Restrict specific RITM/Catalog item record viewing but let Admin and Requested for see RITM
yesterday
I have a particular catalog item I want every user to be able to submit, but after submission I only want admins and the individual that submitted the request to be able to see the RITM record (including its variables). I tried an ACL and Before Query business rule but I can't find a way to narrow it to just this catalog item and its RITM records where the requested_for = current user.
yesterday
I tried that and it's logging "oof inside 2" in the system logs. But not working so far.
yesterday
ACLs have an "Admin overrides" box, so you don't need to include this in a script. Your ACL should look like this:
No Roles, Security Attribute Condition, or Data Condition. Your script in the Advanced Condition can be as simple as this:
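    // Read ACL on sc_req_item: restrict only RITMs of this one catalog item
    if (current.cat_item.name == 'My Catalog Item') {
        // Only the user who opened the request passes
        if (gs.getUserID() == current.opened_by) {
            answer = true;
        } else {
            answer = false;
        }
    } else {
        // RITMs of every other catalog item are not affected by this ACL
        answer = true;
    }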
An issue you may run into in your instance if this isn't working is that there are other Read ACLs on sc_req_item, -- None -- that are conflicting, so you'll have to inactivate or update those to incorporate this logic.
yesterday
Say I have several others - each one would require I add this logic into it?
Sorry - I can't tell if that's standard or not for ServiceNow ACLs. Wouldn't everyone just have one large ACL per table with lots of nested logic in it?
yesterday
Yes, you would need to add it on each one, or try to make one with all of the logic. A better approach in this case is to change this new one to the Decision type = Deny Unless, and change the script to the negative like this:
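    // Deny Unless ACL on sc_req_item: script written in the negative
    if (current.cat_item.name != 'My Catalog Item') {
        // Not the restricted item: this ACL does not deny
        answer = true;
    } else if (gs.getUserID() != current.opened_by) {
        // Restricted item and the user did not open it: deny
        answer = false;
    } else {
        // Restricted item and the user opened it: do not deny
        answer = true;
    }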
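
The difference between the two replies above, as an added example that is not from the thread or from ServiceNow: a small offline JavaScript model showing why the same check loses to another permissive read ACL as Allow If but holds as Deny Unless. The evaluation rule in `canRead`, the mock `current` and `gs` objects, and the sample users and RITMs are assumptions constructed for illustration.

```javascript
// Added example: offline model, not ServiceNow platform code.
const RESTRICTED_ITEM = 'My Catalog Item'; // item name used in the thread

// Decision logic shared by both scripts in the thread. `current` and `gs`
// are plain-object stand-ins for the platform objects.
function restrictionScript(current, gs) {
  if (current.cat_item.name != RESTRICTED_ITEM) return true; // other items untouched
  return gs.getUserID() == current.opened_by;                // opener only
}

// Assumed, simplified evaluation: every Deny Unless ACL must pass AND at
// least one Allow If ACL must pass; "Admin overrides" lets an admin pass.
function canRead(acls, current, user) {
  const gs = { getUserID: () => user.sys_id };
  const passes = (acl) => (acl.adminOverrides && user.isAdmin) || acl.script(current, gs);
  const denyOk = acls.filter((a) => a.type === 'deny_unless').every(passes);
  const allowOk = acls.filter((a) => a.type === 'allow_if').some(passes);
  return denyOk && allowOk;
}

// Constructed sample data: one existing permissive read ACL, two RITMs, three users.
const existingAcl = { type: 'allow_if', adminOverrides: true, script: () => true };
const ritms = {
  restricted: { cat_item: { name: RESTRICTED_ITEM }, opened_by: 'u1' },
  unrelated: { cat_item: { name: 'Laptop' }, opened_by: 'u1' },
};
const users = {
  opener: { sys_id: 'u1', isAdmin: false },
  colleague: { sys_id: 'u2', isAdmin: false },
  admin: { sys_id: 'u3', isAdmin: true },
};

// Who can read what when the new ACL is added with the given decision type.
function decisionMatrix(newAclType) {
  const acls = [existingAcl, { type: newAclType, adminOverrides: true, script: restrictionScript }];
  const matrix = {};
  for (const [who, user] of Object.entries(users)) {
    matrix[who] = {};
    for (const [which, ritm] of Object.entries(ritms)) {
      matrix[who][which] = canRead(acls, ritm, user);
    }
  }
  return matrix;
}

console.log('allow_if   ', decisionMatrix('allow_if'));
console.log('deny_unless', decisionMatrix('deny_unless'));
```

In this model the colleague can still read the restricted RITM when the new ACL is Allow If, because the existing ACL grants access on its own; switching the decision type to Deny Unless closes that path without editing the other ACLs.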
