User seeing all Requested Items

Brian Lancaster
Tera Sage

We had a user report that he can see all requested items from any user. This happens when he clicks on a link he got for one of his RITMs and then he clicks on the green back button (see screenshot below) in ServiceNow. How can we make it so that it only takes him back to his list or RITM instead of seeing everybody else's RITMs?

servicenow requested items.png

1 ACCEPTED SOLUTION

Mark Stanger
Giga Sage

ACLs, while normally the perfect answer to security questions, always result in the 'Number of rows removed' issue when using a 'Read' operation for records.




In order to avoid this, you need to use a 'before query' business rule on the 'sc_req_item' table. A script like this should do the trick... it's based off of the out-of-box 'incident query' business rule that does the same thing for incidents.



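if (!gs.hasRole("itil") && gs.isInteractive()) {
  // Non-itil users in an interactive session only get RITMs tied to them
  var u = gs.getUserID();
  // Requested for the user, opened by the user, or user on the watch list
  var qc = current.addQuery("request.requested_for", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
  gs.print("query restricted to user: " + u);
}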



Check this SNGuru article out for more details...


http://www.servicenowguru.com/scripting/business-rules-scripting/controlling-record-access-before-qu...



13 REPLIES

Add a read ACL (or just use the one you just deactivated) and in the script part add this

// sys_created_by holds the creator's user name, so compare it with gs.getUserName()
current.sys_created_by == gs.getUserName()

// This will give read access to all the RITMs that the user has created himself


-Anurag


Thanks Mark, that worked perfectly.


Hello Mark,


We are running into an issue since I added this where approvers approve the request but it never goes any further. Any thoughts on what might be causing this?


You could disable the new business rule to check, but I don't think there would be any relation there. All you've added is read security. I can see where maybe the approver couldn't view the record they were attempting to approve, but updating or pushing the workflow shouldn't be impacted. Can the users approving see the request item they're approving?
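
Added example, not part of the original thread and not ServiceNow code: a plain-JavaScript model of the two approaches discussed above, showing why a read ACL leaves a short page with a "rows removed" count while the before-query condition does not, and what a non-itil approver sees under that condition. The records, user names, the `approver` property and the function names are constructed for illustration, and the `gs.isInteractive()` check is left out of the model.

```javascript
// Constructed sample records; `approver` is a hypothetical stand-in for the approval relation.
const ritms = [
  { number: "RITM0001", requested_for: "alice", opened_by: "alice", watch_list: [], approver: "dave" },
  { number: "RITM0002", requested_for: "bob", opened_by: "carol", watch_list: ["alice"], approver: "dave" },
  { number: "RITM0003", requested_for: "bob", opened_by: "bob", watch_list: [], approver: "dave" },
  { number: "RITM0004", requested_for: "carol", opened_by: "alice", watch_list: [], approver: "dave" },
  { number: "RITM0005", requested_for: "carol", opened_by: "carol", watch_list: [], approver: "dave" },
];

// Same condition as the business rule: requested_for OR opened_by OR on the watch list.
function matchesUser(r, user) {
  return r.requested_for === user || r.opened_by === user || r.watch_list.includes(user);
}

// Read ACL model: the list query pages over every row, then rows failing the ACL
// are dropped from that page, leaving it short and reporting a removed-row count.
function listWithReadAcl(user, pageSize) {
  const page = ritms.slice(0, pageSize);
  const shown = page.filter((r) => matchesUser(r, user));
  return { shown: shown.map((r) => r.number), rowsRemoved: page.length - shown.length };
}

// Before-query model: the condition is part of the query itself, so paging runs
// over matching rows only and nothing is removed afterwards. itil users are exempt.
function listWithBeforeQuery(user, pageSize, roles = []) {
  const matches = roles.includes("itil") ? ritms : ritms.filter((r) => matchesUser(r, user));
  return { shown: matches.slice(0, pageSize).map((r) => r.number), rowsRemoved: 0 };
}

// Stand-alone run over the constructed data.
console.log("ACL, alice:", listWithReadAcl("alice", 3));
console.log("before query, alice:", listWithBeforeQuery("alice", 3));
console.log("before query, approver dave (no itil):", listWithBeforeQuery("dave", 3));
console.log("before query, approver dave (itil):", listWithBeforeQuery("dave", 3, ["itil"]));
```

In this model an approver without the itil role matches none of the three fields, so the query returns no rows for them, which is the visibility question raised in the last reply.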