Hide internal attachments from ESS users

David Morden · ‎01-03-2018

We previously used the business rule below to hide internal attachments on incidents from end users (ESS users). However, it is also blocking those users from viewing images in KB articles, which makes sense due to those images being embedded attachments from the sys_attachment table. I've tried numerous iterations of adding "Table name" filters to the "When to run" tab, and trying various forms of adding the table name condition to the script. None of these have worked.

Can anyone help me to update the BR to apply only to the incidents table when viewing attachments?

**Note: there are currently no filters set on the When to run tab, and the attachments are hidden from ESS users everywhere, unless they added the attachment.

David Morden · ‎01-04-2018

I was finally able to get this working through some input from my new counterpart, thanks Derek Young! Below is the approach that works.

View solution in original post

sachin_namjoshi · ‎01-03-2018

You will be able to achieve it by creating read acls on sys_attachment table. It will be role based, if you want to give all internal users read access to attachment. Use internal role and make your clients external.

Check if removing external role from this OOB acl will help:

https://<your_instance>.service-now.com/sys_security_acl.do?sys_id=0bcf23740a6a38d400c7e02590038464

Regards,

Sachin

David Morden · ‎01-03-2018

Unfortunately this returns the same result as the business rule.

Any other thoughts?

David Morden · ‎01-04-2018

I was finally able to get this working through some input from my new counterpart, thanks Derek Young! Below is the approach that works.

Brian Lancaster · ‎04-04-2018

What is your when to run?