User seeing all Requested Items

Brian Lancaster
Tera Sage

We had a user report that he can see all requested items from any user. This happens when he clicks on a link he got for one of his RITMs and then clicks the green back button (see screenshot below) in ServiceNow. How can we make it so that it only takes him back to his list of RITMs instead of showing him everybody else's RITMs?

[screenshot: servicenow requested items.png]

1 ACCEPTED SOLUTION

Mark Stanger
Giga Sage

ACLs, while normally the perfect answer to security questions, always result in the 'Number of rows removed' issue when using a 'Read' operation for records.




In order to avoid this, you need to use a 'before query' business rule on the 'sc_req_item' table.   A script like this should do the trick...it's based off of the out-of-box 'incident query' business rule that does the same thing for incidents.



if (!gs.hasRole("itil") && gs.isInteractive()) {
  // Only restrict interactive sessions of users without the itil role;
  // itil users and non-interactive (integration/script) sessions still see everything.
  var u = gs.getUserID();

  // Keep only RITMs the user requested (dot-walked through the parent request),
  // opened, or is on the watch list for. addOrCondition() chains OR clauses
  // onto the condition returned by addQuery().
  var qc = current.addQuery("request.requested_for", u)
    .addOrCondition("opened_by", u)
    .addOrCondition("watch_list", "CONTAINS", u);

  gs.print("query restricted to user: " + u);
}



Check this SNGuru article out for more details...


http://www.servicenowguru.com/scripting/business-rules-scripting/controlling-record-access-before-qu...


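To check which records the filter in the accepted answer lets through before putting the business rule in an instance, here is a plain-JavaScript model of its conditions run over a handful of constructed RITM records. This is an added example, not code from the original post and not ServiceNow API code: gs.hasRole()/gs.isInteractive() and the GlideRecord query are modelled by plain objects and a predicate, and the sys_ids and RITM numbers are made up.

```javascript
// Constructed sample sc_req_item rows (hypothetical sys_ids, not real records).
// 'requested_for' stands in for the dot-walked 'request.requested_for' field;
// 'watch_list' is a comma-separated glide_list of user sys_ids, as in ServiceNow.
const RITMS = [
  { number: 'RITM0001', requested_for: 'u_alice', opened_by: 'u_alice', watch_list: '' },
  { number: 'RITM0002', requested_for: 'u_bob',   opened_by: 'u_bob',   watch_list: 'u_alice,u_carol' },
  { number: 'RITM0003', requested_for: 'u_bob',   opened_by: 'u_alice', watch_list: '' }, // raised on Bob's behalf
  { number: 'RITM0004', requested_for: 'u_carol', opened_by: 'u_carol', watch_list: '' },
];

// Mirrors addQuery('request.requested_for', u)
//           .addOrCondition('opened_by', u)
//           .addOrCondition('watch_list', 'CONTAINS', u)
// CONTAINS on a glide_list is a substring match on the stored sys_id list; because
// sys_ids are fixed-length, a token match on the split list is equivalent here.
function matchesUser(ritm, userId) {
  const watchers = ritm.watch_list ? ritm.watch_list.split(',') : [];
  return ritm.requested_for === userId
      || ritm.opened_by === userId
      || watchers.includes(userId);
}

// Mirrors the guard: the restriction applies only to interactive sessions of
// users who lack the 'itil' role; everyone else gets the unfiltered table.
function visibleRitms(ritms, user, interactive) {
  const restrict = !user.roles.includes('itil') && interactive;
  return restrict ? ritms.filter(r => matchesUser(r, user.sys_id)) : ritms.slice();
}

function numbers(ritms) {
  return ritms.map(r => r.number);
}

// Usage (hypothetical users): an end user with no roles vs. a fulfiller with itil.
const endUser  = { sys_id: 'u_alice', roles: [] };
const fulfiller = { sys_id: 'u_dave',  roles: ['itil'] };
console.log('end user sees:  ', numbers(visibleRitms(RITMS, endUser, true)).join(','));
console.log('fulfiller sees: ', numbers(visibleRitms(RITMS, fulfiller, true)).join(','));
```

The model makes two properties of the query rule visible: a record the user did not open still shows up if they are the requested_for or on the watch list, and the gs.isInteractive() check means a scheduled job or integration running as a role-less user is not filtered, so that path still needs to be covered by something else if it matters.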

13 REPLIES

sudharsanv36
Kilo Guru

It can be controlled based on the roles and ACLs.


This is a regular end user, so they have no roles. What would I look for in the ACLs?


OK, so I found an ACL on sc_req_item that gives everybody read access. I'm not sure why we added that. I removed this ACL in dev and ran through a test. Now when the user hits the back button it gives them a screen where it just says "Number of rows removed from this list by Security constraints: 500" instead of letting them see their requested items. Do I need to make a read role that has a script in it to pull just their RITMs?


Hi Brian,



How do you want it to be? When a user hits the back button, should he be able to see RITMs created by him, assigned to him, assigned to his group, etc.?


-Anurag