Restrict the ability to write to a record based on an assignment group

You can restrict write or read rights on records based on membership in an assignment group. Modify the ACL conditions and script to fit your specific requirements.

Before you begin

Role required: security_admin (elevated role from admin)
Note: This action is performed in the Vulnerability scope.

Procedure

  1. Navigate to System Security > Access Control (ACL).
  2. Search for ACLs that start with sn_vul.
  3. Choose an Access Control record, for example, sn_vul_vulnerable_item, Operation write.
  4. Check the Advanced box in the record, if necessary, to display the Role entries.
  5. Modify the Role script for your requirements.
    Example script that restricts write access to the assigned user or to members of the assignment group:

    // Allow the write when the current user is the assignee, or is a member
    // of the record's assignment group (evaluated on every write attempt).
    answer = (current.assigned_to == gs.getUserID() || isMemberOfForScopedApp(current.assignment_group));

    // Note: the standard 'isMemberOf' does not work within a scoped application,
    // so the membership lookup is done directly against sys_user_grmember instead:
    // gs.getUser().isMemberOf(current.assignment_group);
    function isMemberOfForScopedApp(groupID) {
        var result = false;
        // An empty assignment group never grants access.
        if (groupID != '') {
            var userID = gs.getUserID();
            var gr = new GlideRecord("sys_user_grmember");
            gr.addQuery("group", groupID);
            gr.addQuery("user", userID);
            gr.setLimit(1); // one matching membership row is enough
            gr.query();
            if (gr.next()) {
                result = true;
            }
        }
        return result;
    }
  6. Click Update.