Allow users to create templates

Sahar_Kaizer
Tera Contributor

Hi,

How can I allow users with mac_fulfilment role to create and edit templates only if they created them, while users with mac_analyst can create and edit all template records?

 

Thanks,

Sahar

1 REPLY

Deepak Shaerma
Kilo Sage

Hi @Sahar_Kaizer 

 

To achieve such granular control over the creation and editing permissions for templates in ServiceNow, you can utilize Access Control Rules (ACLs) and potentially business rules or client scripts to ensure that users with the mac_fulfilment role can only edit templates they created, while users with the mac_analyst role can create and edit all template records. Here’s how you can approach this situation step by step:

 

### 1. Creation Permissions for Both Roles:

 

For both roles to be able to create template records, you will need to ensure that the creation ACL for the template table (let’s call it x_yournamespace_template) grants create access to both mac_fulfilment and mac_analyst roles.

 

1. Navigate to System Security > Access Control (ACL).

2. Create a new ACL rule for the operation create on the x_yournamespace_template table.

3. Set the condition that users must have either the mac_fulfilment or mac_analyst role.

 

### 2. General Edit Permissions for mac_analyst:

 

To allow mac_analyst role holders to edit all templates:

 

1. Create/Edit an ACL rule for the operation write on the x_yournamespace_template table.

2. Set the condition or script that users must have the mac_analyst role.

 

### 3. Conditional Edit Permissions for mac_fulfilment:

 

To ensure that users with the mac_fulfilment role can only edit records they created, you will need a more conditional ACL.

 

1. Create/Edit an ACL rule for the write operation on the same table.

2. In the Script field of the ACL, you must write a script that checks if the current user is the creator of the record. An example script could be:

 

```javascript
(function() {
    // Allows 'mac_analyst' role unconditional edit rights
    if (gs.hasRole('mac_analyst')) {
        return true;
    }

    // Allows 'mac_fulfilment' users to edit only if they are the creator.
    // sys_created_by stores the creator's user name, so compare with gs.getUserName().
    if (gs.hasRole('mac_fulfilment')) {
        return current.sys_created_by == gs.getUserName();
    }

    return false;
})();
```

 

 

This script checks if the user has the mac_analyst role; if so, they can edit all records. If the user has the mac_fulfilment role, it further checks if the sys_created_by field of the current record matches the user’s ID. Note that sys_created_by holds the sys_id of the user who created the record, which is why gs.getUserID() is used for comparison.

 

PLEASE MARK THIS AS HELPFUL AND ACCEPTED SOLUTION IF THIS HELPS YOU. THIS WILL HELP BOTH ME AND THE COMMUNITY 

THANKS AND REGARDS 

DEEPAK SHARMA
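The role and creator matrix from the answer above, as an added example that is not part of the original reply and is not ServiceNow code: it runs the create and write decisions in plain Node.js against constructed users and records. `makeGs`, `canCreate`, `canWrite`, `accessMatrix` and the sample data are hypothetical names, and it assumes `sys_created_by` stores the creator's user name.

```javascript
// Hypothetical stand-in for ServiceNow's GlideSystem (gs) so the logic runs in Node.
function makeGs(user) {
  return {
    // gs.hasRole() also returns true for users who hold the admin role.
    hasRole: (role) => user.roles.includes(role) || user.roles.includes('admin'),
    getUserName: () => user.user_name,
  };
}

// Create ACL: either role may create templates.
function canCreate(gs) {
  return gs.hasRole('mac_fulfilment') || gs.hasRole('mac_analyst');
}

// Write ACL: analysts edit everything, fulfilment users only their own records.
// Assumption: sys_created_by stores the creator's user name (user_name).
function canWrite(gs, current) {
  if (gs.hasRole('mac_analyst')) return true;
  if (gs.hasRole('mac_fulfilment')) return current.sys_created_by === gs.getUserName();
  return false; // fail closed for everyone else
}

// Constructed sample users and template records.
const USERS = {
  fulfil_a: { user_name: 'fulfil.a', roles: ['mac_fulfilment'] },
  fulfil_b: { user_name: 'fulfil.b', roles: ['mac_fulfilment'] },
  analyst: { user_name: 'analyst.c', roles: ['mac_analyst'] },
  both: { user_name: 'both.d', roles: ['mac_fulfilment', 'mac_analyst'] },
  other: { user_name: 'other.e', roles: ['itil'] },
  admin: { user_name: 'admin.f', roles: ['admin'] },
};
const RECORDS = [
  { name: 'tpl_by_a', sys_created_by: 'fulfil.a' },
  { name: 'tpl_by_b', sys_created_by: 'fulfil.b' },
  { name: 'tpl_by_analyst', sys_created_by: 'analyst.c' },
];

// For each user: may they create, and which records may they write?
function accessMatrix() {
  const matrix = {};
  for (const [key, user] of Object.entries(USERS)) {
    const gs = makeGs(user);
    const write = RECORDS.filter((r) => canWrite(gs, r)).map((r) => r.name);
    matrix[key] = { create: canCreate(gs), write };
  }
  return matrix;
}

console.log(JSON.stringify(accessMatrix(), null, 2));
```

The admin row passes every check because `gs.hasRole()` returns true for admins, so verify the real ACLs while impersonating non-admin accounts.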