Can we limit access/view of incident to group members only?

Gerry Crumbley · ‎06-29-2017

How can I limit access and viewing of incidents to only those assignment groups in which the ITIL user is a member of?

We want to stop people in Data Management group from seeing/altering incidents in the Wireless group, etc.

If I am in Assignment Groups: VIP Support; Technical Services; and User Support, then I should only be able to see or have access to incidents in those groups. I should not be able to see incidents in Wireless or Data Management.

Is this possible?

prashantatsastr · ‎07-02-2017

Please let me know if you need more details.

Gerry Crumbley · ‎07-03-2017

Does this mean I will have to do this for EVERY group? Can't I just create one rule that applies to ALL groups so they can only see their own groups incidents?

Isn't that what "is (dynamic)" and "one of my groups" is supposed to do?

Are the TYPE; OPERATION; and NAME fields correct in the snip above?

Chuck Tomasi · ‎07-03-2017

My experience has been that when you try to restrict a group to only see their own records, you cut off the ability for people to help out and collaborate on other issues. My recommendation is allow your "itil" (or other roles) to work together and use filters to provide them with lists of their own work, but don't put permissions in place for allowing them to reassign, find, or comment on records belonging to other groups.

As an example, My Groups Work.

Gerry Crumbley · ‎08-06-2017

First - we have several Users in each group. We just don't need people in "Wireless" to have the ability to change "Data Management" incidents. They don't even need to see them.

It would be nice if everyone worked from "My Groups Work", but inevitably they will click "all" for a search. I would like to limit their access to their groups only.

Goran WitchDoc · ‎08-06-2017

Is dynamically "my groups" means that is checks if the record belongs to a group that you are a member of, just like you wanted it. This means that if you don't belong to the group that is chosen under the "assignment group" you will be denied the access (read/write etc. what you have chosen).

Besides that. I totally agree with ctomasi, I wouldn't recommend to implement this. It does limit the way you people can use the system and collaborate.

For example. Remember that just adding this, will lock ServiceDesk out from looking at the ticket as well, if they aint a member of the group...

And if the reason is that they would click on "all", I would say that this is more a "how do we work in ServiceNow" education thing or even "how do we work with our processes/procedures". And for that I would say don't try to fick process problems with the tool. Many think that just by changing the tool, all the process/management problem will go away, but they don't. And I'm just writing in general here, since I don't know about your specific company.