Attachment encryption from Inbound Email

Hao Vi Mac
Tera Expert

Hi everyone,

I have a question about whether we could encrypt an attachment containing sensitive data that is sent by email to the instance. OOB, I can see that when a record is created from an Inbound Email Action (such as Create Incident) and an attachment is associated with the email, the attachment from that incoming email is not encrypted.

Is there a way to implement this functionality, or is it not supported yet?

Thanks.

2 REPLIES

Jeff Boltz1
Mega Guru

Struggling with this myself.

 

1.  Business Rule on Attachment table

2.  Scripted REST API gets called

3.  REST API runs as local user with role having Encryption Context/Module Access Policy

4.  Script Include prior to Utah:

 

var sysAttachment = new GlideSysAttachment();

sysAttachment.changeEncryptionContext(attachmentGR.getValue("table_name"), attachmentGR.getValue("table_sys_id"), attachmentGR.sys_id, context);

 

5.  That is not going to work after Utah, so trying API: GlideSysAttachment - Global (servicenow.com)

 

The problem I am facing is that for an inbound action, the attachment record persists to the DB first, then the record (e.g. incident). The API needs a GlideRecord, but since it is not created yet, it is null, and I get an org.mozilla.javascript.NativeArr error.

Example:

 

//Source: https://docs.servicenow.com/bundle/utah-api-reference/page/app-store/dev_portal/API_reference/GlideSysAttachmentGlobal/concept/GlideSysAttachmentGlobalAPI.html

function copyAttachmentToGlideRecord(conceptSysId) {

  // Get record from test_table using sys_id
  var targetGlideRecord = new GlideRecord("test_table");
  if (!targetGlideRecord.get(conceptSysId)) {
     throw ("Cannot find record created by test with sys_id: " + conceptSysId);
  }

  // Get record from sys_attachment table
  var sourceAttachmentGlideRecord = new GlideRecord('sys_attachment');    
  sourceAttachmentGlideRecord.query();
  sourceAttachmentGlideRecord.next();

  // Get field values from retrieved sys_attachment record
  var fileName = sourceAttachmentGlideRecord.getValue('file_name');
  var contentType = sourceAttachmentGlideRecord.getValue('content_type');
  var sourceAttachmentSysId = sourceAttachmentGlideRecord.getValue('sys_id');

  // Attach sys_attachment record content stream to test_table record
  var gsa = new GlideSysAttachment();
  gsa.writeContentStream(
    targetGlideRecord,
    fileName,
    contentType,
    gsa.getContentStream(sourceAttachmentSysId));
  gs.info("Attachment created");
}

 

The idea is to read what was saved on sys_attachment, then write it back as a non-system user so that attachment encryption happens.
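The ordering problem described in the reply above (the sys_attachment row is saved before the target record exists) can be handled with an explicit guard before `writeContentStream` is called. This is an added example, not code from the thread or from ServiceNow: `reattachIfTargetExists` and its status values are hypothetical, deleting the original after the copy is an assumption, and whether the rewritten copy ends up encrypted depends on the roles of the user the script runs as, as the reply describes.

```javascript
// Added example: server-side ServiceNow script (Script Include style).
// reattachIfTargetExists is a hypothetical helper name, not a platform API.
function reattachIfTargetExists(attachmentSysId) {
  // Load the sys_attachment row that the inbound email created.
  var att = new GlideRecord('sys_attachment');
  if (!att.get(attachmentSysId)) {
    return { status: 'missing_attachment' };
  }

  // For inbound actions the attachment row is saved before the target
  // record, so this lookup can legitimately fail. Report "deferred" instead
  // of handing an empty GlideRecord to writeContentStream.
  var target = new GlideRecord(att.getValue('table_name'));
  if (!target.get(att.getValue('table_sys_id'))) {
    return { status: 'deferred' };
  }

  // Same read and write-back call sequence as the documentation sample above.
  var gsa = new GlideSysAttachment();
  var newSysId = gsa.writeContentStream(
    target,
    att.getValue('file_name'),
    att.getValue('content_type'),
    gsa.getContentStream(attachmentSysId));
  if (!newSysId) {
    // Keep the original when the copy failed, so no data is lost.
    return { status: 'write_failed' };
  }

  // Assumption: the original copy should not remain next to the rewritten
  // one, so it is removed only after the new attachment exists.
  gsa.deleteAttachment(attachmentSysId);
  return { status: 'rewritten', newSysId: newSysId };
}
```

A caller that receives `deferred` can retry once the target record has been inserted. A business rule on sys_attachment must also skip the rows this function creates, or it will fire again for every rewritten copy.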

Hello Jeff,

 

Thank you for your suggestion after such a long time.

 

I was struggling to find a way to implement this back then, when the customer instance was prior to Utah and was using the Encryption Module (by utilizing a context key). Since Inbound Email is not considered an interactive session, a context key could not be passed. It requires an interactive session to generate one. In the end, they came up with another approach by using an API call at that time.

 

I really appreciate it.

 

Thanks,

Hao