01-24-2025 02:52 PM
I am having some trouble getting a Deny Unless ACL working to hide attachments in the header of records on a specific table.
I have a table named u_contacts that already has ACLs to restrict visibility of records based on group membership using the following script:
// Deny by default; allow only when the user is in one of the listed groups
answer = false;
var groupList = current.u_share_with_group.toString();
var group = new GlideRecord("sys_user_group");
group.addQuery("sys_idIN" + groupList); // encoded query over the list field's sys_ids
group.query();
while (group.next()) {
    if (gs.getUser().isMemberOf(group.name.toString())) {
        answer = true;
    }
}
This is working as expected in an Allow If ACL, however what I need to do is hide any attachments on the record as well if this ACL fails. I had no luck using various Allow If configurations, and was only able to hide attachments by putting a Deny Unless ACL on the sys_attachment table.
This hides read for all attachments system wide though, and I can't seem to figure out the best way to target attachments only on the u_contacts table.
I think that what I need to do is the following, but can't seem to get it working quite right:
Table = sys_attachment
User has role snc_internal
Applies to attachments with table_name = u_contacts
User is a member of a group listed in the u_share_with_group field on the current record on u_contacts
01-24-2025 05:03 PM
I was able to get this working with the following script in a Deny Unless ACL
// Default to deny access
answer = false;
if (current.getValue('table_name') === 'u_contacts') {
    // Get the sys_id of the parent record
    var parentSysId = current.getValue('table_sys_id');
    // Query the parent table to get the group list
    var parentRecord = new GlideRecord(current.getValue('table_name'));
    if (parentRecord.get(parentSysId)) {
        var groupList = parentRecord.u_share_with_group.toString();
        // Check if groupList has any values
        if (groupList) {
            // Retrieve the user's group membership
            var userGroupIds = [];
            var userGroups = new GlideRecord('sys_user_grmember');
            userGroups.addQuery('user', gs.getUserID());
            userGroups.query();
            while (userGroups.next()) {
                userGroupIds.push(userGroups.group.toString());
            }
            // Check if the user is a member of any of the required groups
            // (indexOf rather than includes so it also runs on ES5-only script engines)
            var requiredGroups = groupList.split(',');
            for (var i = 0; i < requiredGroups.length; i++) {
                if (userGroupIds.indexOf(requiredGroups[i]) !== -1) {
                    answer = true; // Allow access
                    break;
                }
            }
        }
    }
} else {
    // Allow attachments on other tables
    answer = true;
}
01-24-2025 06:04 PM
Hi @Marcel H_ - This might be more efficient...
// Default to deny access
answer = false;
if (current.getValue('table_name') === 'u_contacts') {
    // Get the sys_id of the parent record
    var parentSysId = current.getValue('table_sys_id');
    // Query the parent table to get the group list
    var parentRecord = new GlideRecord('u_contacts');
    if (parentRecord.get(parentSysId)) {
        var groupList = parentRecord.u_share_with_group.toString();
        if (groupList) {
            // Query user groups and check for membership
            var userGroups = new GlideRecord('sys_user_grmember');
            userGroups.addQuery('user', gs.getUserID());
            userGroups.addQuery('group.sys_id', 'IN', groupList); // Filter directly by required groups
            userGroups.query();
            // If any match is found, allow access
            if (userGroups.hasNext()) {
                answer = true;
            }
        }
    }
} else {
    // Allow attachments on other tables
    answer = true;
}
Instead of collecting the user's group memberships into an array and comparing manually, the addQuery('group.sys_id', 'IN', groupList) directly filters user groups against the u_share_with_group values.
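The two Deny Unless scripts above make the same decision; the following is an added example (not code from this thread or from ServiceNow) that lifts that decision out of the GlideRecord calls into a pure function so it can be checked offline against a small decision table. It assumes the parent record is passed in as a plain object with a `u_share_with_group` string (the shape is hypothetical) and that the sys_ids used are constructed placeholders.

```javascript
// Added example: the Deny Unless decision from the replies, as a pure function.
//   tableName  - sys_attachment.table_name of the attachment being read
//   parent     - parent record found via table_sys_id, or null when it does not
//                resolve (hypothetical shape: { u_share_with_group: "id1,id2" })
//   userGroups - sys_ids of the groups the current user belongs to
function attachmentReadAllowed(tableName, parent, userGroups) {
  // Attachments on every other table are untouched by this rule
  if (tableName !== 'u_contacts') {
    return true;
  }
  // Fail closed: a dangling table_sys_id must not expose the attachment
  if (!parent) {
    return false;
  }
  var shareList = String(parent.u_share_with_group || '');
  if (!shareList) {
    // No groups listed means nobody sees the attachments, as in the replies
    return false;
  }
  var required = shareList.split(',');
  for (var i = 0; i < required.length; i++) {
    // indexOf rather than includes so the logic also runs on ES5-only engines
    if (userGroups.indexOf(required[i].trim()) !== -1) {
      return true;
    }
  }
  return false;
}

// Constructed sample data (placeholder sys_ids, not real records)
var GROUP_A = 'aaaa0000000000000000000000000001';
var GROUP_B = 'bbbb0000000000000000000000000002';
var GROUP_C = 'cccc0000000000000000000000000003';
var sharedContact = { u_share_with_group: GROUP_A + ',' + GROUP_B };
var privateContact = { u_share_with_group: '' };

// Decision table a reviewer would want to see before enabling the ACL
function decisionTable() {
  return [
    attachmentReadAllowed('incident', null, []),                   // other table: allowed
    attachmentReadAllowed('u_contacts', sharedContact, [GROUP_B]),  // member: allowed
    attachmentReadAllowed('u_contacts', sharedContact, [GROUP_C]),  // not a member: denied
    attachmentReadAllowed('u_contacts', privateContact, [GROUP_A]), // empty share list: denied
    attachmentReadAllowed('u_contacts', null, [GROUP_A])            // parent missing: denied
  ];
}
```

The empty-share-list and missing-parent rows are the cases worth confirming on a test instance, since both hide the attachment from everyone, including the record's owner.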
3 weeks ago
If you put the "answer = true" in the else logic in a "Deny Unless" ACL, will it skip all the "Allow If" ACLs and provide the access on other tables, or will it just skip this ACL and again execute the "Allow If" ACLs?