How to make RITM variables editable only for users in a group mapped to the Catalog Item (manually)
4 weeks ago
Hi Community,
I have a requirement related to controlling edit access to variables on the RITM (Requested Item) based on the Catalog Item and the logged‑in user’s group membership.
Requirement
- I have multiple Catalog Items, and each Catalog Item is associated with a specific support group.
  - Example:
    - Catalog Item Test11 → Group Test1
    - Catalog Item Test22 → Group Test2
- When an RITM is created:
  - Only users who belong to the group mapped to that Catalog Item should be able to edit variables on the Variables tab.
  - All other users should see the variables as read‑only.
- This access control must be:
  - Checked per RITM
  - Based on the Catalog Item of the RITM
  - Not based on the RITM assignment_group
What I am looking for
- A clean and supported approach to:
  - Check, on load of the RITM, whether the logged‑in user is part of the group mapped to that Catalog Item
  - Allow variable editing only for those users
  - Keep variables read‑only for everyone else
- Guidance on:
  - Whether a Display Business Rule + g_scratchpad + Catalog Client Script is the correct approach
  - Best practices for using g_scratchpad to pass server‑side group membership checks to the client
  - Any caveats when using this approach on the RITM Variables editor
3 weeks ago
Variables on an RITM record are editable out of the box, so first you need to look at what is making those read-only in your instance. It should be a simple onLoad Client Script on the sc_req_item table with one line of code:
g_form.setVariablesReadOnly(true);
The easiest thing to do then for these circumstances where you want the variables to be editable is to wrap this line in some if conditions with a GlideAjax call to a Script Include to evaluate the group membership.
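The server-side check that such a Script Include method could call, as an added example that is not part of the original reply. The function name canEditRitmVariables is hypothetical, u_variable_edit_group is the custom field proposed elsewhere in this thread, and GlideRecord and gs are the ServiceNow server-side globals.

```javascript
// Added example: server-side decision for "may the session user edit the
// variables of this RITM?". Written as a classless Script Include function.
// Assumptions: canEditRitmVariables is a hypothetical name, and
// u_variable_edit_group is the custom reference field (sc_cat_item ->
// sys_user_group) suggested in this thread, not a baseline column.
function canEditRitmVariables(ritmSysId) {
    // When called through GlideAjax the sys_id comes from the browser, so it
    // is untrusted input: accept only a 32-character hex sys_id.
    if (typeof ritmSysId !== 'string' || !/^[0-9a-f]{32}$/.test(ritmSysId)) {
        return false;
    }

    // Re-read the RITM on the server. The caller never supplies the group
    // or the user; both are resolved here.
    var ritm = new GlideRecord('sc_req_item');
    if (!ritm.get(ritmSysId)) {
        return false;
    }

    // The mapping hangs off the Catalog Item, not the RITM assignment_group.
    var catItemId = ritm.getValue('cat_item');
    if (!catItemId) {
        return false;
    }
    var catItem = new GlideRecord('sc_cat_item');
    if (!catItem.get(catItemId)) {
        return false;
    }

    // Fail closed: a Catalog Item with no mapped group stays read-only.
    var groupId = catItem.getValue('u_variable_edit_group');
    if (!groupId) {
        return false;
    }

    // Membership is evaluated for the current session user only.
    return gs.getUser().isMemberOf(groupId);
}
```

Every path that cannot prove membership returns false, so a malformed sys_id, a missing record or an unmapped Catalog Item all leave the variables read-only.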
3 weeks ago
Hi @LokeshwarRV !!
Catalog Policies and ACLs cannot control edit access to variables on the RITM Variables editor, so the supported approach is to combine server-side evaluation with client-side enforcement.
The recommended design is:
Display Business Rule (server-side) → g_scratchpad → Catalog Client Script (onLoad)
1. Store Catalog Item → Group Mapping
Add a reference field on the Catalog Item, for example:
u_variable_edit_group (Reference → sys_user_group)

2. Display Business Rule (sc_req_item)
When: Display
Advanced: true

    (function executeRule(current, previous /*null when async*/) {
        // Default to read-only; only a positive membership check changes this.
        // g_scratchpad is the global provided to Display Business Rules.
        g_scratchpad.canEditVariables = false;

        var catItemId = current.getValue('cat_item');
        if (!catItemId)
            return;

        var catItemGR = new GlideRecord('sc_cat_item');
        if (!catItemGR.get(catItemId))
            return;

        // No group mapped on the Catalog Item: stay read-only.
        var groupId = catItemGR.getValue('u_variable_edit_group');
        if (!groupId)
            return;

        if (gs.getUser().isMemberOf(groupId))
            g_scratchpad.canEditVariables = true;
    })(current, previous);

This ensures:
- Group membership is checked securely on the server
- The check is done per RITM
- Logic is based on the Catalog Item

3. Catalog Client Script (onLoad – RITM)

    function onLoad() {
        // Authorized users keep the variables editable.
        if (g_scratchpad.canEditVariables === true)
            return;

        // Everyone else: set each variable to read-only.
        var vars = g_form.getVariables();
        for (var i = 0; i < vars.length; i++) {
            g_form.setReadOnly(vars[i], true);
        }
    }

This makes all variables read-only for unauthorized users.
Mark this as Helpful if it clarifies the issue.
Accept the solution if this answers your question.
Regards,
Vaishnavi
Associate Technical Consultant
