Hide Attachments for a Specific Assignment Group in a Catalog Item Request

sujan0119
Tera Expert

In our ServiceNow instance, we have a specific catalog item configured such that, upon submission, two tasks are generated for the associated RITM:

  • The first task is assigned to the ABC Access Group.
  • The second task is assigned to the CAS Access Group.

When the request is submitted, any attachment added to the RITM is automatically copied to both SC Tasks. However, we need to implement a restriction for this catalog item such that:

  • Members of the CAS Access Group should not be able to view the attachments on either the SC Task or the RITM.
  • If the task is reassigned to any other group, members of the reassigned group should gain visibility of the attachments on both the SC Task and the RITM.

The requirement is for a specific catalog item where the CAS Access Group is an SC Task assignment group. Please help!


Medi C
Giga Sage

Hello @sujan0119,


Please try the steps below:

1. Create a Script Include for Attachment Visibility Logic

This Script Include will centralize logic to check if the current user should see attachments.

var AttachmentVisibilityChecker = Class.create();
AttachmentVisibilityChecker.prototype = {
    initialize: function() {},

    // gr: the sc_req_item or sc_task record the attachment belongs to
    canViewAttachments: function(gr) {
        // sc_task has no cat_item field, so resolve the RITM through request_item
        var ritm = (gr.getTableName() == 'sc_task') ? gr.request_item.getRefRecord() : gr;

        // Only apply to the specific catalog item; everything else stays visible
        if (!ritm.isValidRecord() || ritm.cat_item.getDisplayValue() != 'Your Catalog Item Name') {
            return true;
        }

        // Check if the current user is a member of the CAS Access Group
        var userGr = new GlideRecord('sys_user_grmember');
        userGr.addQuery('group.name', 'CAS Access Group');
        userGr.addQuery('user', gs.getUserID());
        userGr.query();
        var isInCAS = userGr.hasNext();

        // Check the assignment group of the record the attachment sits on
        var currentGroup = gr.assignment_group.getDisplayValue();

        // Deny only while the record is assigned to the CAS group and the viewer is a CAS member
        if (isInCAS && currentGroup == 'CAS Access Group') {
            return false;
        }
        return true;
    },

    type: 'AttachmentVisibilityChecker'
};


2. Access Control Rule on sys_attachment

Create an ACL on the sys_attachment table or via a related list ACL, targeting attachments on RITMs (sc_req_item) and tasks (sc_task):

  • Table: sys_attachment

  • Condition: Type Advanced

  • Script:

(function() {
    // current is the sys_attachment record. The table the attachment belongs to is
    // held in table_name; current.getTableName() would return 'sys_attachment' itself,
    // so the GlideRecord lookup below would always fail and the ACL would always allow.
    var parent = current.table_name.toString();
    if (parent != 'sc_req_item' && parent != 'sc_task') {
        return true; // not a RITM/task attachment, leave it to the other ACLs
    }
    var record = new GlideRecord(parent);
    if (record.get(current.table_sys_id)) {
        var checker = new AttachmentVisibilityChecker();
        return checker.canViewAttachments(record);
    }
    return true; // default allow if check fails
})();


Please check also whether the users from the group can see attachments on different records. If so, you would need to adjust the Script Include function so that it only returns false for your defined task/RITM (by checking short_description, as an example).


If you found this helpful, please hit the thumbs-up button and mark as correct. That helps others find their solutions.

I tried the exact thing but it's not working

FathimuthuB
Tera Contributor

Were you able to resolve this? @sujan0119


ChiranjeeviR
Kilo Sage

Hi @sujan0119 ,


To meet this requirement in ServiceNow, you'll need to implement a custom access control mechanism that dynamically restricts attachment visibility based on:

  1. Catalog Item (specific one).
  2. Assignment Group of the SC Task (specifically CAS Access Group).
  3. Whether the viewer belongs to the CAS Access Group or not.

You can use Access Control Rules (ACLs) and a Scripted ACL on the Attachment [sys_attachment] table to prevent CAS group users from accessing attachments on:

  • the RITM
  • the SC Task

Only for the specific Catalog Item, and only when Assignment Group = CAS Access Group.


Please follow these steps:


Step 1: Create a Scripted ACL on sys_attachment

Table: sys_attachment

Operation: read

Script:

(function() {
    // Allow admins
    if (gs.hasRole('admin')) {
        return true;
    }

    var user = gs.getUser();

    // Get the table and record the attachment belongs to. current is the
    // sys_attachment record; its fields are GlideElements, so convert them to
    // strings before comparing with === / !==, otherwise the comparison is always false.
    var tableName = current.table_name.toString();
    var recordSysId = current.table_sys_id.toString();

    // Only apply restriction to 'sc_task' and 'sc_req_item' attachments
    if (tableName !== 'sc_task' && tableName !== 'sc_req_item') {
        return true;
    }

    var parentGR = new GlideRecord(tableName);
    if (!parentGR.get(recordSysId)) {
        return true;
    }

    // Get the RITM from SC Task if necessary
    var ritmGR;
    if (tableName === 'sc_task') {
        ritmGR = parentGR.request_item.getRefRecord();
    } else {
        ritmGR = parentGR;
    }

    // Check if the RITM is from the specific Catalog Item
    if (!ritmGR.isValidRecord() || ritmGR.cat_item.name.toString() !== 'your_catalog_item_sys_name_here') {
        return true; // Not our targeted catalog item
    }

    // Now check if the user is in the CAS group and this is a CAS-assigned task
    var casGroup = new GlideRecord('sys_user_group');
    casGroup.addQuery('name', 'CAS Access Group');
    casGroup.query();
    if (!casGroup.next()) {
        return true; // CAS group not found, allow access
    }

    var casGroupSysId = casGroup.sys_id.toString();
    if (!user.isMemberOf(casGroupSysId)) {
        return true; // Only CAS members are restricted
    }

    // If it's an SC Task, check its assignment group
    if (tableName === 'sc_task') {
        if (parentGR.assignment_group.toString() === casGroupSysId) {
            return false; // Restrict CAS users from seeing attachments
        }
    }

    // If it's the RITM, check if any SC Task assigned to the CAS group exists
    if (tableName === 'sc_req_item') {
        var taskGR = new GlideRecord('sc_task');
        taskGR.addQuery('request_item', parentGR.sys_id);
        taskGR.addQuery('assignment_group', casGroupSysId);
        taskGR.query();
        if (taskGR.hasNext()) {
            return false; // Restrict CAS users from RITM attachments
        }
    }

    return true; // Default allow
})();

Step 2: Validate Group Membership

Make sure your CAS Access Group is set up properly, and the name used in the script exactly matches.


Step 3: Test Scenarios

  1. User in CAS Access Group:
    • Assigned task: should not see attachments on SC Task or RITM.
    • Reassigned task: should gain access if they're in the new group (and script allows it).
  2. User in another group:
    • Should see attachments once the task is reassigned.

Thanks and Regards,

Chiranjeevi R

Please mark as Correct Answer/Helpful, if applicable.

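The decision both replies implement (Medi C's Script Include plus ACL, and ChiranjeeviR's scripted ACL) can be checked outside the instance before it is deployed. The following is an added example, not code from the thread or from ServiceNow: the same rule written as a pure function over plain data, with a constructed in-memory stand-in for the sc_req_item and sc_task records and constructed users, so the "Step 3: Test Scenarios" can be run as a script. Table and column names (table_name, table_sys_id, request_item, cat_item, assignment_group) are the real ones; group names are used in place of sys_ids, and the catalog item name is the thread's placeholder.

```javascript
// Added example, not code from the thread: the attachment-visibility decision
// described in both replies, factored into a pure function over plain data so
// it can be exercised outside ServiceNow (no GlideRecord / gs here). The table
// and column names match sys_attachment, sc_req_item and sc_task; every record
// and user below is constructed for the demonstration.

const CAS_GROUP = 'CAS Access Group';
const TARGET_ITEM = 'Your Catalog Item Name'; // placeholder, as in the thread

// Constructed stand-in for the records the ACL would look up: one RITM of the
// target item with an ABC task and a CAS task, and one RITM of another item.
function sampleStore() {
  return {
    sc_req_item: {
      ritm1: { sys_id: 'ritm1', cat_item: TARGET_ITEM },
      ritm2: { sys_id: 'ritm2', cat_item: 'Some Other Item' },
    },
    sc_task: {
      task1: { sys_id: 'task1', request_item: 'ritm1', assignment_group: 'ABC Access Group' },
      task2: { sys_id: 'task2', request_item: 'ritm1', assignment_group: CAS_GROUP },
      task3: { sys_id: 'task3', request_item: 'ritm2', assignment_group: CAS_GROUP },
    },
  };
}

// user = { roles: [...], groups: [...] } (group names instead of sys_ids for readability).
// Returns true when the user may read an attachment whose sys_attachment row has
// table_name = tableName and table_sys_id = recordSysId.
function canReadAttachment(store, user, tableName, recordSysId) {
  if (user.roles.includes('admin')) return true;

  // Attachments on any other table are not governed by this rule
  if (tableName !== 'sc_task' && tableName !== 'sc_req_item') return true;

  const record = (store[tableName] || {})[recordSysId];
  if (!record) return true; // parent record missing: leave it to the other ACLs

  // sc_task has no cat_item; resolve the RITM through request_item
  const ritm = tableName === 'sc_task' ? store.sc_req_item[record.request_item] : record;
  if (!ritm || ritm.cat_item !== TARGET_ITEM) return true;

  // Only members of the CAS group are ever restricted
  if (!user.groups.includes(CAS_GROUP)) return true;

  if (tableName === 'sc_task') {
    // Hidden only while this task is assigned to the CAS group
    return record.assignment_group !== CAS_GROUP;
  }

  // RITM: hidden while any of its tasks is still assigned to the CAS group,
  // which is what the reply's sc_task query expresses
  const casTaskExists = Object.values(store.sc_task).some(
    (t) => t.request_item === ritm.sys_id && t.assignment_group === CAS_GROUP
  );
  return !casTaskExists;
}

// Reassigning a task returns a new store so before/after can be compared side by side
function reassignTask(store, taskSysId, newGroup) {
  const copy = JSON.parse(JSON.stringify(store));
  copy.sc_task[taskSysId].assignment_group = newGroup;
  return copy;
}

// The test scenarios from the reply, evaluated against the sample data
function runScenarios() {
  const before = sampleStore();
  const after = reassignTask(before, 'task2', 'XYZ Access Group');
  const casUser = { roles: [], groups: [CAS_GROUP] };
  const abcUser = { roles: [], groups: ['ABC Access Group'] };
  const xyzUser = { roles: [], groups: ['XYZ Access Group'] };
  const admin = { roles: ['admin'], groups: [CAS_GROUP] };
  return {
    casOnCasTask: canReadAttachment(before, casUser, 'sc_task', 'task2'),            // false
    casOnRitm: canReadAttachment(before, casUser, 'sc_req_item', 'ritm1'),           // false
    casOnAbcTask: canReadAttachment(before, casUser, 'sc_task', 'task1'),            // true
    casOnOtherItem: canReadAttachment(before, casUser, 'sc_task', 'task3'),          // true
    abcOnCasTask: canReadAttachment(before, abcUser, 'sc_task', 'task2'),            // true
    adminOnCasTask: canReadAttachment(before, admin, 'sc_task', 'task2'),            // true
    unrelatedTable: canReadAttachment(before, casUser, 'incident', 'inc1'),          // true
    casAfterReassign: canReadAttachment(after, casUser, 'sc_task', 'task2'),         // true
    casRitmAfterReassign: canReadAttachment(after, casUser, 'sc_req_item', 'ritm1'), // true
    xyzAfterReassign: canReadAttachment(after, xyzUser, 'sc_task', 'task2'),         // true
  };
}

console.log(runScenarios());
```

Inside the instance the same function can live in a Script Include and be fed with `current.table_name.toString()`, `current.table_sys_id.toString()` and the dot-walked group and catalog item values, again as strings: GlideElement objects compared with `===` or `!==` against a string literal never match, so an ACL written that way silently falls through to its default allow. The RITM branch follows the thread's logic exactly: RITM attachments stay hidden from CAS members while any task on that RITM is still assigned to the CAS group, and become visible to everyone once the last such task is reassigned.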