Restrict specific RITM/Catalog item record viewing but let Admin and Requested for see RITM

Yep
Tera Guru

I have a particular catalog item I want every user to be able to submit, but after submission I only want admins and the individual that submitted the request to be able to see the RITM record (including its variables). I tried an ACL and a Before Query business rule, but I can't find a way to narrow it to just this catalog item and its RITM records where the requested_for = current user.

2 ACCEPTED SOLUTIONS

Brad Bowman
Kilo Patron

ACLs have an "Admin overrides" box, so you don't need to include this in a script. Your ACL should look like this:

BradBowman_0-1769463471220.png

No Roles, Security Attribute Condition, or Data Condition.  Your script in the Advanced Condition can be as simple as this:

// Only the named catalog item is restricted; RITMs for everything else stay readable
if (current.cat_item.name == 'My Catalog Item') {
    // Grant read only to the user who opened the request
    if (gs.getUserID() == current.opened_by) {
        answer = true;
    } else {
        answer = false;
    }
} else {
    answer = true;
}

An issue you may run into in your instance, if this isn't working, is that there are other Read ACLs on sc_req_item (-- None --) that are conflicting, so you'll have to inactivate or update those to incorporate this logic.

Yep
Tera Guru

I ended up going with a query range business rule to filter out my catalog item from sc_req_item queries whenever the user doesn't have certain roles (e.g. admin).

I needed this done quickly and I didn't want to have to redo and then test all the ACLs for sc_req_item right now. In the future I plan on going with @Brad Bowman's solution to modify all ACLs to allow for the logic I need (just to clean things up).

Appreciate the help @Its_Azar and @Brad Bowman!
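The before-query business rule described in that answer, written out as an added example (this is not code from the thread; the names restrictRitmQuery, executeRule and TARGET_CAT_ITEM are assumed, and the catalog item sys_id is a placeholder):

```javascript
// Added example (not from the thread): core of a before-query Business Rule on
// sc_req_item. It hides one catalog item's RITMs from everyone except admins
// and the requested_for user. TARGET_CAT_ITEM is a placeholder sys_id.
var TARGET_CAT_ITEM = 'PLACEHOLDER_CAT_ITEM_SYS_ID';

// Applies the row filter to `current` (the GlideRecord being queried) using the
// `gs` session API. Returns true when a filter was added and false when the
// user is exempt, so the decision can be checked outside an instance.
function restrictRitmQuery(current, gs, catItemSysId) {
  // Exempt roles see every RITM: add nothing to their query.
  if (gs.hasRole('admin')) {
    return false;
  }
  // addQuery + addOrCondition keeps both terms in one explicit group:
  //   (cat_item != target OR requested_for = me)
  // which is ANDed onto whatever list filter or script query the caller built.
  var qc = current.addQuery('cat_item', '!=', catItemSysId);
  qc.addOrCondition('requested_for', gs.getUserID());
  return true;
}

// Script field of the Business Rule (Table: sc_req_item, When: before,
// Query: checked). Inside the instance `current` and `gs` are globals.
function executeRule(current, previous /* null when async */) {
  restrictRitmQuery(current, gs, TARGET_CAT_ITEM);
}
```

A query rule is a row filter layered over the ACLs, not a replacement for them: the Read ACLs on sc_req_item still decide access, and this filter also applies to scripts and integrations running as that user.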

9 REPLIES

Its_Azar
Kilo Sage

Hi there @Yep

The Query BR runs before the ACL. I suggest using an ACL for this use case: a record-level Read ACL on sc_req_item, scoped to the specific catalog item (for this, just get the sys_id of that cat item).

In the ACL script, allow access only if the user is admin or the requested_for, and only when current.cat_item matches the target catalog item sys_id.

Read ACL on sc_req_item

(function () {
  // sys_id of the catalog item to protect (placeholder; replace with yours)
  var TARGET_CAT_ITEM = 'abc123abc123abc123abc123abc123ab';

  // Admins always see the record
  if (gs.hasRole('admin')) {
    return true;
  }
  // RITMs for any other catalog item are not restricted by this rule
  if (current.cat_item != TARGET_CAT_ITEM) {
    return true;
  }
  // For the protected item, only the requested_for user may read it
  if (current.requested_for == gs.getUserID()) {
    return true;
  }

  return false;
})();

After this the user can see the RITM, but if the variables are hidden, add this Read ACL on sc_item_option_mtom:

(function () {
  // Admins always see the variable row
  if (gs.hasRole('admin')) {
    return true;
  }
  // sc_item_option_mtom references the RITM through request_item;
  // dot-walk to the RITM's requested_for
  if (current.request_item.requested_for == gs.getUserID()) {
    return true;
  }

  return false;
})();

☑️ If this helped, please mark it as Helpful or Accept Solution so others can find the answer too.

Kind Regards,
Azar
ServiceNow Rising Star
Developer @ KPMG.

I think I'm missing something because this is not working for me so far. Any ideas? I removed admin override and the admin role for easier testing. I'll add those back if I can get this working.

Yep_0-1769462926356.png

I could be wrong about using "Data Condition" and "Applies To" instead of checking in the script.

Hi @Yep

Can you remove Data Condition and Applies To entirely and put all the logic in the Advanced Script? ACL scripts already run per record and have access to current, so you can safely check cat_item and requested_for there.

Just put the sys_id of that cat item in the script, and handle it there.