User's access control with Before Query Business Rule

SN4User · ‎03-22-2023

Hi, I would like to add a 'Before Query Business Rule' to control user's access to Demands by their Business Units. So each users belongs to a specific Business Unit. I have add a reference field for Business Unit in the form of a user.

So let us imagine following:

User John belongs to Business Unit A
User Cathy belongs to Business Unit B
If John opens a Demand which belongs to Business Unit B, he is not allowed to see any data inside this Demand
If Cathy opens the same Demand which belongs to Business Unit B, she is allowed to see the data inside this Demand

How could I write the script for the Business Rule? I'm not a coder, I'm a Project Manager but learning ServiceNow, here is what I have coded, but is not working, do you see my mistake?

(function executeBeforeQuery(current, previous, query, request) {

  // Get the current user
  var currentUser = gs.getUser();

  // Get the user's business unit
  var userBusinessUnit = currentUser.getRefRecord("business_unit");

  // Add a condition to the query to only include demands from the user's business unit
  query.addCondition("business_unit", "=", userBusinessUnit);

})(current, previous, query, request);

umaaggarwal · ‎03-22-2023

Hi there,

Please use below two lines of code and should work. I just added BU field and it is working for me. you need to replace the field name with your field name in the instance

var bu = gs.getUser().getRecord().getValue('u_bu');

// here u_bu is the field name on user record. Please use the one you have on your user record in backend table
current.addQuery('u_bu',bu);

//here in this line 'u_bu' field is on the demand table. Please use the backend name of the field which you are using

Please feel free to reach out in case you are stuck .

View solution in original post

umaaggarwal · ‎03-22-2023

Hi there,

Please use below two lines of code and should work. I just added BU field and it is working for me. you need to replace the field name with your field name in the instance

var bu = gs.getUser().getRecord().getValue('u_bu');

// here u_bu is the field name on user record. Please use the one you have on your user record in backend table
current.addQuery('u_bu',bu);

//here in this line 'u_bu' field is on the demand table. Please use the backend name of the field which you are using

Please feel free to reach out in case you are stuck .

SN4User · ‎03-22-2023

Hi umaaggarwal, thanks for you fast reply. Just two lines? Interesting, I would be interested to know how Devs approach such a problem.

I'm working on the PDI, so the standard field name of 'Business Unit' is 'business_unit' I would assume. So I would replace like following:

var bu = gs.getUser().getRecord().getValue('business_unit');

current.addQuery('business_unit',bu);

May I kindly ask you how to interpret the two lines? As I understand

var bu = gs.getUser().getRecord().getValue('business_unit');

1. var bu = set variable bu

2. gs.getUser() = global object of the User who is currently logged-in

3. getRecord() = global object of the current record, in this case table 'dmn_demand'

4. getValue('business_unit') = read field 'Business Unit'

current.addQuery('business_unit',bu);

1. current = current

2. addQuery('business_unit') = addQuery of 'Business Unit'

3. ,bu = This I don't understand

Is my interpretation correct? I don't understand where in the two lines the access control is? And point 3. of second line (,bu) I don't understand.

umaaggarwal · ‎03-23-2023

Hi SN4User,

You can always right click on the field label and see the backend name. It should be business unit but as I do not have demand module yet in my PDI, I cannot be sure on the name.

Regarding interpretation of these lines :

gs.getUser().getRecord() - this is fetching the logged in user's record from user table and then I have appended what value from this record i need. I this case I need business unit so have appended with getValue('u_bu')

you can append getValue('any_field_name') here to get teh value of perticular field for the fetched user record. So nothing to do with demand table. Till here I have just fetched logged in user's BU and stored it in my variable bu.

Nex line : current.addQuery('u_bu',bu);

current.addQuery is the syntax to restrict query. There is nothing called access control explicitly in query business rules, what you write in this query will be your restriction.

So in the query, I have mentioned u_bu = bu

bu is logged in user's business unit from first line, so I am setting that all the demands where business unit i.e. u_bu is logged in user's business unit i.e. bu .

so logged in user will see only demands related to his business unit.

Hope it helps.

If you have any further queries , please feel free follow / connect on linkedin

https://www.linkedin.com/in/uma-aggarwal-94521511a/

Also please mark this correct /helpful if it really was

Regards!

Uma

SN4User · ‎03-23-2023

Hi Umma,

thanks for your reply, it's really helpful for me. I have found out the backend name by using SN Utils, is an applicable tool.

Your detailed explanations help me to understand your two lines of code. I have implement it and it's restricting now, but the behavior is different. For example, I'm logged-in with System Administrator (admin), the admin is not part of any Business Unit, so I would expect the admin would not see any demand in the demand list. But he sees two demands in the list. So I have checked again the admin part of any Business Unit, no isn't part of any Business Unit. And the two demands he can see in the demand list, they are not part of any Business Unit.

What I have forgotten to analyze to find out, why admin can see two demands in the demand list? I assume, that something is overwriting my Business Rules, right? Thanks for you support.