
Tickets tagging across domains

dwef
Tera Contributor

Hi,
If a shared data user creates a ticket in customer A's domain, they are able to attach customer B's domain tickets in the related list and related records.

Kindly provide me a solution for how to restrict this ASAP, as this is affecting many customers.

6 REPLIES

Can anyone please help me with a script to restrict other domains' tickets from being visible in the related records and related lists of domain A for a shared data user?

It is affecting many customers, please help ASAP.

Shubham_Jain
Mega Sage

To address this issue, where users from customer A can attach tickets from customer B to the related list or related records, you can implement domain separation and set proper access controls in ServiceNow.

 

Here’s a solution:

  • Domain Separation: Ensure that domain separation is correctly configured. ServiceNow provides domain separation to keep data segregated by customer. This helps restrict access to data across different customers.

    • Check domain settings: Ensure that each customer is assigned to their respective domains (Customer A in Domain A, Customer B in Domain B).
    • Restrict domain data sharing: Make sure data sharing is restricted between domains, unless explicitly allowed.
  • Access Control Rules (ACLs): You should create or update ACLs for the related records or related list table (such as the task table for incidents, problems, etc.) to restrict access between domains.

    • For example, on the [task] table, create ACLs to ensure that records from one domain (Customer A) cannot view or interact with records from another domain (Customer B).
    • The ACL should include conditions to check if the record belongs to the same domain as the current user's domain.
    • Condition: current.domain != gs.getUser().getDomainID()
      Script: gs.addErrorMessage("You are not authorized to view or link records from other domains.");
      answer = false;
  • Related Lists Configuration: Ensure the related list configuration only shows records relevant to the current domain. You can control this by setting domain filters in related lists.

  • Cross-scope access (If applicable): If cross-domain scripting or scoped apps are being used, make sure cross-scope access is restricted by properly configuring permissions between the two scopes.

Validation is important:

  • Test with users from both domains to ensure that Customer A users cannot see or attach Customer B’s records and vice versa.
  • Validate that the issue is resolved across different user roles and domains.

✔️ If this solves your issue, please mark it as Correct.

✔️ If you found it helpful, please mark it as Helpful.

Shubham Jain
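
An added example, not part of the reply above and not ServiceNow's own code: the same-domain check from the ACL bullet written so the script grants access only on a positive match, plus a helper for the validation step that lists which linked records the rule would deny. The function names, the `sys_domain` field name, the `'global'` domain value and the sample records are assumptions.

```javascript
// Added example. Function and variable names are hypothetical.
// Assumptions: the record's domain reference field is sys_domain and the
// global domain is stored as the string 'global'.
var GLOBAL_DOMAIN = 'global';

// An ACL grants access, so the script must yield true only on a positive
// match and false for everything else (fail closed on missing values).
function domainAclAnswer(recordDomain, userDomain, allowGlobalRecords) {
  var rec = String(recordDomain || '');
  var usr = String(userDomain || '');
  if (!rec || !usr) return false;          // unresolved domain: deny
  if (rec === usr) return true;            // same domain: allow
  if (rec === GLOBAL_DOMAIN) return allowGlobalRecords === true;
  return false;                            // any other domain: deny
}

// Validation helper: given linked records, list those the rule would deny.
function deniedLinks(links, userDomain, allowGlobalRecords) {
  var denied = [];
  for (var i = 0; i < links.length; i++) {
    if (!domainAclAnswer(links[i].domain, userDomain, allowGlobalRecords)) {
      denied.push(links[i].number);
    }
  }
  return denied;
}

// Constructed sample data (not real records or real sys_ids).
var SAMPLE_LINKS = [
  { number: 'INC0000001', domain: 'domain_a_sys_id' },
  { number: 'INC0000002', domain: 'domain_b_sys_id' },
  { number: 'PRB0000003', domain: 'global' },
  { number: 'CHG0000004', domain: 'domain_a_sys_id' }
];

// Inside a ServiceNow ACL script, `current`, `gs` and `answer` are supplied
// by the platform; outside the platform this branch is skipped.
if (typeof current !== 'undefined' && typeof gs !== 'undefined') {
  answer = domainAclAnswer(current.sys_domain, gs.getUser().getDomainID(), false);
}
```
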