Restrict specific RITM/Catalog item record viewing but let Admin and Requested for see RITM

Yep · 3 weeks ago

I have a particular catalog item I want every user to be able to submit but after submission I only want admins and the individual that submitted the request to be able to see the RITM record (including its variables). I tried an ACL and Before Query business rule but I cant find a way to narrow it to just this catalog item and its RITM records where the requested_for = current user.

Brad Bowman · 3 weeks ago

ACLs have an "Admin overrides" box, so you don't need to include this in a script. Your ACL should look like this:

No Roles, Security Attribute Condition, or Data Condition. Your script in the Advanced Condition can be as simple as this:

if (current.cat_item.name == 'My Catalog Item') {
	if (gs.getUserID() == current.opened_by) {
		answer = true;
	} else {
		answer = false;
	}
} else {
	answer = true;
}

An issue you may run into in your instance if this isn't working is that there are other Read ACLs on sc_req_item, -- None -- that are conflicting, so you'll have to inactivate or update those to incorporate this logic.

View solution in original post

Yep · a week ago

I ended up going with a query range business rule to filter out my catalog item from sc_req_item queries whenever the user doesn't have certain roles (ex: admin).

I needed this done quickly and I didn't want to have to redo and then test all the ACL's at for sc_req_item right now. In the future I plan on going with @Brad Bowman 's solution to modify all ACL's to allow for the logic I need (just to clean things up).

Appreciate the help @Its_Azar and @Brad Bowman !

View solution in original post

Yep · 3 weeks ago

I tried that and its logging "oof inside 2" in the system logs. But not working so far

if (current.cat_item == "9d2d96f993eefed484cd7c6badba1088") {

if (current.requested_for == gs.getUserID()) {

gs.info("oof inside 1");

answer = true;

} else {

gs.info("oof inside 2");

answer = false;

}

else{

answer = true;

}

Brad Bowman · 3 weeks ago

ACLs have an "Admin overrides" box, so you don't need to include this in a script. Your ACL should look like this:

No Roles, Security Attribute Condition, or Data Condition. Your script in the Advanced Condition can be as simple as this:

if (current.cat_item.name == 'My Catalog Item') {
	if (gs.getUserID() == current.opened_by) {
		answer = true;
	} else {
		answer = false;
	}
} else {
	answer = true;
}

An issue you may run into in your instance if this isn't working is that there are other Read ACLs on sc_req_item, -- None -- that are conflicting, so you'll have to inactivate or update those to incorporate this logic.

Yep · 3 weeks ago

Say I have several others - each one would require I add this logic into it?

Sorry - I cant tell if that's standard or not for ServiceNow ACL's. Wouldn't everyone just have one large ACL per table with lots of nested logic in it?

Brad Bowman · 3 weeks ago

Yes, you would need to add it on each one, or try to make one with all of the logic. A better approach in this case is to change this new one to the Decision type = Deny Unless, and change the script to the negative like this:

if (current.cat_item.name != 'My Catalog Item') {
	answer = true;
} else if (gs.getUserID() != current.opened_by) {
		answer = false;
} else {
	answer = true;
}

https://www.servicenow.com/docs/r/platform-security/access-control/exploring-access-control-list.htm...

Yep · a week ago

I ended up going with a query range business rule to filter out my catalog item from sc_req_item queries whenever the user doesn't have certain roles (ex: admin).

I needed this done quickly and I didn't want to have to redo and then test all the ACL's at for sc_req_item right now. In the future I plan on going with @Brad Bowman 's solution to modify all ACL's to allow for the logic I need (just to clean things up).

Appreciate the help @Its_Azar and @Brad Bowman !