Restrict specific RITM/Catalog item record viewing but let Admin and Requested for see RITM

Yep
Tera Expert

I have a particular catalog item I want every user to be able to submit, but after submission I only want admins and the individual that submitted the request to be able to see the RITM record (including its variables). I tried an ACL and a Before Query business rule, but I can't find a way to narrow it to just this catalog item and its RITM records where the requested_for = current user.


Its_Azar
Kilo Sage

Hi there @Yep 


The Query BR runs before the ACL. I suggest using an ACL for this use case: a record-level Read ACL on sc_req_item, scoped to the specific catalog item (for this, just get the sys_id of that cat item).

In the ACL script, allow access only if the user is admin or requested_for, and only when current.cat_item matches the target catalog item sys_id.

Read ACL on sc_req_item

(function () {
  // sys_id of the catalog item to restrict (placeholder value; replace with your own)
  var TARGET_CAT_ITEM = 'abc123abc123abc123abc123abc123ab';

  // Admins can always read the record
  if (gs.hasRole('admin')) {
    return true;
  }
  // Any other catalog item is not restricted by this rule
  if (current.getValue('cat_item') != TARGET_CAT_ITEM) {
    return true;
  }
  // Target item: only the person it was requested for may read it
  if (current.getValue('requested_for') == gs.getUserID()) {
    return true;
  }
  return false;
})();


After this the user can see the RITM, but if the variables are hidden, add this ACL on sc_item_option_mtom:


(function () {
  // Admins can always read the variable row
  if (gs.hasRole('admin')) {
    return true;
  }
  // Dot-walk to the parent RITM and compare its requested_for with the logged-in user
  if (current.requested_item.requested_for.toString() == gs.getUserID()) {
    return true;
  }
  return false;
})();


☑️ If this helped, please mark it as Helpful or Accept Solution so others can find the answer too.

Kind Regards,
Azar
ServiceNow Rising Star
Developer @ KPMG.
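As an added offline check (this is not code from the thread or from ServiceNow), the decision logic of both ACL scripts modelled as plain functions with gs and the records stubbed, run over the user/record cases a tester would walk through on the instance. The user ids and the second catalog item sys_id are constructed.

```javascript
// Node model of the two ACL scripts in the reply, with gs/current stubbed;
// on an instance the platform supplies those objects. All sys_ids are constructed.
const TARGET_CAT_ITEM = 'abc123abc123abc123abc123abc123ab'; // placeholder from the reply

// Stand-in for the parts of GlideSystem the scripts call.
function makeGs(userId, roles) {
  return {
    getUserID: () => userId,
    hasRole: (role) => roles.includes(role),
  };
}

// Read ACL on sc_req_item: admin reads everything, other catalog items are
// left to the existing ACLs, and the target item is readable by its requester only.
function ritmReadAllowed(gs, ritm) {
  if (gs.hasRole('admin')) return true;
  if (ritm.cat_item !== TARGET_CAT_ITEM) return true;
  return ritm.requested_for === gs.getUserID();
}

// Read ACL on sc_item_option_mtom: dot-walks to the parent RITM's requested_for.
// Note that, as posted, it has no cat_item check, so it applies to every RITM's variables.
function variableReadAllowed(gs, mtom) {
  if (gs.hasRole('admin')) return true;
  return mtom.requested_item.requested_for === gs.getUserID();
}

// The case matrix a tester would walk through by impersonating users on the instance.
function verdicts() {
  const targetRitm = { cat_item: TARGET_CAT_ITEM, requested_for: 'user-alice' };
  const otherRitm = { cat_item: 'other-cat-item-sys-id', requested_for: 'user-alice' };
  const admin = makeGs('user-admin', ['admin']);
  const alice = makeGs('user-alice', ['itil']);
  const bob = makeGs('user-bob', ['itil']);
  return {
    adminSeesTarget: ritmReadAllowed(admin, targetRitm),
    requesterSeesTarget: ritmReadAllowed(alice, targetRitm),
    otherUserSeesTarget: ritmReadAllowed(bob, targetRitm),
    otherUserSeesOtherItem: ritmReadAllowed(bob, otherRitm),
    requesterSeesTargetVars: variableReadAllowed(alice, { requested_item: targetRitm }),
    otherUserSeesTargetVars: variableReadAllowed(bob, { requested_item: targetRitm }),
    otherUserSeesOtherItemVars: variableReadAllowed(bob, { requested_item: otherRitm }),
  };
}

console.log(verdicts());
```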

I think I'm missing something because this is not working for me so far. Any ideas? I removed admin override and the admin role for easier testing. I'll add those back if I can get this working.


[screenshot of the ACL configuration attached]


Yep
Tera Expert

I could be wrong about using "Data Condition" and "Applies To" instead of checking in the script.

Hi @Yep 


Can you remove Data Condition and Applies To entirely and put all the logic in the Advanced Script? ACL scripts already run per record and have access to current, so you can safely check cat_item and requested_for there.

Just put in the sys_id of that cat item and handle it in the script.


☑️ If this helped, please mark it as Helpful or Accept Solution so others can find the answer too.

Kind Regards,
Azar
ServiceNow Rising Star
Developer @ KPMG.