Can an external user access sys_user.email

MS12
Kilo Sage

So this scenario is a bit complex, please bear with me.

We have domain separated instance,

1. a contact logs in - they have roles - snc_external, sn_customerservice.customer, sn_customerservice.customer_case_manager and some other roles as well.

2. They create a new case request from customer portal.

3. We have provided a free text field where they can enter an employee's email address to add them to the watchlist.

4. Once they hit submit, in the case form view there is a watchlist field that comes up as null, since it doesn't let them view an employee's email.

(We have tried different options like adding a new column on case table to populate watchlist thinking this might show the watchlist field on the case form for the contact but no luck)

5. If there's any other customer contact mentioned in the watchlist they can see that.

But employees never show up. Script logs show that the employee email is the issue: the list of sys_ids etc. has all the users mentioned, but once the while loop starts picking the email, it doesn't log anything for an employee.

Tried opening up the read ACLs for sys_user table at email column and row level to include the roles mentioned above. But no luck! At this point I'm not sure if it is a domain separation or ACL issue.

Any help is appreciated.

1 ACCEPTED SOLUTION

Thank you for your response.

To answer your question,

Your post doesn't indicate if the watch list was correctly updated, i.e. that the client user was able to add an internal user to the watch list (just not see the record) and that these watch list records can be seen by an internal user?

Ans: We added a free text field on the catalog item to add an internal user by entering their exact email address, so they must know the internal contact's email address to be able to do that. On the fulfiller side the watchlist displays the internal contact, but on the portal side it hides the person from the watchlist.

We added a free text column (u_watchlist) to the case table to expose watchlist users on the portal case form. This field stores the watchlist of both internal and external users.

So I figured out it was a domain issue: all the users in the sys_user table belong to the TOP domain, and portal users cannot access data that is in the TOP domain.

1. If I set domain override to true for that user record and change the domain to Global, the watchlist will display the internal user on the portal side as well. But this has to be done on a user-by-user basis.

2. Another solution is to run a business rule in the global scope in async mode and impersonate admin to run the rule. This BR will populate the u_watchlist field and also display it correctly on the portal.


2 REPLIES 2

Tony Chatfield1
Kilo Patron

Hi, your post doesn't indicate if the watch list was correctly updated, i.e. that the client user was able to add an internal user to the watch list (just not see the record) and that these watch list records can be seen by an internal user?

I would imagine that your internal users are not in the same domain as the client user, and so even if ACLs are configured to allow access, the end user is not able to see the user records because of domain separation. Can they see other reference data records that are not in their domain?
The OOB system property 'glide.sys.domain.use_record_domain_for_data' is true and that may be preventing visibility of reference data.

Domain system properties and user preferences (servicenow.com)


If the watch list is not getting populated, how are you mapping the free text into the watch list?
Assuming it's a GlideQuery on sys_user to match the email, have you tried using the queryNoDomain() method?

https://developer.servicenow.com/dev.do#!/reference/api/tokyo/server_legacy/c_GlideRecordAPI#r_Glide...


One simple fix (assumes the watch list is being populated correctly) might just be a text field where you map details of the watchlist, so the end user can see the text.
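As an added example that is not code from either post, here is a server-side JavaScript sketch of the two things discussed in this thread: the queryNoDomain() lookup Tony points at, and the global-scope async business rule MS12 settled on to fill u_watchlist. It assumes the standard watch_list field holds comma-separated sys_user sys_ids; FakeGlideRecord is a constructed stand-in (only the GlideRecord calls used here, with fabricated rows) so the script runs outside ServiceNow.

```javascript
// Added example, not code from the thread. Resolves a case's watch_list (comma-separated
// sys_user sys_ids) into a readable string for the u_watchlist free-text column.
// GlideRecord.queryNoDomain() finds TOP-domain employees even when the script runs under a
// portal user's domain; only names are written, so no employee e-mail lands on the case record.
function buildWatchlistText(watchListValue, GlideRecordCtor, noDomain) {
  var ids = (watchListValue || '').split(',').filter(function (s) { return s.trim() !== ''; });
  if (ids.length === 0) { return ''; }
  var gr = new GlideRecordCtor('sys_user');
  gr.addQuery('sys_id', 'IN', ids.join(','));
  if (noDomain) { gr.queryNoDomain(); } else { gr.query(); } // query() is domain-filtered
  var names = [];
  while (gr.next()) { names.push(gr.getValue('name')); }
  return names.join(', ');
}
// In an async after-insert/update Business Rule on the case table (global scope), the body would be:
//   current.u_watchlist = buildWatchlistText(current.getValue('watch_list'), GlideRecord, true);
//   current.setWorkflow(false); current.update();

// Constructed stand-in for GlideRecord so the example runs outside the platform. It holds two
// fabricated sys_user rows and a caller sitting in the 'ACME' customer domain; query() drops
// rows from other domains (simplified domain separation), queryNoDomain() does not.
function FakeGlideRecord(table) {
  this.callerDomain = 'ACME';
  this.rows = [
    { sys_id: 'aaaa0000000000000000000000000001', name: 'Internal Employee', sys_domain: 'TOP' },
    { sys_id: 'bbbb0000000000000000000000000002', name: 'Customer Contact', sys_domain: 'ACME' }
  ];
  this.ids = null;
  this.idx = -1;
}
FakeGlideRecord.prototype.addQuery = function (field, op, value) {
  if (field === 'sys_id' && op === 'IN') { this.ids = value.split(','); }
};
FakeGlideRecord.prototype.queryNoDomain = function () {
  var ids = this.ids;
  this.rows = this.rows.filter(function (r) { return ids.indexOf(r.sys_id) !== -1; });
};
FakeGlideRecord.prototype.query = function () {
  this.queryNoDomain();
  var dom = this.callerDomain;
  this.rows = this.rows.filter(function (r) { return r.sys_domain === dom; });
};
FakeGlideRecord.prototype.next = function () { this.idx += 1; return this.idx < this.rows.length; };
FakeGlideRecord.prototype.getValue = function (field) { return this.rows[this.idx][field]; };

var WATCH_LIST = 'aaaa0000000000000000000000000001,bbbb0000000000000000000000000002'; // constructed
var domainFiltered = buildWatchlistText(WATCH_LIST, FakeGlideRecord, false); // 'Customer Contact'
var crossDomain = buildWatchlistText(WATCH_LIST, FakeGlideRecord, true);     // 'Internal Employee, Customer Contact'
```

Writing display names rather than email addresses into u_watchlist keeps the employee email, which the read ACL on sys_user.email exists to protect, off a record the external contact can read.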
