shreedevin
Giga Guru

Issue Description: A user attempted to download an exported file but was unable to do so. The restriction appears to be applied through a scripted ACL that validates the user's IP address.


Solution:

1. Understanding the Scripted ACL Logic

  • The scripted ACL checks a property that contains a list of allowed IP ranges.

  • When a user attempts to download a file, the script retrieves the user’s IP via Get Client IP.

  • If the IP is within the allowed range, the ACL grants access to the download.

  • If the IP is outside the allowed range, access is denied.

2. Implementation Steps

Step 1: Define the Allowed IP Ranges

  • Create or update a property in ServiceNow that stores the allowed IP ranges.

  • Example property: sys_properties.IP_whitelist

Step 2: Create the Scripted ACL

  • Navigate to System Security > Access Control (ACLs).

  • Create a new ACL with:

    • Type: Record

    • Operation: Read (or specific operation like download or export)

    • Table: sys_attachment (or relevant table)

    • Script:

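(function() {
    // Client IP of the current session; deny if it cannot be determined.
    var userIP = gs.getSession().getClientIP();
    if (!userIP) {
        return false;
    }
    // Comma-separated list of allowed IP prefixes.
    var allowedIPs = gs.getProperty('sys_properties.IP_whitelist', '');
    var ipList = allowedIPs.split(',');

    for (var i = 0; i < ipList.length; i++) {
        var prefix = ipList[i].trim();
        // Skip empty entries: an empty prefix matches every address, so an
        // unset property or a trailing comma would otherwise allow everyone.
        if (prefix === '') {
            continue;
        }
        // Prefix match. End each prefix with a dot ("10.1."), because
        // "10.1" also matches 10.10.x.x and 10.100.x.x.
        if (String(userIP).indexOf(prefix) === 0) {
            return true;
        }
    }
    return false;
})();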

Step 3: Test the ACL

  • Ensure that users within the allowed IP range can download and export attachments.

  • Verify that users outside the allowed range are blocked.

3. Troubleshooting

  • If a user is unable to download despite being within the allowed IP range:

    • Verify their IP address using Session Debug Log.

    • Check the configured IP whitelist property.

    • Ensure the ACL is applied to the correct table and operation.

  • If no restrictions are applied:

    • Ensure the ACL script is correctly configured.

    • Check if there are other ACLs overriding this rule.

Conclusion: By implementing a scripted ACL, ServiceNow administrators can effectively control access to downloads and exports based on IP restrictions. This method ensures secure file access while maintaining a seamless user experience.
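
An added example, not part of the original post or ServiceNow's own code: the allow-list test from the Step 2 script as standalone JavaScript, extended beyond the post's prefix match to IPv4 CIDR ranges and placed next to the plain prefix test for comparison. The function names and sample addresses are constructed, and it assumes IPv4 client addresses and a comma-separated property value.

```javascript
// Added example; function names and sample addresses are constructed.

// Convert a dotted-quad IPv4 string to an unsigned integer, or null if malformed.
function ipv4ToInt(ip) {
    var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip).trim());
    if (!m) return null;
    var n = 0;
    for (var i = 1; i <= 4; i++) {
        var octet = parseInt(m[i], 10);
        if (octet > 255) return null;
        n = n * 256 + octet;
    }
    return n;
}

// True if ip lies inside entry, where entry is "a.b.c.d/len" or a single address.
function inCidr(ip, entry) {
    var parts = String(entry).trim().split('/');
    if (parts.length > 2) return false;
    var base = ipv4ToInt(parts[0]);
    var addr = ipv4ToInt(ip);
    if (base === null || addr === null) return false;
    var lenText = parts.length === 2 ? parts[1] : '32';
    if (!/^\d{1,2}$/.test(lenText)) return false;
    var len = parseInt(lenText, 10);
    if (len > 32) return false;
    // Compare block numbers with division to avoid signed 32-bit bitwise math.
    var size = Math.pow(2, 32 - len);
    return Math.floor(addr / size) === Math.floor(base / size);
}

// Fail closed: empty or malformed entries never match.
function isAllowed(ip, propertyValue) {
    var entries = String(propertyValue || '').split(',');
    for (var i = 0; i < entries.length; i++) {
        if (inCidr(ip, entries[i])) return true;
    }
    return false;
}

// Unguarded prefix test, for comparison with the CIDR check.
function prefixAllowed(ip, propertyValue) {
    return propertyValue.split(',').some(function (p) {
        return ip.indexOf(p.trim()) === 0;
    });
}
```

With an unguarded prefix test, the entry `10.1` admits `10.10.5.5` and an empty property admits every address; the CIDR check rejects both cases.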
