Hide Records based on Ownership
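// ACL read check: decides whether the current user may see this Control record.
// The answer depends on the user's highest GRC "line of defense" (derived from the
// u_grc_type of the groups the user belongs to), on membership of the owning group,
// and - for first-line users - on ownership of the record's Entity (current.profile).
var owner_group = this.isOwningGroup(current);
var userID = gs.getUserID();
// Highest line of defense granted by any of the user's groups:
// 0 = none, 1 = first line, 2 = second line, 3 = third line (audit).
var hLOD = 0;
var entityOwner = current.profile.owned_by + '';
var lod = current.u_line_of_defense + '';

// NOTE(review): a record with no line-of-defense value is readable by everyone
// (fail-open); return false here if such records are meant to be restricted.
if (!current.u_line_of_defense) {
    return true;
}

var groupMem = new GlideRecord("sys_user_grmember");
groupMem.addQuery("user", userID);
groupMem.query();
while (groupMem.next()) {
    var grcType = (groupMem.group.u_grc_type + '').toLocaleLowerCase();
    // Trim each entry so a list such as "risk, audit" still yields an exact "audit" token.
    var grcTypeArr = grcType.split(',').map(function (t) { return t.trim(); });
    if (grcType.includes('com')) {
        // NOTE(review): 'com' is also a substring of 'compliance', so a group typed
        // "compliance" is classified as first line here and never reaches the
        // compliance branch below - confirm the intended token.
        hLOD = Math.max(hLOD, 1);
    } else if (grcType.includes('audit')) {
        // An exact "audit" entry is third line; a type that merely contains
        // "audit" counts as second line.
        hLOD = Math.max(hLOD, grcTypeArr.indexOf("audit") != -1 ? 3 : 2);
    } else if (grcType.includes('compliance')) {
        hLOD = Math.max(hLOD, 2);
    }
}

// Third line reads every record that carries a line-of-defense value.
if (hLOD === 3 && ["1lod", "2lod", "3lod"].indexOf(lod) !== -1) {
    return true;
}
// Second line, or a member of the owning group, reads first- and second-line records.
// NOTE(review): owning-group membership grants this regardless of hLOD, so a
// first-line user who is in the owning group also passes here - confirm that is intended.
if ((hLOD === 2 || owner_group) && ["1lod", "2lod"].indexOf(lod) !== -1) {
    return true;
}
// First line reads only records whose Entity the user owns.
if (hLOD === 1 && entityOwner === userID) {
    gs.info("Entity Owner: " + entityOwner);
    return true;
}
return false;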
}
Hi Everyone,
I need some help with restricting Control record access for first line of defense users in ServiceNow GRC.
In the Control table we have an Entity reference field, profile, which points to the Entity table [sn_grc_profile]. Each Entity has an owner field.
My requirement is that first line of defense users should only be able to see Control records where the Entity owner is the logged-in user. If the logged-in user is the owner of that entity, they should see those Control records. Otherwise they should not be able to see the other records.
Currently, when I impersonate a first line of defense user, they are able to see all Control records, which should not happen.
I tried implementing this logic in a Script Include used by an ACL, where I check whether the logged-in user is the Entity owner, but it is still not restricting the records correctly.
Has anyone implemented a similar restriction based on entity ownership? Any suggestions on how this can be handled properly using ACL or another approach would be really helpful.
Sharing my current code below for reference:
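// ACL read check: decides whether the current user may see this Control record.
// The answer depends on the user's highest GRC "line of defense" (derived from the
// u_grc_type of the groups the user belongs to), on membership of the owning group,
// and - for first-line users - on ownership of the record's Entity (current.profile).
var owner_group = this.isOwningGroup(current);
var userID = gs.getUserID();
// Highest line of defense granted by any of the user's groups:
// 0 = none, 1 = first line, 2 = second line, 3 = third line (audit).
var hLOD = 0;
var entityOwner = current.profile.owned_by + '';
var lod = current.u_line_of_defense + '';

// NOTE(review): a record with no line-of-defense value is readable by everyone
// (fail-open); return false here if such records are meant to be restricted.
if (!current.u_line_of_defense) {
    return true;
}

var groupMem = new GlideRecord("sys_user_grmember");
groupMem.addQuery("user", userID);
groupMem.query();
while (groupMem.next()) {
    var grcType = (groupMem.group.u_grc_type + '').toLocaleLowerCase();
    // Trim each entry so a list such as "risk, audit" still yields an exact "audit" token.
    var grcTypeArr = grcType.split(',').map(function (t) { return t.trim(); });
    if (grcType.includes('complain')) {
        // NOTE(review): matched as a substring; confirm 'complain' is the intended
        // first-line marker for u_grc_type.
        hLOD = Math.max(hLOD, 1);
    } else if (grcType.includes('audit')) {
        // An exact "audit" entry is third line; a type that merely contains
        // "audit" counts as second line.
        hLOD = Math.max(hLOD, grcTypeArr.indexOf("audit") != -1 ? 3 : 2);
    } else if (grcType.includes('grc') ||
        grcType.includes('compliance') ||
        grcType.includes('risk_management')) {
        hLOD = Math.max(hLOD, 2);
    }
}

// Third line reads every record that carries a line-of-defense value.
if (hLOD === 3 && ["1lod", "2lod", "3lod"].indexOf(lod) !== -1) {
    return true;
}
// Second line, or a member of the owning group, reads first- and second-line records.
// NOTE(review): owning-group membership grants this regardless of hLOD, so a
// first-line user who is in the owning group also passes here - confirm that is intended.
if ((hLOD === 2 || owner_group) && ["1lod", "2lod"].indexOf(lod) !== -1) {
    return true;
}
// First line reads only records whose Entity the user owns.
if (hLOD === 1 && entityOwner === userID) {
    gs.info("Entity Owner: " + entityOwner);
    return true;
}
return false;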
Thanks in advance for your help!
