Restricting record access

  • Release version: Yokohama
  • Updated January 30, 2025

    You can use a query business rule that executes before the database query to prevent users from accessing certain records.

    Warning:
    The customization described here was developed for use in specific instances, and is not supported by Now Support. This method is provided as-is and should be tested thoroughly before implementation. Post all questions and comments regarding this customization to our community forum.

    Consider the following example from a default business rule that limits access to incident records.

    Table 1. Default business rule limits access to incident records
    Name            Table     When
    incident query  Incident  before, query

    Restricting record access

    In the following example, users are restricted from accessing incident records unless they have the itil role or are listed in the Caller, Opened by, or Watch list field. When self-service users open a list of incidents, they can only see the incidents they submitted.
    if (!gs.hasRole("itil") && gs.isInteractive()) {
      // Restrict non-itil, interactive sessions to records that reference the current user
      var u = gs.getUserID();
      var qc = current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
      gs.print("query restricted to user: " + u);
    }
    Note:
    You can also use access controls to restrict the records that users can see. For information, see Access Control List Rules.
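
    The following stand-alone model of the rule's logic is an added example, not ServiceNow code: it runs in Node.js against constructed records and shows which incidents each kind of session sees, including a non-interactive session that the rule leaves unfiltered. The session object, the function names, and the shortened sys_ids are assumptions made for illustration.

```javascript
// Constructed sample data; sys_ids are shortened (real ones are 32 hex characters).
const incidents = [
  { number: "INC001", caller_id: "u_alice", opened_by: "u_bob",   watch_list: "" },
  { number: "INC002", caller_id: "u_carol", opened_by: "u_alice", watch_list: "" },
  { number: "INC003", caller_id: "u_carol", opened_by: "u_bob",   watch_list: "u_dave,u_alice" },
  { number: "INC004", caller_id: "u_carol", opened_by: "u_bob",   watch_list: "u_dave" },
];

// Hypothetical session shape standing in for gs.hasRole(), gs.isInteractive()
// and gs.getUserID() in the business rule.
function buildFilter(session) {
  // Same guard as the rule: only non-itil, interactive sessions are restricted.
  if (!session.roles.includes("itil") && session.interactive) {
    const u = session.userId;
    // caller_id = u OR opened_by = u OR watch_list CONTAINS u
    return (rec) =>
      rec.caller_id === u || rec.opened_by === u || rec.watch_list.includes(u);
  }
  return null; // the rule adds no condition to the query
}

// The rule's condition is ANDed with whatever filter the user applied to the list.
function visibleIncidents(session, userFilter = () => true) {
  const restrict = buildFilter(session);
  return incidents
    .filter(userFilter)
    .filter((rec) => (restrict ? restrict(rec) : true))
    .map((rec) => rec.number);
}

const selfService = { userId: "u_alice", roles: [], interactive: true };
const agent = { userId: "u_bob", roles: ["itil"], interactive: true };
// Same user and roles as selfService, but a non-interactive session.
const integration = { userId: "u_alice", roles: [], interactive: false };

console.log("self-service:", visibleIncidents(selfService));
console.log("itil agent:  ", visibleIncidents(agent));
console.log("integration: ", visibleIncidents(integration));
```

    Because the guard includes gs.isInteractive(), the rule adds no condition for non-interactive sessions, so records that must stay hidden there need access controls as well.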

    Schedule script for weekdays

    Type: Business Rules/Client Scripts.

    This script runs the enclosed logic only on weekdays. Insert your script where it says "(your script here)."
    var go = 'false';
    var now = new Date();

    // Correct time zone, which is by default GMT -7
    now.setHours(now.getHours() + 8);
    var day = now.getDay();

    // No go on Saturday or Sunday
    if (day != 0 && day != 6) {

      // (your script here)

    }

    Set date field according to current date

    This script sets a date field depending on the current day of the week. In this example, if the day is Monday through Wednesday, it sets the date to this coming Monday; otherwise it sets the date field to next Monday.
    function setCabDate() {
      var today = new Date();
      // getDay() returns 0 for Sunday, 1 for Monday, through 6 for Saturday.
      var thisDay = today.getDay();

      var thisMon = new GlideDateTime();
      thisMon.setDisplayValue(gs.beginningOfThisWeek());
      var nextMon = thisMon.getNumericValue();
      nextMon += (1000 * 60 * 60 * 24 * 7);

      if ((thisDay < 4) && (thisDay > 0)) {
        // if today is Mon thru Wed (thisDay = 1, 2, or 3), set cab to this coming Monday.
        current.u_req_cab_rev_date.setDateNumericValue(thisMon.getNumericValue());
      } else if ((thisDay >= 4) || (thisDay == 0)) {
        // if today is Thurs thru Sun (thisDay = 4, 5, 6, or 0), set cab to next Monday.
        current.u_req_cab_rev_date.setDateNumericValue(nextMon);
      }
    }

    To validate the input of all date/time fields, you can use the following in a validation script (System Definition > Validation Scripts). Because the date/time format is hard coded in this script, it must match your instance's date/time format. If your instance's date/time format changes, you must update your validation script.

    Set the validation script's type to Date/Time. Then, with this validation script, if a user enters an incorrect format in a date/time field, they receive an error message.
    function validate(value) {
      // empty fields are still valid dates
      if (!value)
        return true;

      // We "should" always have the global date format defined. But there's always that edge case.
      if (typeof g_user_date_time_format !== 'undefined')
        return isDate(value, g_user_date_time_format);

      // if we don't have that defined, we can always try guessing
      return parseDate(value) !== null;
    }
    For more information, see Validation script use case - Date and time.