ACL to apply to only specific groups

Trideep · ‎07-01-2025

I have a scenerio
There are three assignment groups: Group A, Group B, and Group C.

Users in these groups all have the itil role.

RITMs (sc_req_item records) will be assigned to one of these three groups.

The requirement is that users should only see RITMs assigned to their own group:
->A user in Group A should only see RITMs assigned to Group A.
->A user in Group B should only see RITMs assigned to Group B.
->A user in Group C should only see RITMs assigned to Group C.

Users from one of these three groups should not see RITMs assigned to the other two groups.

This restriction should apply only to users in Group A, B, and C.

Other users (outside these three groups) should continue to see RITMs as allowed by the existing ACLs.

There are existing OOB read ACLs on the sc_req_item table that use role like snc_internal.

Question:

How can I enforce this group-based visibility rule on RITMs, where users in Group A, B, or C can only see RITMs assigned to their own group, without modifying or removing the existing ACLs, and without affecting users outside these groups?

AndersBGS · ‎07-01-2025

Hi @Trideep

have you looked into data filtration rule: https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/administer/security/concept/d...

this should fulfill the requirement.

If my answer has helped with your question, please mark my answer as the accepted solution and give a thumbs up.

Best regards
Anders

Rising star 2024
MVP 2025
linkedIn: https://www.linkedin.com/in/andersskovbjerg/

Trideep · ‎07-07-2025

Hi @AndersBGS ,

I do not find the Data Filtration (com.glide.data_filtration) Plugin in the Application Manager. Is it a paid one or freeware?

However, in filter navigator under System Security module I found Security Data Filters. Is it something similar to data filtration. Can I leverage it to accomplish my requirement?

AndersBGS · ‎07-07-2025

Hi @Trideep ,

Yes, as I read in an see it, it is similar: https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/administer/security/concept/s...

If my answer has helped with your question, please mark my answer as the accepted solution and give a thumbs up.

Best regards
Anders

Rising star 2024
MVP 2025
linkedIn: https://www.linkedin.com/in/andersskovbjerg/

Masthan Sharif · ‎07-01-2025

Hi @Trideep ,

If you dont want to modify existing ACLs, you can try Query Business Rules on RITM table like this

(function executeRule(current, previous /*null*/) {
  // Get user’s group list as array of sys_ids
  var groups = gs.getUser().getMyGroups().toString().split(',');
  
  // Define restricted groups
  var restricted = ['<A_sysid>', '<B_sysid>', '<C_sysid>']; // replace <A_sysid> etc. with actual sys_ids

  // Check if user is in any of the restricted groups
  var inRestricted = false;
  for (var i = 0; i < groups.length; i++) {
    for (var j = 0; j < restricted.length; j++) {
      if (groups[i] === restricted[j]) {
        inRestricted = true;
        break;
      }
    }
    if (inRestricted) break;
  }

  // Only apply filter if user is in Group A, B, or C
  if (inRestricted) {
    current.addQuery('assignment_group', 'IN', groups.join(','));
  }
})(current, previous);

or like this:

(function executeRule(current, previous /*null*/) {
  var user = gs.getUserID();
  var groups = gs.getUser().getMyGroups();
  var restricted = ['<A>', '<B>', '<C>'];

  // Only filter queries for A/B/C members
  if (groups.some(function(g) { return restricted.indexOf(g) > -1; })) {
    current.addQuery('assignment_group', 'IN', groups.join(','));
  }
})(current, previous);

Please test thoroughly, and post your questions if it didnt help, thank you!

Best Regards,

Sharif