How can I restrict access to add an attachment (sys_attachment) from a scoped application table?

Karina15 · ‎06-10-2020

Let's say I have a record on a scoped application table and when the record is active=false, I shouldn't allow the end-user to upload more attachment (sys_attachment). Since the sys_attachment table is global, and my table belongs to a scoped application I'm having a hard time restricting security on the platform forms.

Any thoughts?

Thanks!

Allen Andreas · ‎06-10-2020

Hi,

From my understanding you'd still need to work with the global ACLs for the attachment table, but where you allow "write", you would need to add script to check the table and if 'x' then query for active is not false, then answer true.

So those write ACLs, where there could be many, if a user passes 1 of those...they get to write attachments. So you'd need to make sure that they don't meet even 1 of those with your conditions.

The alternative way...is to use an onLoad client script maybe and check active there or not, if not, then do:

 g_form.disableAttachments();

Please mark reply as Helpful/Correct, if applicable. Thanks!

Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

Karina15 · ‎07-06-2020

Hi Allen,

I tried both:

The ACL wouldn't ship with the scoped application because it belongs to Global.
Client script only worked on the native forms but doesn't work on the service portal widgets OOTB. I cloned the form widget to update the condition to show the: <sp-attachment-button></sp-attachment-button>

I also requested an idea for it: https://community.servicenow.com/community?id=view_idea&sysparm_idea_id=84c9449e1b299410d01143f6fe4b...

Thanks for all your help!

Karina

Karina15 · ‎06-10-2020

Thanks Allen!

I will try both suggestions (ACL and client script) and test it both Service Portal and platform and update the post.