User seeing all Requested Items

Brian Lancaster
Tera Sage

We had a user report that he can see all requested items from any user. This happens when he clicks on a link he got for one of his RITMs and then clicks the green back button (see screenshot below) in ServiceNow. How can we make it so that it only takes him back to his list or RITM instead of seeing everybody else's RITMs?

servicenow requested items.png

1 ACCEPTED SOLUTION

Mark Stanger
Giga Sage

ACLs, while normally the perfect answer to security questions, always result in the 'Number of rows removed' issue when using a 'Read' operation for records.

In order to avoid this, you need to use a 'before query' business rule on the 'sc_req_item' table. A script like this should do the trick...it's based off of the out-of-box 'incident query' business rule that does the same thing for incidents.


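// 'before query' business rule on sc_req_item: applies only to interactive users without the itil role
if (!gs.hasRole("itil") && gs.isInteractive()) {
  var u = gs.getUserID();
  // Match items requested for the user, opened by the user, or with the user on the watch list
  var qc = current.addQuery("request.requested_for", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
  gs.print("query restricted to user: " + u);
}

Check this SNGuru article out for more details...
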
http://www.servicenowguru.com/scripting/business-rules-scripting/controlling-record-access-before-qu...
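
Added example, not part of the original answer and not ServiceNow platform code: a plain JavaScript model (runs in Node) of the difference described above between filtering a fetched page with a read ACL and adding the condition to the query itself. The records, user ids and function names are constructed for illustration.

```javascript
// Constructed sample data; "requested_for" stands in for the dot-walked request.requested_for.
const RITMS = [
  { number: "RITM0001", requested_for: "u_alice", opened_by: "u_alice", watch_list: "" },
  { number: "RITM0002", requested_for: "u_bob",   opened_by: "u_bob",   watch_list: "" },
  { number: "RITM0003", requested_for: "u_bob",   opened_by: "u_alice", watch_list: "" },
  { number: "RITM0004", requested_for: "u_carol", opened_by: "u_carol", watch_list: "u_bob,u_alice" },
  { number: "RITM0005", requested_for: "u_carol", opened_by: "u_bob",   watch_list: "u_dave" },
  { number: "RITM0006", requested_for: "u_alice", opened_by: "u_carol", watch_list: "" },
];

// Same condition the business rule adds:
// request.requested_for = u OR opened_by = u OR watch_list CONTAINS u
function isVisibleTo(r, u) {
  return r.requested_for === u || r.opened_by === u || r.watch_list.includes(u);
}

// Read-ACL model: the page is fetched first, then unreadable rows are dropped,
// so the list comes up short and reports how many rows were removed.
function listWithReadAcl(rows, u, pageSize) {
  const page = rows.slice(0, pageSize);
  const shown = page.filter((r) => isVisibleTo(r, u));
  return { shown: shown.map((r) => r.number), rowsRemoved: page.length - shown.length };
}

// Before-query model: the condition is part of the query, then the page is cut.
// The guard mirrors the script: only interactive sessions without itil are restricted.
function listWithBeforeQuery(rows, u, pageSize, hasItil, interactive) {
  const restricted = !hasItil && interactive;
  const matched = restricted ? rows.filter((r) => isVisibleTo(r, u)) : rows;
  return { shown: matched.slice(0, pageSize).map((r) => r.number), rowsRemoved: 0 };
}

console.log(listWithReadAcl(RITMS, "u_alice", 4));
console.log(listWithBeforeQuery(RITMS, "u_alice", 4, false, true));
// A non-interactive session skips the guard and is not restricted by this rule.
console.log(listWithBeforeQuery(RITMS, "u_alice", 10, false, false));
```

The last call shows what the `gs.isInteractive()` guard implies: the rule does not restrict non-interactive sessions, so access for those still depends on ACLs.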



13 REPLIES

I did disable the business rule. Everything looks fine when the manager goes to approve the request. What happens is the manager has approved and the approval state changes from requested to approved, but the stage of the RITM does not change and stays at awaiting approval.


I'm not sure on that then.   What's certain is that the business rule isn't related as long as the same error happens with or without the business rule in place.


Sorry for the confusion but as soon as I turned the business rule off I no longer had the issue.


I put in a ServiceNow ticket and the added the underlined code in our test environment which seems to have resolved the issue with approvals.


if (!gs.hasRole("itil") && gs.isInteractive() && isApprovalMine(current)) {
  var u = gs.getUserID();
  var qc = current.addQuery("request.requested_for", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
  gs.print("query restricted to user: " + u);
}