggest feasibility to achieve this with Business rule/Client script to hide at front end.

Scripts suggestions would be helpful.

Thanks.

Regards,

Pradnya

Vishal Jaswal · 3 weeks ago

Hello @pradnyajamgaonk

I doubt that this is even possible via User Criteria or possible at all. I believe all models whose "Available in 'Create New'" is set to true will always display when click Create New under Change Request.

Please verify the same with ServiceNow via HI Case.

If ServiceNow says it is possible then please do share here - else, you need to create a script include to check the logged in user's group membership and then write client script to make all change requests fields read only and hide save and submit button and display alert message for restricted users something like below:

Script Include:

var grpSysID = gs.getProperty('group.abc'); //sys_id = 2073c524935c4b503161f24cdd03d681

var CheckuserGroup = Class.create();
CheckuserGroup.prototype = Object.extendsObject(AbstractAjaxProcessor, {
    getgroup: function() {
        var usersysid = this.getParameter('sysparm_name_sysid');//getting usersysid from client
        var grMem = new GlideRecord("sys_user_grmember");
        grMem.addQuery('user', usersysid); 
        grMem.addQuery('group', grpSysID);		
        grMem.query();
        if (grMem.next()) {
            return true;
        } else {
            return false;
        }
    },
    type: 'CheckuserGroup'
});

Client Script (DOM Manipulation) with Isolate Script unchecked as below:

function onLoad() {

    var sysid = g_user.userID; //get current user sysid
    var ga = new GlideAjax('global.CheckuserGroup'); //script include name
    ga.addParam('sysparm_name', 'getgroup'); //function name
    ga.addParam('sysparm_name_sysid', sysid); //passing logged in user's sysid to script include
    ga.getXMLAnswer(getGroup);

    function getGroup(response) {
        if (response == 'true' && g_form.getDisplayValue('chg_model') === 'Standard') {
            alert('You are not allowed to create Pre-approved Standard Change Request!');

            // Hide Save and Submit UI Actions (buttons) --> Reference: https://stackoverflow.com/questions/43452670/hide-save-button-on-asset-form

            var items = $$('BUTTON').each(function(item) {
                if (item.innerHTML.indexOf('Submit') > -1) {
                    item.hide();
                }
            });

            var items1 = $$('BUTTON').each(function(item) {
                if (item.innerHTML.indexOf('Save') > -1) {
                    item.hide();
                }
            });

            // Make all editable fields read-only
            var fields = g_form.getEditableFields();
            for (var x = 0; x < fields.length; x++) {
                g_form.setReadOnly(fields[x], true);
            }
        } 
    }
}

Hope that helps!

pradnyajamgaonk · 2 weeks ago

Hello @Vishal Jaswal

Thanks for the reply.

To be specific we have number of templates under 'Preapproved' tab as shown below, and we need to restrict each template based on specific groups. Templates should be visible and accessible based on access group criteria or at least with business rule a message can be shown that user cannot create a change with that particular template.

Can we update above script include to achieve this?

Regards,

Pradnya

Vishal Jaswal · 2 weeks ago

Hello @pradnyajamgaonk

You need to write a script include to return the groups of logged in User as well as allowed templates for that group.
Then you need to update the UI Page "landing" HTML to receive the result from Script Include and Update Client script accordingly.

Hope that helps!