Hide Attachments for a Specific Assignment Group in a Catalog Item Request
‎04-07-2025 01:07 AM
In our ServiceNow instance, we have a specific catalog item configured such that, upon submission, two tasks are generated for the associated RITM:
- The first task is assigned to the ABC Access Group.
- The second task is assigned to the CAS Access Group.
When the request is submitted, any attachment added to the RITM is automatically copied to both SC Tasks. However, we need to implement a restriction for this catalog item such that:
- Members of the CAS Access Group should not be able to view the attachments on either the SC Task or the RITM.
- If the task is reassigned to any other group, members of the reassigned group should gain visibility of the attachments on both the SC Task and the RITM.
The requirement is for a specific catalog item where CAS Access Group is an SC Task assignment group. Please help!
‎04-07-2025 01:20 AM
Hello @sujan0119,
Please try the steps below:
1. Create a Script Include for Attachment Visibility Logic
This Script Include will centralize logic to check if the current user should see attachments.
```javascript
var AttachmentVisibilityChecker = Class.create();
AttachmentVisibilityChecker.prototype = {
    initialize: function() {},

    // gr: the record the attachment belongs to (sc_req_item or sc_task)
    canViewAttachments: function(gr) {
        // cat_item is a field on the RITM; an SC Task reaches it through request_item
        var catItem = '';
        var table = gr.getTableName();
        if (table == 'sc_req_item') {
            catItem = gr.cat_item.getDisplayValue();
        } else if (table == 'sc_task') {
            catItem = gr.request_item.cat_item.getDisplayValue();
        }

        // Only apply to specific catalog item
        if (catItem != 'Your Catalog Item Name') {
            return true;
        }

        // Check if user is in CAS Access Group
        var userGr = new GlideRecord('sys_user_grmember');
        userGr.addQuery('group.name', 'CAS Access Group');
        userGr.addQuery('user', gs.getUserID());
        userGr.query();
        var isInCAS = userGr.hasNext();

        // Check assignment group of the record itself
        var currentGroup = gr.assignment_group.getDisplayValue();
        if (isInCAS && currentGroup == 'CAS Access Group') {
            return false;
        }
        return true;
    },

    type: 'AttachmentVisibilityChecker'
};
```
2. Access Control Rule on sys_attachment
Create an ACL on the sys_attachment table or via a related list ACL, targeting attachments on RITMs (sc_req_item) and tasks (sc_task):
Table: sys_attachment
Condition: Type Advanced
Script:
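```javascript
(function() {
    // table_name and table_sys_id identify the record the attachment belongs to;
    // current.getTableName() would return 'sys_attachment' itself
    var parent = current.getValue('table_name');
    var record = new GlideRecord(parent);
    if (record.get(current.getValue('table_sys_id'))) {
        var checker = new AttachmentVisibilityChecker();
        return checker.canViewAttachments(record);
    }
    return true; // default allow if check fails
})();
```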
Please also check whether users from the group can see attachments on different records. If so, you would need to adjust the Script Include function so that it only returns false for your defined task/RITM (by checking short_description, as an example).
If you found this helpful, please hit the thumbs-up button and mark as correct. That helps others find their solutions.
‎05-20-2025 09:24 AM
I tried the exact thing but it's not working
‎04-20-2025 01:05 AM
Were you able to resolve this? @sujan0119
‎05-20-2025 09:35 AM
Hi @sujan0119 ,
To meet this requirement in ServiceNow, you'll need to implement a custom access control mechanism that dynamically restricts attachment visibility based on:
- Catalog Item (specific one).
- Assignment Group of the SC Task (specifically CAS Access Group).
- Whether the viewer belongs to the CAS Access Group or not.
You can use Access Control Rules (ACLs) and a Scripted ACL on the Attachment [sys_attachment] table to prevent CAS group users from accessing attachments on:
- the RITM
- the SC Task
Only for the specific Catalog Item, and only when Assignment Group = CAS Access Group.
Please follow these steps:
Step 1: Create a Scripted ACL on sys_attachment
Table: sys_attachment
Operation: read
Script:
```javascript
(function() {
    // Allow admins
    if (gs.hasRole('admin')) {
        return true;
    }
    var user = gs.getUser();

    // Get the table and record the attachment belongs to.
    // String() turns the GlideElement into a plain string so that the
    // strict (===, !==) comparisons below compare text, not objects.
    var tableName = String(current.table_name);
    var recordSysId = String(current.table_sys_id);

    // Only apply restriction to 'sc_task' and 'sc_req_item' attachments
    if (tableName !== 'sc_task' && tableName !== 'sc_req_item') {
        return true;
    }
    var parentGR = new GlideRecord(tableName);
    if (!parentGR.get(recordSysId)) {
        return true;
    }

    // Get the RITM from SC Task if necessary
    var ritmGR;
    if (tableName === 'sc_task') {
        ritmGR = parentGR.request_item.getRefRecord();
    } else {
        ritmGR = parentGR;
    }

    // Check if the RITM is from the specific Catalog Item
    if (!ritmGR || String(ritmGR.cat_item.name) !== 'your_catalog_item_sys_name_here') {
        return true; // Not our targeted catalog item
    }

    // Now check if the user is in the CAS group and this is a CAS-assigned task
    var casGroup = new GlideRecord('sys_user_group');
    casGroup.addQuery('name', 'CAS Access Group');
    casGroup.query();
    if (!casGroup.next()) {
        return true; // CAS group not found, allow access
    }
    var casGroupSysId = casGroup.sys_id.toString();

    // If it's an SC Task, check assignment group
    if (tableName === 'sc_task') {
        if (parentGR.assignment_group == casGroupSysId && user.isMemberOf(casGroupSysId)) {
            return false; // Restrict CAS users from seeing attachments
        }
    }

    // If it's the RITM, check if any SC Task assigned to the CAS group exists
    if (tableName === 'sc_req_item') {
        var taskGR = new GlideRecord('sc_task');
        taskGR.addQuery('request_item', parentGR.sys_id);
        taskGR.addQuery('assignment_group', casGroupSysId);
        taskGR.query();
        while (taskGR.next()) {
            if (user.isMemberOf(casGroupSysId)) {
                return false; // Restrict CAS users from RITM attachments
            }
        }
    }
    return true; // Default allow
})();
```
Step 2: Validate Group Membership
Make sure your CAS Access Group is set up properly, and the name used in the script exactly matches.
Step 3: Test Scenarios
- User in CAS Access Group:
  - Assigned task: should not see attachments on SC Task or RITM.
  - Reassigned task: should gain access if they're in the new group (and script allows it).
- User in another group:
  - Should see attachments once the task is reassigned.
Thanks and Regards,
Chiranjeevi R
Please mark as Correct Answer/Helpful, if applicable.
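The rule both answers above aim for, and the Step 3 test scenarios, written as a decision function over constructed records so the expected outcomes can be checked outside an instance. This is an added example, not code from either poster or from ServiceNow; `decideAttachmentRead`, `sampleDb` and the record shapes are hypothetical stand-ins for the GlideRecord lookups.

```javascript
// Added example: plain-JavaScript model of the rule, run against constructed records.
// decideAttachmentRead, sampleDb and the record shapes are hypothetical, not ServiceNow API.
const TARGET_ITEM = 'Your Catalog Item Name'; // placeholder name used in the thread
const CAS = 'CAS Access Group';

function decideAttachmentRead(user, attachment, db) {
  if (user.roles.includes('admin')) return true;
  const { table_name: table, table_sys_id: id } = attachment;
  if (table !== 'sc_task' && table !== 'sc_req_item') return true; // out of scope
  const parent = db[table][id];
  // Assumption: an in-scope attachment whose parent cannot be loaded is denied
  // (the posted scripts allow in this case).
  if (!parent) return false;
  const ritmId = table === 'sc_task' ? parent.request_item : id;
  const ritm = db.sc_req_item[ritmId];
  if (!ritm) return false;
  if (ritm.cat_item !== TARGET_ITEM) return true;  // other catalog items untouched
  if (!user.groups.includes(CAS)) return true;     // only CAS members are restricted
  if (table === 'sc_task') return parent.assignment_group !== CAS;
  // RITM: denied while any of its tasks is still assigned to CAS
  return !Object.values(db.sc_task)
    .some(t => t.request_item === ritmId && t.assignment_group === CAS);
}

// Constructed sample data: RITM R1 for the target item with two tasks,
// plus RITM R2 for an unrelated item whose task is also assigned to CAS.
function sampleDb(secondTaskGroup) {
  return {
    sc_req_item: { R1: { cat_item: TARGET_ITEM }, R2: { cat_item: 'Other Item' } },
    sc_task: {
      T1: { request_item: 'R1', assignment_group: 'ABC Access Group' },
      T2: { request_item: 'R1', assignment_group: secondTaskGroup },
      T3: { request_item: 'R2', assignment_group: CAS },
    },
  };
}

const casUser = { roles: [], groups: [CAS] };
const abcUser = { roles: [], groups: ['ABC Access Group'] };
const onTask = id => ({ table_name: 'sc_task', table_sys_id: id });
const onRitm = id => ({ table_name: 'sc_req_item', table_sys_id: id });

console.log('CAS member, CAS task:', decideAttachmentRead(casUser, onTask('T2'), sampleDb(CAS)));
console.log('CAS member, RITM:', decideAttachmentRead(casUser, onRitm('R1'), sampleDb(CAS)));
console.log('CAS member, after reassignment:',
  decideAttachmentRead(casUser, onRitm('R1'), sampleDb('Network Group')));
// Under this rule the copy attached to the ABC task stays readable to a CAS member.
console.log('CAS member, ABC task:', decideAttachmentRead(casUser, onTask('T1'), sampleDb(CAS)));
```

On the instance, read ACLs on the same table are alternatives: a user who passes any one matching sys_attachment read ACL gets access, so a new scripted ACL that returns false restricts nothing unless the existing read ACLs for that table also deny.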