Restricting record access

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Restricting record access

    This content explains how ServiceNow customers can restrict user access to specific records by using query business rules that execute before database queries. This approach enables control over which records users can see based on roles and field values in the records, enhancing data security within the platform. It also includes examples of scripts for scheduling actions on weekdays, setting date fields based on the current day, and validating date/time input formats.

    Show full answer Show less

    Restricting Record Access Using Query Business Rules

    By creating a business rule set to run before query on a table (e.g., Incident), you can limit record visibility. For example, the provided business rule restricts incident record access to users who either have the itil role or are listed in the callerid, openedby, or watchlist fields. This ensures self-service users only see incidents they submitted or are involved with.

    Important: This customization is not officially supported by Now Support and should be thoroughly tested before deployment. For alternative or complementary record restrictions, consider using Access Control List (ACL) rules.

    Scheduling Scripts for Weekdays

    The example script schedules execution of custom logic only on weekdays by checking the current day and excluding Saturday and Sunday. This helps automate processes that should run only during business days.

    Setting Date Fields Based on Current Day

    A sample function sets a date field conditionally: if today is Monday through Wednesday, the field is set to the current week's Monday; if Thursday through Sunday, it is set to next Monday. This facilitates dynamic date assignment aligned with business schedules.

    Date/Time Field Validation

    To ensure proper date/time input, a validation script can be implemented. It checks if the entered value matches the instance’s configured date/time format, returning an error for invalid formats. This script must be updated if the instance’s date/time format changes and should be set with type Date/Time in the validation script configuration.

    Practical Takeaways for ServiceNow Customers

    • Use query business rules to restrict record access dynamically before data retrieval, tailoring visibility by user role and record fields.
    • Test all customizations extensively as they are provided "as-is" without official support.
    • Consider ACL rules as an alternative or complement for access control.
    • Leverage scripting examples to automate weekday-only tasks and set date fields based on business logic.
    • Implement date/time validation scripts to ensure data quality and prevent entry errors in date/time fields.

    You can use a query business rule that executes before the database query to prevent users from accessing certain records.

    Warning:
    The customization described here was developed for use in specific instances, and is not supported by Now Support. This method is provided as-is and should be tested thoroughly before implementation. Post all questions and comments regarding this customization to our community forum.

    Consider the following example from a default business rule that limits access to incident records.

    Table 1. Default business rule limits access to incident records
    Name Table When
    incident query Incident before, query

    Restricting record access

    In the following example, users are restricted from accessing incident records unless they have the itil role and are listed in the Caller or Opened by field. When self-service users open a list of incidents, they can only see the incidents they submitted. 
    if (!gs.hasRole("itil")&& gs.isInteractive()) {
  var u = gs.getUserID();
  var qc = current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list","CONTAINS", u);
  gs.print("query restricted to user: " + u);}
    Note:
    You can also use access controls to restrict the records that users can see. For information, see Access Control List Rules.

    Schedule script for weekdays

    Type: Business Rules/Client Scripts.

    This script schedules the script for weekdays. Insert any script where it says "Your Script Here."
    var go ='false';
var now =new Date(); 
 
// Correct time zone, which is by default GMT -7 
now.setHours(now.getHours()+8);
var day = now.getDay(); 
 
// No go on Saturday or Sunday 
if(day !=0&& day !=6){
 
// (your script here)
 
}

    Set date field according to current date

    This script sets a date field depending on the current day of the week. In this example, if the day is Monday through Wednesday, it sets the date to this coming Monday; otherwise it sets the date field to next Monday. 
    function setCabDate(){
var today = new Date();
var thisDay = today.getDay();

//returns 0 for Sunday, 1 for Monday, through 6 for Saturday.
var thisMon = new GlideDateTime();
thisMon.setDisplayValue(gs.beginningOfThisWeek());
var nextMon = thisMon.getNumericValue();
nextMon +=(1000*60*60*24*7);
 
if((thisDay <4)&&(thisDay >0))
  //if today is Mon thru Wed (thisDay = 1, 2, or 3), set cab to this coming Monday.
  current.u_req_cab_rev_date.setDateNumericValue(thisMon.getNumericValue());
else if((thisDay >=4)||(thisDay ==0))
  //if today is Thurs thru Sun (thisDay = 4, 5, 6, or 0), set cab to next Monday.
  current.u_req_cab_rev_date.setDateNumericValue(nextMon);
}

    To validate the input of all date/time fields, you can use the following in a validation script (System Definition > Validation Scripts). Because the date/time format is hard coded in this script, it must match your instance's date/time format. If your instance's date/time format changes, you must update your validation script.

    Set the validation script's type to Date/Time. Then, with this validation script, if a user enters an incorrect format in a date/time field, they receive an error message.
    function validate(value){
// empty fields are still valid dates 
if(!value) 
    return true; 
 
// We "should" have the global date format defined always defined. But there's always that edge case. 
if(typeof g_user_date_time_format !=='undefined')
    return isDate(value, g_user_date_time_format); 
 
// if we don't have that defined, we can always try guessing 
return parseDate(value)!==null;}
    For more information, see Validation script use case - Date and time.