What is the minimum role to see incidents of the assigned group?
01-24-2025 04:40 AM
What role should I give the user so that they have minimum access, i.e. only to assigned requests and incidents for the group they belong to?
The snc_internal role allows you to view only assigned incidents and requests per user.
I need a solution that gives access only to things assigned to the user's group
01-26-2025 11:26 PM
I did as you wrote, but now the user can't see anything at all.
Steps I did.
1. I created a test group 'Test Group'
2. I assigned the test user 'Abraham Lincoln' to it
3. I created a new role 'group_incident_access' and assigned it to the group 'Test Group' to which Abraham Lincoln belongs
4. I created an ACL on the incident read table and added a new role and the script you wrote.
5. In the incidents table I changed a few records to the assignment group 'Test Group'
6. I impersonated Abraham Lincoln and no incidents are visible.
What did I do wrong?
01-28-2025 02:47 AM
You've followed the correct steps, but there are a few things to check that might be causing the issue:
1. Verify the ACL condition. The script in your ACL should be checking current.assignment_group.sys_id properly.
2. Check role inheritance. Since you assigned the group_incident_access role to the group and not directly to the user, ensure that the role inheritance is working. Try temporarily assigning the role directly to Abraham Lincoln and see if it makes a difference.
3. Ensure the ACL applies correctly. Open the Incident table ACLs and confirm there's no conflicting rule denying access. Use the Security Debug - Debug ACLs feature to check which ACLs are evaluated when Abraham Lincoln tries to view incidents. If another ACL is blocking access, you may need to adjust it.
4. Test with a simpler ACL first. Before using the script, try an ACL with just current.assignment_group == gs.getUser().getMyGroups() as a condition (without scripting). If that works, the issue might be in the script logic.
Try these steps and let me know if it helped.
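The following is an added example, not code from the thread or from ServiceNow itself. It shows a record-level read ACL script for the incident table that passes only when the incident's assignment_group is one of the logged-in user's groups, and it models the order in which ServiceNow evaluates an ACL (required roles first, then the script), which is why a role that fails to reach the user through group inheritance makes the script irrelevant. The ServiceNow calls used in the ACL body, gs.getUser().isMemberOf(), gs.getUser().getMyGroups(), gs.hasRole() and current.getValue(), are real; the small `makeRecord`/`makeGs` objects, the role name group_incident_access, the incident numbers and the group sys_ids are constructed stand-ins so the logic can run offline under Node.

```javascript
'use strict';

// ACL script body. In the ACL "Script" field this is one line:
//   answer = gs.getUser().isMemberOf(current.getValue('assignment_group'));
// It is written here as a function of the two ServiceNow globals so the same
// logic can be exercised without an instance.
function incidentReadAcl(current, gs) {
  const groupSysId = current.getValue('assignment_group');
  // An unassigned incident has no group to match: deny instead of letting it
  // fall through to a truthy value.
  if (!groupSysId) {
    return false;
  }
  // isMemberOf accepts a group sys_id (or name) and checks the current user.
  return gs.getUser().isMemberOf(groupSysId);
}

// ServiceNow checks the ACL's required roles before its script; a user who
// lacks the role never reaches the script. Modelled here for the demo.
function evaluateAcl(acl, current, gs) {
  const hasRole = acl.roles.length === 0 || acl.roles.some((r) => gs.hasRole(r));
  if (!hasRole) {
    return false;
  }
  return acl.script(current, gs);
}

// --- Constructed stand-ins for `current` and `gs` (not ServiceNow code) ---

function makeRecord(fields) {
  return {
    getValue: (name) => (fields[name] == null ? '' : String(fields[name])),
  };
}

// groupRoles maps group sys_id -> roles granted through that group, so the
// mock reproduces role inheritance from group membership.
function makeGs({ groups, directRoles = [], groupRoles = {} }) {
  const groupSet = new Set(groups);
  const roles = new Set(directRoles);
  for (const g of groups) {
    for (const r of groupRoles[g] || []) {
      roles.add(r);
    }
  }
  return {
    hasRole: (role) => roles.has(role),
    getUser: () => ({
      getMyGroups: () => Array.from(groupSet),
      isMemberOf: (groupSysId) => groupSet.has(groupSysId),
    }),
  };
}

// Constructed sample data: hypothetical 32-character sys_ids and incident numbers.
const TEST_GROUP = 'a1b2c3d4e5f60718293a4b5c6d7e8f90';
const OTHER_GROUP = '0f9e8d7c6b5a49382716f5e4d3c2b1a0';
const ROLE = 'group_incident_access';

const readAcl = { roles: [ROLE], script: incidentReadAcl };

function demo() {
  // Role reaches the user only through Test Group membership.
  const lincoln = makeGs({ groups: [TEST_GROUP], groupRoles: { [TEST_GROUP]: [ROLE] } });
  // Same group membership, but the role was never granted to the group.
  const noRole = makeGs({ groups: [TEST_GROUP] });

  const own = makeRecord({ number: 'INC0010001', assignment_group: TEST_GROUP });
  const other = makeRecord({ number: 'INC0010002', assignment_group: OTHER_GROUP });
  const unassigned = makeRecord({ number: 'INC0010003', assignment_group: '' });

  return {
    ownGroup: evaluateAcl(readAcl, own, lincoln),
    otherGroup: evaluateAcl(readAcl, other, lincoln),
    unassigned: evaluateAcl(readAcl, unassigned, lincoln),
    ownGroupWithoutRole: evaluateAcl(readAcl, own, noRole),
  };
}

console.log(demo());
```

If the list stays empty while impersonating, the `ownGroupWithoutRole` case is the one to suspect first: confirm in Security Debug that the ACL's role check passes before looking at the script.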