
Restrict attachment visibility based on role

adam_seeber1
Kilo Contributor

Hi folks,

I'm looking to restrict visibility of attachments (specifically on the change_request table, but equally applicable on any other table) by role. Basic premise is that if you don't have a role called change_attachments, you don't get to see attachments on any change record.

I've found this thread which looks like it might work and adjusted the role as per below, but attachments are visible to all users with access to the table (ie, itil users).

Any suggestions to restrict attachments on the change table to only those with this role?

Business Rule

When to run: before (query)

Condition: !gs.hasRole('change_attachments') && (current.table_name == 'change_request')

Script:

function onBefore(current, previous) {
    // This function will be automatically called when this rule is processed.
    hideAttachments();

    function hideAttachments() {
        var answer = 'sys_created_by=' + gs.getUserName();
        current.addEncodedQuery(answer);
    }
}

1 ACCEPTED SOLUTION

There are ACLs on the sys_attachment table; you might want to look at them and try restricting attachments from there. Maybe one of those is overriding the effect of the BR.




You can look at the transaction log for the same and filter on field URL starts with /sys_attachment


BhupeshG
Tera Guru

getAttachmentReadAnswer();

function getAttachmentReadAnswer() {
    // No parent table recorded on the attachment: allow the read
    if (current.table_name.nil())
        return true;

    // If the attachment is from live feed,
    // grant it the read access
    if (current.table_name == 'live_profile')
        return true;

    // Parent table does not exist: allow the read
    var parentRecord = new GlideRecord(current.table_name);
    if (!parentRecord.isValid())
        return true;

    // Parent record not found: allow the read
    if (!parentRecord.get(current.table_sys_id))
        return true;

    // Otherwise defer to the user's read access on the parent record
    return parentRecord.canRead();
}



This is the OTB ACL. Can someone help me understand what it is trying to achieve here?


This script is trying to see if the user trying to read the attachment record



if (current.table_name.nil())
    return true;

#1 The above part checks whether the attachment being read belongs to some table or not; if not, the system lets the user read it.



// If the attachment is from live feed,
// grant it the read access
if (current.table_name == 'live_profile')
    return true;

#2 This piece of code lets the user read the attachment if it is from the live feed.



var parentRecord = new GlideRecord(current.table_name);
if (!parentRecord.isValid())
    return true;

#3 This part of the script checks whether the table corresponding to the attachment being read is valid or not; if not, it just lets the user read the attachment. Almost the same as #1 above.



if (!parentRecord.get(current.table_sys_id))
    return true;

#4 This part just checks the validity of the record to which the attachment being read belongs. If it is not present, the system just lets the user read the attachment.



return parentRecord.canRead();

#5 If none of the above conditions are met, the system just lets the user read the attachment if the user has read access to the record the attachment belongs to.
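To tie the accepted answer (restrict at the sys_attachment ACL rather than in a before-query BR) to the #1-#5 walkthrough above, here is an added example that is neither ServiceNow's code nor code from this thread. It rewrites the read decision of the OTB sys_attachment ACL as a pure function so it runs in plain Node, and adds the role gate the question asks for: attachments whose table_name is change_request are readable only with the change_attachments role. In the platform the same logic would live in the sys_attachment read ACL script and call gs.hasRole() and GlideRecord as the OTB script does; here those calls go through a constructed `platform` mock (makePlatform, isValidTable, getRecord and the sample sys_ids are all assumptions of this example).

```javascript
// Added example, not ServiceNow's code and not code from the thread.
// attachment: {table_name, table_sys_id} as stored on sys_attachment.
// platform: constructed mock with hasRole(role), isValidTable(name),
//           getRecord(name, sysId) -> {canRead: boolean} | null.
// Returns true if the current user may read the attachment.
function attachmentReadAnswer(attachment, platform) {
  // #1: attachment not tied to any table -> OTB allows the read.
  if (!attachment.table_name) {
    return true;
  }
  // #2: live feed attachments are always readable (OTB behaviour).
  if (attachment.table_name === 'live_profile') {
    return true;
  }
  // Added gate (the thread's requirement): attachments on change_request
  // need the change_attachments role, regardless of whether the user can
  // read the change record itself.
  if (attachment.table_name === 'change_request' &&
      !platform.hasRole('change_attachments')) {
    return false;
  }
  // #3: parent table does not exist -> OTB allows the read.
  if (!platform.isValidTable(attachment.table_name)) {
    return true;
  }
  // #4: parent record not found -> OTB allows the read.
  const parent = platform.getRecord(attachment.table_name, attachment.table_sys_id);
  if (parent === null) {
    return true;
  }
  // #5: otherwise defer to read access on the parent record.
  return parent.canRead;
}

// Constructed stand-in for gs.hasRole / GlideRecord: `roles` is the current
// user's role list, `tables` maps table name -> sys_id -> record.
function makePlatform(roles, tables) {
  return {
    hasRole: (role) => roles.includes(role),
    isValidTable: (name) => Object.prototype.hasOwnProperty.call(tables, name),
    getRecord: (name, sysId) =>
      (tables[name] && tables[name][sysId]) ? tables[name][sysId] : null,
  };
}

// Constructed sample data: one readable change, one readable and one
// unreadable incident. The sys_ids are placeholders, not real values.
const SAMPLE_TABLES = {
  change_request: { CHG0001: { canRead: true } },
  incident: { INC0001: { canRead: true }, INC0002: { canRead: false } },
};

// Runs the scenarios from the thread and returns the decision for each.
function runScenarios() {
  const itilOnly = makePlatform(['itil'], SAMPLE_TABLES);
  const withRole = makePlatform(['itil', 'change_attachments'], SAMPLE_TABLES);
  const chg = { table_name: 'change_request', table_sys_id: 'CHG0001' };
  return {
    changeWithoutRole: attachmentReadAnswer(chg, itilOnly),   // added gate -> false
    changeWithRole: attachmentReadAnswer(chg, withRole),      // parent readable -> true
    readableIncident: attachmentReadAnswer(
      { table_name: 'incident', table_sys_id: 'INC0001' }, itilOnly), // #5 -> true
    unreadableIncident: attachmentReadAnswer(
      { table_name: 'incident', table_sys_id: 'INC0002' }, itilOnly), // #5 -> false
    orphanAttachment: attachmentReadAnswer(
      { table_name: '', table_sys_id: '' }, itilOnly),                // #1 -> true
    liveFeed: attachmentReadAnswer(
      { table_name: 'live_profile', table_sys_id: 'X' }, itilOnly),   // #2 -> true
    unknownTable: attachmentReadAnswer(
      { table_name: 'no_such_table', table_sys_id: 'X' }, itilOnly),  // #3 -> true
    missingParent: attachmentReadAnswer(
      { table_name: 'incident', table_sys_id: 'INC9999' }, itilOnly), // #4 -> true
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Two things the scenarios make visible. First, the gate is evaluated before the parent-record lookup, so an itil user who can read the change record still cannot read its attachments without the role, which is the behaviour the question wants and which the creator-based BR never provided. Second, the OTB branches #1, #3 and #4 are permissive defaults: an attachment with no table, an unknown table or a deleted parent is still readable, so any role restriction added to the ACL should sit above those branches, as it does here, rather than below them.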