Hey Team!

I've got an instance where we have ACLs that restrict access to the Request Record under certain circumstances (when a request was created from a particular order guide type).

The ACL restrictions explicitly exclude impersonation, and it means that the Out of Box Business Rule that runs when the child sc_req_item is closed is unable to close the related sc_request record.

I've tried refactoring the OOB business rule to abstract the behaviour into a Script Include with the hope that the script include might be able to be executed as a user other than the one that triggered the business rule, but I've run into a brick wall - it seems that both the business rule and script includes are unable to write to the Request record because the current user can't see it.

My Business rule looks like this:

// Initialise the SE Request Closer Script include and pass it the current request ID
gs.log("(7EL) Close Parent Restricted Business rule Triggered against Req Item: "+current.number);
var RequestCloser = new SERequestCloser();   
var currentReq = current.request.sys_id;
RequestCloser.closeParentIfRequired(currentReq);

And my script include does this:

var SERequestCloser = Class.create();

SERequestCloser.prototype = Object.extendsObject(AbstractAjaxProcessor, {
closeParentIfRequired: function(currentReq) {
gs.log("(7EL) Started Request Closer");
   // check to see if any of our peers are currently *not* closed
   var gr = new GlideRecord('sc_req_item');
   gr.addQuery('request', currentReq);
   gr.addQuery('stage', '!=', 'complete');
   gr.addQuery('stage', '!=', 'Request Cancelled');
   gr.query();
gs.log("(7EL) Request Closer has found Request Item record: "+gr.number);
   if (!gr.next()) {
         // no peer task is currently open
         var sc_request = new GlideRecord('sc_request');
         sc_request.addQuery('sys_id', currentReq);
         sc_request.query();
         sc_request.next();
         gs.print("SC_REQUEST.STAGE = " + sc_request.stage + " INDEX = " + sc_request.stage.toString().indexOf('closed'));
       gs.log("(7EL) Request Closer found request record: "+ sc_request.number);
         if (sc_request.stage.toString().indexOf('closed') == -1) {
                 sc_request.stage = "closed_complete";
                 sc_request.comments.setJournalEntry("Request Automatically Closed as all Line Items were complete");
                 sc_request.update();
}
   }
},
       type: 'SERequestCloser'
});

Because the Request Record is not visible to the user executing the BR, neither the GR query nor the sc_request query are able to get the relevant records, and therefore the update at line 23 just creates a new record altogether.   If this is run as a user who has ACL access to the Request record, then this is successful, but it doesn't work otherwise, and I can't grant users access in this case (just yet).  

What would be handy is if I could just call the method closeParentIfRequired as a system user.... any thoughts?   As mentioned before the ACL explicitly excludes impersonation access to the Request table.