VTB - Assignee cannot access their task unless a member of board

J_ Greene · ‎08-20-2020

I've created a freeform VTB and assigned a task to a user; however, I don't want that user to be a member of the board (just a task assignee). The user gets the notification that they have been assigned a task, however, they cannot access that task.

As an example, when they go to 'My Work' they do not see the assigned task until they are made a VTB member.

Seems counter intuitive that VTBTaskSecurity would restrict access to a task for an Assignee unless they had permission to the Card (which requires board membership)

This doesn't appear to be expected behavior.

Thoughts on best approach?

J_ Greene · ‎08-24-2020

Close - this was my initial approach, however, it doesn't satisfy the requirement fully. While the task is available on the 'My Work' list, the details of the task(s) are not accessible.

The following resolve the issue:

ACL = vtb_task (read)

answer = VTBTaskSecurity.canRead(current.sys_id)||current.assigned_to == gs.getUserID();

ACL = vtb_task (write)

answer = VTBTaskSecurity.canWrite(current.sys_id)||current.assigned_to == gs.getUserID();

ACL = vtb_task.* (read)

answer = VTBTaskSecurity.canRead(current.sys_id)||current.assigned_to == gs.getUserID();

ACL = vtb_task.* (write)

answer = VTBTaskSecurity.canWrite(current.sys_id)||current.assigned_to == gs.getUserID();

View solution in original post

Willem · ‎08-20-2020

If you add them to the board, no customization is needed. If that is not an option customizing the ACL can be done by changing the script:

answer = VTBTaskSecurity.canRead(current.sys_id)

To:

answer = VTBTaskSecurity.canRead(current.sys_id)||current.assigned_to == gs.getUserID();

That way you do not have to customize the complete ACL and impact is minimized.

Ashley Snyder1 · ‎08-20-2020

Agreed on the second point for the ACL assigned_to checking. I've been wary of customizing anything ServiceNow has made into Script Includes for permission checking as they can be convoluted and change with upgrades (think On Call or Knowledge Versioning) so if the change can be made outside of those, less headaches will be had in the future.

J_ Greene · ‎08-24-2020

Close - this was my initial approach, however, it doesn't satisfy the requirement fully. While the task is available on the 'My Work' list, the details of the task(s) are not accessible.

The following resolve the issue:

ACL = vtb_task (read)

answer = VTBTaskSecurity.canRead(current.sys_id)||current.assigned_to == gs.getUserID();

ACL = vtb_task (write)

answer = VTBTaskSecurity.canWrite(current.sys_id)||current.assigned_to == gs.getUserID();

ACL = vtb_task.* (read)

answer = VTBTaskSecurity.canRead(current.sys_id)||current.assigned_to == gs.getUserID();

ACL = vtb_task.* (write)

answer = VTBTaskSecurity.canWrite(current.sys_id)||current.assigned_to == gs.getUserID();

Willem · ‎08-24-2020

There are also the same kind of ACL's on vtb_card:

vtb_card (read)

yourinstande.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=ce494653eb2311001c13abf11206fea2

vtb_card (write)

yourinstance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=b0594653eb2311001c13abf11206fea5

vtb_card.* (read)

yourinstance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=4f490293eb2311001c13abf11206fe74

vtb_card.* (write)

yourinstance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=dd694293eb2311001c13abf11206fe22

Can you see if updating those gets us there?

Gunashekar · ‎06-08-2023

Hi @Willem

If i want this to be applicable to a group of users how can i achieve it.

I tried below but it is not working.

answer = VTBTaskSecurity.canRead(current.sys_id)||current.assigned_to == gs.getUserID()||gs.getUser().isMemberOf(current.assignment_group.getDisplayValue());