Scenario – I have ACL for Assignment Group members of incidents – People who are member of Assignmen
3 weeks ago
I am facing difficulty solving this, and when I log in with a membership user it returns all group incidents instead of only the user's own group incidents.
I created 2 users and assigned the group Network, and provided the itil role, but it returns all incidents of all groups.
3 weeks ago
The problem here has two issues — one in the ACL script logic itself, and a more fundamental one with the approach.
Bug in the script (line 14): answer = memberGR.next(); calls .next() a second time (after the if on line 13 already consumed the first record). If the user has only one membership record in that group, this returns false. It should be answer = true;.
The real problem — why ALL incidents show up: The itil role has OOB read access on the incident table. ACLs are evaluated with OR logic, so even if your custom ACL returns false, the OOB ACL that checks for itil still passes and grants access. That's why the user sees everything.
The right approach is a Before Query Business Rule, not an ACL, to filter the incident list to only the user's groups:
(function executeRule(current, previous) {
    // Don't restrict admins
    if (gs.hasRole('admin')) return;

    // Collect the sys_ids of every group the current user belongs to
    var groups = [];
    var grMember = new GlideRecord('sys_user_grmember');
    grMember.addQuery('user', gs.getUserID());
    grMember.query();
    while (grMember.next()) {
        groups.push(grMember.getValue('group'));
    }

    if (groups.length > 0) {
        // Show incidents assigned to the user's groups, OR assigned directly to the user,
        // OR raised by the user (the OR conditions attach to the same query condition qc)
        var qc = current.addQuery('assignment_group', 'IN', groups.join(','));
        qc.addOrCondition('assigned_to', gs.getUserID());
        qc.addOrCondition('caller_id', gs.getUserID());
    } else {
        // No group membership: only show incidents assigned to or raised by the user
        var qc2 = current.addQuery('assigned_to', gs.getUserID());
        qc2.addOrCondition('caller_id', gs.getUserID());
    }
})(current, previous);
Business Rule configuration: Table = incident, When = Before, with the Query checkbox ticked. Add a condition or role check so it only applies to the non-admin users you want to restrict.
This injects a filter at query time so the user only sees incidents belonging to their group(s), plus their own incidents. It avoids the ACL OR-logic problem entirely.
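Added example, not from the original post or from ServiceNow: a Node.js simulation of the before-query business rule above, so the filter it builds can be checked offline. FakeGlideRecord and makeGs are constructed stand-ins for ServiceNow's GlideRecord and gs objects and only implement the calls the rule makes; the user, group and incident rows are invented. The same stand-in also reproduces the double .next() cursor defect described in the answer (isGroupMember with doubleNext set).

```javascript
// Added example (not from the original post): a Node.js simulation of the
// before-query business rule, run against constructed sample rows.
// FakeGlideRecord / makeGs are stand-ins for ServiceNow's GlideRecord and gs
// objects and only cover the calls the rule makes; the data below is invented.

const GROUP_MEMBERS = [                      // stand-in for sys_user_grmember
  { user: 'u_alice', group: 'g_network' },
  { user: 'u_alice', group: 'g_hardware' },
  { user: 'u_bob',   group: 'g_network' },
];
const INCIDENTS = [                          // stand-in for incident
  { number: 'INC0001', assignment_group: 'g_network',  assigned_to: 'u_bob',   caller_id: 'u_carol' },
  { number: 'INC0002', assignment_group: 'g_database', assigned_to: 'u_dave',  caller_id: 'u_alice' },
  { number: 'INC0003', assignment_group: 'g_database', assigned_to: 'u_alice', caller_id: 'u_erin'  },
  { number: 'INC0004', assignment_group: 'g_database', assigned_to: 'u_dave',  caller_id: 'u_erin'  },
  { number: 'INC0005', assignment_group: 'g_hardware', assigned_to: '',        caller_id: 'u_erin'  },
];
const TABLES = { sys_user_grmember: GROUP_MEMBERS, incident: INCIDENTS };

// Each addQuery() opens a condition group; addOrCondition() on that group adds
// an alternative to it. Groups are ANDed, terms inside a group are ORed, which
// is how GlideRecord builds "a^ORb^ORc" from qc.addOrCondition().
class FakeGlideRecord {
  constructor(table) { this.rows = TABLES[table]; this.groups = []; this.results = []; this.pos = -1; }
  addQuery(field, op, value) {
    if (value === undefined) { value = op; op = '='; }     // two-argument form means equality
    const cond = { terms: [[field, op, value]] };
    cond.addOrCondition = (f, o, v) => {
      if (v === undefined) { v = o; o = '='; }
      cond.terms.push([f, o, v]);
      return cond;
    };
    this.groups.push(cond);
    return cond;
  }
  static matches([field, op, value], row) {
    return op === 'IN' ? value.split(',').includes(row[field]) : row[field] === value;
  }
  query() {
    this.results = this.rows.filter(row =>
      this.groups.every(g => g.terms.some(t => FakeGlideRecord.matches(t, row))));
    this.pos = -1;
  }
  next() { this.pos += 1; return this.pos < this.results.length; }   // cursor: each call consumes one row
  getValue(field) { return this.results[this.pos][field]; }
  getEncodedQuery() {
    return this.groups.map(g => g.terms
      .map(([f, o, v]) => (o === 'IN' ? f + 'IN' + v : f + '=' + v)).join('^OR')).join('^');
  }
}

// Stand-in for gs, scoped to one user so the rule can be run for several users in a row.
function makeGs(userId, roles) {
  return { getUserID: () => userId, hasRole: role => roles.includes(role) };
}

// The rule body from the answer, taking gs as a parameter instead of a global.
function restrictIncidentsRule(current, gs) {
  if (gs.hasRole('admin')) return;
  const groups = [];
  const grMember = new FakeGlideRecord('sys_user_grmember');
  grMember.addQuery('user', gs.getUserID());
  grMember.query();
  while (grMember.next()) groups.push(grMember.getValue('group'));
  if (groups.length > 0) {
    const qc = current.addQuery('assignment_group', 'IN', groups.join(','));
    qc.addOrCondition('assigned_to', gs.getUserID());
    qc.addOrCondition('caller_id', gs.getUserID());
  } else {
    const qc2 = current.addQuery('assigned_to', gs.getUserID());
    qc2.addOrCondition('caller_id', gs.getUserID());
  }
}

// What the incident list would contain for a user once the rule has added its filter.
function visibleIncidents(userId, roles) {
  const current = new FakeGlideRecord('incident');
  restrictIncidentsRule(current, makeGs(userId, roles));
  current.query();
  const numbers = [];
  while (current.next()) numbers.push(current.getValue('number'));
  return { numbers, encodedQuery: current.getEncodedQuery() };
}

// The cursor defect the answer describes: after "if (gr.next())" has consumed the
// only membership row, a second gr.next() looks for a row that does not exist.
function isGroupMember(userId, groupId, doubleNext) {
  const gr = new FakeGlideRecord('sys_user_grmember');
  gr.addQuery('user', userId);
  gr.addQuery('group', groupId);
  gr.query();
  let answer = false;
  if (gr.next()) answer = doubleNext ? gr.next() : true;
  return answer;
}

console.log(visibleIncidents('u_alice', ['itil']));
console.log(visibleIncidents('u_carol', ['itil']));
console.log(isGroupMember('u_bob', 'g_network', true), isGroupMember('u_bob', 'g_network', false));
```

Running it shows alice (Network and Hardware member) seeing the Network and Hardware incidents plus the ones she raised or is assigned, carol (no group) seeing only the incident she raised, and an admin seeing everything; the encoded query for alice comes out as assignment_groupINg_network,g_hardware^ORassigned_to=u_alice^ORcaller_id=u_alice, which is the shape the real rule produces in the instance. Two things to keep in mind when deploying the real rule: a before-query business rule runs for every query on incident made as that user, not only the list view, so the condition or role scoping the answer mentions matters for reports and integrations; and the group lookup can be shortened with gs.getUser().getMyGroups(), which returns the current user's group sys_ids without a separate GlideRecord query.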
