Restricting access to records that are visible to all group members
3 hours ago - last edited 3 hours ago
Good afternoon all,
I have a request from our Facilities team leader for two members to be added to their group to manage a certain type of request. The staff members are from other departments in the organisation.
Requirements:
- Both members need to only have access to specific records on the facilities_request table where active = yes, category = 'Booking' and subcategory = 'Vehicle/Parking'.
- They should still be members of the group that contains the roles required to access all records in the facilities_request table.
- The two members should still be able to view any record in that table where they are the caller, requester, affected contact or in the watchlist.
As part of this request I created a new role (facilities_vehicle_booking_staff) and assigned it to the two staff members.
Approaches I have tried:
1. A Security Data Filter with a compound security attribute. It partially worked but blocked any requests logged for either user as requester/caller/affected contact as well as myself with the admin role (!). I was able to replicate the behaviour on a PDI.
2. Two Deny-unless ACLs on the facilities_request table. Initially it seemed to work but also blocked access to all records on the table for members of the group who didn't have the new role as well as on records where the two staff members are requesters.
3. Two Allow-if ACLs on the facilities_request table. It had no effect on either user, presumably because both already have the role assignment that grants access to all records in the table.
4. A before query business rule (which strictly speaking isn't meant to be a security measure).
I have reviewed the official SN docs articles on ACLs and security data filters, multiple forum posts on restricting access to records along with the following series on security: https://www.servicenow.com/community/servicenow-ai-platform-articles/need-to-know-principle-implemen...
Any thoughts on how I can achieve those requirements using the available security features in the platform?
Of note:
Instances are on the Yokohama patch 12 release.
The facilities_request table is descended from the Task and Service Order (sm_order) tables.
Thank you
David
27m ago
Create a single read ACL on facilities_request and remove deny-unless and security filters.
Use this script:
// Users without the restricted role keep whatever access their other roles grant.
if (!gs.hasRole('facilities_vehicle_booking_staff')) {
    answer = true;
}
else {
    // Restricted role: allow the active Booking / Vehicle-Parking records ...
    if (current.active == true &&
        current.category == 'Booking' &&
        current.subcategory == 'Vehicle/Parking') {
        answer = true;
    }
    // ... or any record where the user is caller, requested for, affected contact or on the watch list.
    else if (current.caller == gs.getUserID() ||
             current.requested_for == gs.getUserID() ||
             current.u_affected_contact == gs.getUserID() ||
             current.watch_list.toString().indexOf(gs.getUserID()) > -1) {
        answer = true;
    }
    // Everything else is denied for the restricted role.
    else {
        answer = false;
    }
}
Try this if it works!
