
Restrict attachment visibility based on role

adam_seeber1
Kilo Contributor

Hi folks,

I'm looking to restrict visibility of attachments (specifically on the change_request table, but equally applicable on any other table) by role. Basic premise is that if you don't have a role called change_attachments, you don't get to see attachments on any change record.

I've found this thread which looks like it might work and adjusted the role as per below, but attachments are visible to all users with access to the table (ie, itil users).

Any suggestions to restrict attachments on the change table to only those with this role?

Business Rule

When to run: before (query)

Condition: !gs.hasRole('change_attachments') && (current.table_name == 'change_request')

Script:

function onBefore(current, previous) {
    // This function will be automatically called when this rule is processed.
    hideAttachments();

    function hideAttachments() {
        // Narrow the attachment query to records the current user created.
        var answer = 'sys_created_by=' + gs.getUserName();
        current.addEncodedQuery(answer);
    }
}

1 ACCEPTED SOLUTION

There are ACLs on the sys_attachment table; you might want to look at them and try restricting attachments from there. Maybe one of those is overriding the effect of the BR.




@Ankur Bawiskar Thanks for the correct answer.

 

I am looking to insert the above code in the OOTB script so it won't impact OOTB functionality. Can you help me with that?

OOTB script is:

answer = getDVAttachmentReadAnswer();

function getDVAttachmentReadAnswer() {
    if (current.table_name == 'sys_document_viewer_status') {
        var statusGr = new GlideRecord('sys_document_viewer_status');
        statusGr.get(current.table_sys_id);
        if (statusGr.isValid()) {
            var parentAttachmentGr = new GlideRecord('sys_attachment');
            parentAttachmentGr.get(statusGr.attachment_id);
            if (parentAttachmentGr.isValid())
                return parentAttachmentGr.canRead();
            else
                return false;
        } else
            return false;
    }
    return false;
}

 

 

Custom script as per your code is:

 

answer = getChangeAttachmentReadAnswer();

function getChangeAttachmentReadAnswer() {
    // Only holders of the custom role may read attachments on change records.
    if (current.table_name == 'change_request' && gs.hasRole('change_attachments')) {
        return true;
    } else {
        return false;
    }
}
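Added example, not code from the thread: the OOTB document-viewer check and the change_request role check merged into one read decision, written as a pure function so it runs outside ServiceNow. `current`, `gs` and the GlideRecord lookups are injected as parameters; the `lookups` object, `makeGs` and the sample rows are constructed for the example.

```javascript
// Merged sys_attachment read decision. In a real ACL script the result is
// assigned to `answer`, as the OOTB script does; here it is returned so the
// logic can be exercised with constructed data.
function attachmentReadAnswer(current, gs, lookups) {
  // Thread-specific rule: attachments on change records require the custom role.
  if (current.table_name === 'change_request') {
    return gs.hasRole('change_attachments');
  }
  // OOTB branch kept intact: a document-viewer status row is readable only if
  // the attachment it points to is readable.
  if (current.table_name === 'sys_document_viewer_status') {
    var status = lookups.documentViewerStatus(current.table_sys_id);
    if (!status) {
      return false;
    }
    var parent = lookups.attachment(status.attachment_id);
    return parent ? parent.canRead() : false;
  }
  // Mirrors the posted scripts: this ACL grants nothing for other tables.
  return false;
}

// Constructed stand-ins for GlideRecord lookups (assumption: ids are arbitrary).
var sampleStatuses = {
  st1: { attachment_id: 'att2' },
  st2: { attachment_id: 'missing' }
};
var sampleAttachments = {
  att2: { canRead: function () { return true; } }
};
var lookups = {
  documentViewerStatus: function (id) { return sampleStatuses[id] || null; },
  attachment: function (id) { return sampleAttachments[id] || null; }
};

// Minimal stand-in for the gs global: hasRole over a fixed role list.
function makeGs(roles) {
  return { hasRole: function (r) { return roles.indexOf(r) !== -1; } };
}
```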

Hi,

so after adding the above, any issue faced?

Is something not working as expected?

Regards
Ankur


shloke04
Kilo Patron

Hi Adam,



You need to modify the OOB ACL on the sys_attachment table for the same. Below is the link for the same:


https://instance.service-now.com/sys_security_acl.do?sys_id=0bcf23740a6a38d400c7e02590038464&sysparm...



Replace "instance" with your instance name and mention the role in the Role Criteria on the ACL form to whom you want the attachments to be visible. Below is a screenshot for the same:



Attachment ACL.png



Hope this helps. Mark the answer as correct/helpful based on impact.



Regards,


Shloke


Hope this helps. Please mark the answer as correct/helpful based on impact.

Regards,
Shloke

Abhinay Erra
Giga Sage

You will need to modify the existing read ACL on the sys_attachment table. Can you post the read ACL script on the sys_attachment table here?


was if it is possible to check who was accessing the attachment table in the last 30 days?