
Restricting attachment access in BR based on group membership

Josh Banks
Tera Contributor

Hello,

We have a business need to restrict user access to see specific types of requested items. Only users who are members of a particular group should be able to see that type of requested item. We have a business rule in place that successfully prevents users from seeing such entries in the sc_req_item table when they access the list view of the table; we also need something similar for the sys_attachment table, to prevent users from being able to see the documents attached to such requests.

 

The problem (I think) lies in the fact that the sys_attachment table doesn't have reference fields like most other tables, and in fact only has a limited number of fields to work with at all. The main point of reference appears to be the "table_sys_id" column. So in order to limit the rows returned in the list view of the sys_attachment table, I am trying to write a BR that includes a query of the sc_req_item table, to get the sys_ids of the requests of the specific restricted type. (Basing this on the sys_id of the associated Catalog Item.)

Below is what I have so far in the BR on sys_attachment; this does not work. I've used log statements to verify that I am assembling an accurate comma-delimited string of sys_ids of the requested items, but the encoded query is not working. Any help or suggestions on this, including whether or not this would be the correct approach to set up this restriction, would be most appreciated.

 

-----------------------

restrictIt();
 
function restrictIt(){
 
     // Comma-delimited list of sys_ids of the requested items to hide
     var excludeThese = "";
     var excludeCounter = 0;
 
     // Find every RITM created from the restricted catalog item
     var gr = new GlideRecord('sc_req_item');
     gr.addQuery('cat_item','=','2be341b147b4d910ab642c73636d43c7');
     gr.query();
 
     while(gr.next()){
          if(excludeCounter > 0){
               excludeThese = excludeThese + ",";
          }
          excludeThese = excludeThese + gr.sys_id.getValue();
          excludeCounter++;
     }
 
     // Encoded query syntax is field + operator + values with no quoting;
     // wrapping the string in single quotes makes them part of the value
     var fullEncodedQuery = "table_sys_idNOT IN" + excludeThese;
 
     // Only filter interactive, non-admin sessions for users outside the group
     if (!gs.hasRole('admin') && gs.getSession().isInteractive()) {
          if (!gs.getUser().isMemberOf('Our Very Special Group')) {
               current.addEncodedQuery(fullEncodedQuery);
          }
     }
}
6 REPLIES

Amit Verma
Kilo Patron

Hi @Josh Banks 

 

The links below could be helpful:

https://www.servicenow.com/community/itsm-forum/is-there-a-way-to-restrict-the-attachment-on-ritm-to...

https://www.servicenow.com/community/itsm-forum/how-to-restrict-ritm-records-to-be-visible-only-to-s...

 

Thanks & Regards

Amit Verma


Please mark this response as correct and helpful if it assisted you with your question.

Thank you for your suggestions. Adding a new ACL to the sys_attachment table as per the first link did not solve the issue.

 

The second link suggests the same, as well as additionally updating all existing read ACLs on the table to account for a custom role. We are not using any custom roles with the group in question, and the only read ACLs on the table are OOB read ACLs from ServiceNow, which I do not want to edit.

Anand Kumar P
Giga Patron

Hi @Josh Banks ,

Try the script below:

restrictIt();

function restrictIt() {
    // sys_ids of the RITMs whose attachments must be hidden
    var excludeThese = [];

    var gr = new GlideRecord('sc_req_item');
    gr.addQuery('cat_item', '2be341b147b4d910ab642c73636d43c7');
    gr.query();
    while (gr.next()) {
        excludeThese.push(gr.sys_id.getValue());
    }

    // Encoded query: field, operator and comma-separated values, no quotes
    var fullEncodedQuery = 'table_sys_idNOT IN' + excludeThese.join(',');

    // Apply only to interactive, non-admin users outside the group
    if (!gs.hasRole('admin') && gs.getSession().isInteractive()) {
        if (!gs.getUser().isMemberOf('Our Very Special Group')) {
            current.addEncodedQuery(fullEncodedQuery);
        }
    }
}

Mark it as helpful and solution proposed if it serves your purpose.
Thanks,
Anand

Unfortunately this does not work; attachments on these specific requests are still visible to users who are not in the group.
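Both scripts in this thread (the original post and Anand's reply) assemble the same encoded query, and the first one also embeds literal single quotes in it. The block below is an added example, not code from either poster or from ServiceNow: it pulls the string assembly and the session check out into plain functions so the behaviour can be exercised outside the platform. `GlideRecord`, `gs` and `current` are replaced by small stub objects that are assumptions for this example; the group name is the one used in the thread, and the sample sys_ids are constructed. It also handles two cases the posted scripts do not: an empty exclusion list (no query is added rather than an operator with an empty value) and a value that is not a 32-character hex sys_id (dropped rather than concatenated into the query). Written in ES5 style (`var`, function expressions) because that is what ServiceNow server-side scripts run.

```javascript
// Added example (not the thread's code). Stubs for gs/current are assumptions.

var SYS_ID_RE = /^[0-9a-f]{32}$/;

// Build "fieldNOT INid1,id2,..." exactly as an encoded query expects: no
// quoting around the value list. Returns null when nothing survives the
// sys_id check, so the caller skips addEncodedQuery instead of submitting
// "table_sys_idNOT IN" with an empty value list.
function buildNotInQuery(field, sysIds) {
  var clean = sysIds.filter(function (id) {
    return SYS_ID_RE.test(String(id));
  });
  if (clean.length === 0) {
    return null;
  }
  return field + 'NOT IN' + clean.join(',');
}

// Same gate as the thread's scripts: admins and non-interactive sessions
// (integrations, scheduled jobs) are left alone; everyone else is filtered
// unless they are a member of the group.
function shouldRestrict(session) {
  if (session.hasRole('admin')) {
    return false;
  }
  if (!session.isInteractive()) {
    return false;
  }
  return !session.isMemberOf('Our Very Special Group');
}

// Mirror of the business rule body: add the exclusion query to `current`
// when it applies. Returns the query string that was added, or null.
function applyRestriction(current, session, restrictedIds) {
  if (!shouldRestrict(session)) {
    return null;
  }
  var query = buildNotInQuery('table_sys_id', restrictedIds);
  if (query === null) {
    return null;
  }
  current.addEncodedQuery(query);
  return query;
}

// ---- stubs standing in for ServiceNow objects (constructed for this example) ----
function makeSession(opts) {
  return {
    hasRole: function (role) { return opts.roles.indexOf(role) !== -1; },
    isInteractive: function () { return opts.interactive; },
    isMemberOf: function (group) { return opts.groups.indexOf(group) !== -1; }
  };
}

function makeCurrent() {
  var queries = [];
  return {
    queries: queries,
    addEncodedQuery: function (q) { queries.push(q); }
  };
}

// Constructed sample: two restricted RITM sys_ids plus one malformed value
// that must not reach the query string.
var RESTRICTED = [
  '1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d',
  'f0e1d2c3b4a5968778695a4b3c2d1e0f',
  "'bad value'"
];

// Stand-alone run: an itil user outside the group gets the filter,
// a group member and an admin do not.
var outsider = makeCurrent();
applyRestriction(outsider, makeSession({ roles: ['itil'], interactive: true, groups: [] }), RESTRICTED);
var member = makeCurrent();
applyRestriction(member, makeSession({ roles: ['itil'], interactive: true, groups: ['Our Very Special Group'] }), RESTRICTED);
console.log('outsider queries:', outsider.queries);
console.log('member queries:', member.queries);
```

A query business rule only filters the rows a list or GlideRecord query returns; it is not an access control. Treat it as a convenience filter on the sys_attachment list and keep the read ACL on sys_attachment as the thing that actually decides whether a given user may open a given attachment.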