ACL not working with condition builder

jamhoe
Tera Expert

Hi All,

I am creating an ACL to restrict a user with a custom role to access and update Incident records.

I have tried to create a Read ACL rule with the following configurations:

However, when I impersonate a user with the 'bu_itil' role, those 3 records do not display on the incident list.

I have also tried to script the condition but it is not evaluated when I checked it on the debug logs.

Maybe you guys can help me out on this. TIA.

1 ACCEPTED SOLUTION

Hi Amlan,

I used the code you have provided, however it did not provide me the right results.

But, I tried to tweak the code based on what you have provided and it does the trick.

Thanks for the help.

Regards,
JM



21 REPLIES

amlanpal
Kilo Sage

Hi Joe,

Is the user with the 'bu_itil' role able to see other incident records as well? Does the user also have the 'itil' role? If not, then I think it is restricted via an OOB before-query Business Rule named 'incident query'. Please have a look at this link: https://your_instance.service-now.com/sys_script.do?sys_id=2bc2f9b1c0a801640199f9eb0067326e&sysparm_...

I hope this helps. Please mark correct/helpful based on impact


Hi Amlan,

I think you're right, it is the one restricting the data.

What can I do about this one? Do I need to create another BR for my ACL?


Hi Joe,

In this case I would suggest you modify the Business Rule ('incident query') as below and give it a try. The only thing you need to add is in the if loop highlighted in bold in the given script.

// Restrict the query only for interactive users who hold neither 'itil' nor 'bu_itil'
if (!(gs.hasRole("itil") || gs.hasRole("bu_itil")) && gs.isInteractive()) {
  var u = gs.getUserID();
  var qc = current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
  gs.print("query restricted to user: " + u);
}

I hope this helps. Please mark correct/helpful based on impact


Hi Amlan,

I have modified the said BR, however that still does not resolve the issue.

Here is the code I made:

if ((!gs.hasRole("itil") || gs.hasRole("bu_itil")) && gs.isInteractive()) {
  var u = gs.getUserID();
  var qc = current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
  gs.print("query restricted to user: " + u);
}

I have also tried to disable this BR and it prompts a 'security constraint' warning on the incident list.


Hi Joe,

According to your modified script, users having the 'bu_itil' role will be able to see only those incidents which satisfy the conditions: the Caller is the logged-in user OR the Incident was opened by the logged-in user OR the logged-in user is selected in the Watch list.

So please raise/validate an Incident which satisfies any one of them and check. Or if you want to bypass all these conditions, please use the exact script which I have provided in my last response.

I hope this helps. Please mark correct/helpful based on impact
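The two versions of the 'incident query' condition from this thread, side by side, as an added example that is not code from the thread or from ServiceNow. It evaluates both predicates against a constructed stand-in for the server-side `gs` object (only `hasRole` and `isInteractive` are modelled) for every role combination, so the effect of where the `!` sits is visible; it is written in ES5 style to match server-side ServiceNow scripts.

```javascript
// Added example (not from the thread or ServiceNow): compare the suggested and
// the modified before-query conditions for each role combination.
function makeGs(roles, interactive) {
  // Constructed stand-in for GlideSystem: only the two methods the rule calls.
  return {
    hasRole: function (r) { return roles.indexOf(r) !== -1; },
    isInteractive: function () { return interactive; }
  };
}

// Suggested condition: restrict only users holding neither 'itil' nor 'bu_itil'.
function restrictsSuggested(gs) {
  return !(gs.hasRole("itil") || gs.hasRole("bu_itil")) && gs.isInteractive();
}

// Asker's modified condition: the `!` applies only to hasRole("itil"), so every
// user holding 'bu_itil' is restricted, which is what the last reply describes.
function restrictsModified(gs) {
  return (!gs.hasRole("itil") || gs.hasRole("bu_itil")) && gs.isInteractive();
}

// Stand-in for the addQuery/addOrCondition chain the rule applies when it does
// restrict: the equivalent encoded query (CONTAINS is LIKE in encoded-query syntax).
function restrictedEncodedQuery(userId) {
  return ["caller_id=" + userId, "opened_by=" + userId, "watch_listLIKE" + userId].join("^OR");
}

// Evaluate both predicates for each role set in an interactive session.
function compare(roleSets) {
  return roleSets.map(function (roles) {
    var gs = makeGs(roles, true);
    return { roles: roles, suggested: restrictsSuggested(gs), modified: restrictsModified(gs) };
  });
}

// Constructed role sets (sample input, not from the thread).
var SAMPLE_ROLE_SETS = [[], ["itil"], ["bu_itil"], ["itil", "bu_itil"]];

compare(SAMPLE_ROLE_SETS).forEach(function (row) {
  console.log(JSON.stringify(row.roles), "suggested:", row.suggested, "modified:", row.modified);
});
```

The table shows the difference: only the modified predicate restricts a user who holds 'bu_itil', while both leave 'itil'-only users unrestricted and both restrict users with neither role.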