Restrict @mention to users with read access to record

Michael T
Tera Contributor

My client would like to limit who can be @mentioned on a ticket platform wide to only people with read access to the ticket. I created a Before Query business rule on the User table based on another community post - this business rule does work to limit @mention to users with the hr admin role, however I want to see if we can limit to users with read access to the record instead. Advice on how to modify business rule or a different approach would be appreciated! Thanks

 

(function executeRule(current, previous /*null when async*/ ) {
    // Before Query rule on sys_user: narrow the user list only when the
    // query comes from the @mention lookup endpoint.
    try {
        if (gs.action.getGlideURI() != '') {
            if (gs.action.getGlideURI().getMap() != '') {
                if (gs.action.getGlideURI().toString().startsWith('api/now/form/mention/record/')) {
                    // Only active users holding the HR admin role are offered
                    current.addEncodedQuery('roles=sn_hr_core.admin');
                    current.addActiveQuery();
                    gs.addInfoMessage(current); // Returns "sys_user"
                }
            }
        }
    } catch (errObj) {
        gs.error('Global_Set_Filter_Mention-' + errObj);
    }
})(current, previous);

If we have a method to prevent any @mention from additional comments that would be +1 as the client is wondering this as well

10 REPLIES

ah, shoot...hmmm...

I've never had to consider the case that .canread only measures against the user who is currently logged in, not a method to try against another user for qualification purposes...it's always been quite handy, but I can see the limitation now.

 

I don't think there is a way to "reverse the impersonation", so-to-speak...but I like the way you're thinking, it would be a way to crack this nut if you could, considering this additional information, regarding the canread method.

----

Considering this, I'd go back to the drawing board -- don't use this approach. I think it will get more messy than it's worth, honestly.

However, I noticed in your last post, that the @ mention feature already says "cannot view record"...assuming that to be accurate, ServiceNow is doing the heavy lifting already.

...I suspect you'd like this customization to prevent the fulfiller from selecting that record despite this warning...which I totally get, if training/coaching/procedure doesn't fix the issue ("don't tag those who can't view the record, please"), then you have to put up some guardrails or continue to experience the fallout (frustrating business users, who are being tagged on records they can't view - booourns)...

...further, I suspect the solution may be easier to stop the notification/mention in post (if someone tags the user who can't view, said user just wouldn't be notified, but the fulfiller/agent may still tag them)...

...before I give any (potentially irrelevant) advice, do I understand the issue you're having? 

You've got it precisely. Especially with HR there are lots of special conditions that might make some records visible to others and not some beyond a simple role and the client is hoping we can make a platform wide change to prevent this confusion

Makes sense -- would stopping the alert be just as good as preventing the tag...or is prevention of the act of tagging by the fulfiller, the specific requirement?

They would like for those users who cannot see the record to not be able to be tagged - Using our business rule we can remove options from the list when you use the @ character by role or other user criteria like this line:

                    current.addEncodedQuery('roles=sn_hr_core.admin');

I opened a ticket with ServiceNow to see if I can get a recommendation from them based on what I'm trying to do here with the impersonation if that is possible. You did help confirm my suspicion that this is not a simple task as our team was not experienced in a similar requirement

Awesome! I think this may be some worth-while feature development for them...a property or switch to either "indicate if user cant read" or "not allow" tagging, when appropriate - whereas, currently it's just "indicate" only.

You can make suggestions for new feature development in the Now Support portal, through the "Idea Portal" - check it out: Ideas - Idea portal (servicenow.com)

If you do submit this as an "Idea", or get an answer from Now Support, please let me know (via this thread) so I can follow (in the idea portal), as this seems like a really good customization/idea IMO

Also -- if you wouldn't mind marking one of (any of) my posts in this thread as "helpful", that would be very appreciated!