Allowing a role to add attachments to a record but not edit any fields on that table

Erik Stuer
Tera Guru

I have a custom role that contains the Continuous Authorization and Monitoring Executive Reader role (grants read access with a table.none ACL - can read any record across the different tables in the CAM suite). The new role is used so that users can, in addition to the Executive Reader role's permissions, edit certain fields on the Authorization Package and add attachments to both the Authorization Boundary and Authorization Package. The only part I am still trying to get to work is allowing this role to add attachments to the Authorization Boundary. The ACL allowing them to edit certain fields on the package is allowing attachments there. I have tried making a table.none create ACL on the sys_attachment table with the following script condition:
(function() {
    // Check if the attachment is for the sn_irm_cont_auth_authorization_boundary table
    return current.table_name == 'sn_irm_cont_auth_authorization_boundary';
})();
This did not work. I used this script as it is the same as some OOB ones used.
Any help would be greatly appreciated!

2 REPLIES

Maik Skoddow
Tera Patron

No need to change any OOTB ACL for the sys_attachment table. For the answer please refer to https://www.servicenow.com/community/developer-forum/allow-adding-attachments-to-form-but-restrict-w... 

This would work. But I am worried about the technical debt involved in this solution. You would have to update the new table.* ACL every time you wanted to add a new role with write permissions. And you'd have to incorporate all of the table.none ACL requirements into the table.* ACL.