Restricting attachment access in BR based on group membership

Josh Banks
Tera Contributor

Hello,

We have a business need to restrict user access to see specific types of requested items. Only users who are members of a particular group should be able to see that type of requested item. We have a business rule in place that successfully prevents users from seeing such entries in the sc_req_item table when they access the list view of the table; we also need something similar for the sys_attachment table, to prevent users from being able to see the documents attached to such requests.

The problem (I think) lies in the fact that the sys_attachment table doesn't have reference fields like most other tables, and in fact only has a limited number of fields to work with at all. The main point of reference appears to be the "table_sys_id" column. So in order to limit the rows returned in the list view of the sys_attachment table, I am trying to write a BR that includes a query of the sc_req_item table, to get the sys_ids of the requests of the specific restricted type. (Basing this on the sys_id of the associated Catalog Item.)

Below is what I have so far in the BR on sys_attachment; this does not work. I've used log statements to verify that I am assembling an accurate comma-delimited string of sys_ids of the requested items, but the encoded query is not working. Any help or suggestions on this, including whether or not this would be the correct approach to set up this restriction, would be most appreciated.

-----------------------

restrictIt();

function restrictIt(){

     // comma-delimited list of sc_req_item sys_ids to hide from this user
     var excludeThese = "";
     var excludeCounter = 0;

     // collect every requested item belonging to the restricted catalog item
     var gr = new GlideRecord('sc_req_item');
     gr.addQuery('cat_item','=','2be341b147b4d910ab642c73636d43c7');
     gr.query();

     while(gr.next()){
          if(excludeCounter > 0){
               excludeThese = excludeThese + ",";
          }
          excludeThese = excludeThese + gr.sys_id.getValue();
          excludeCounter++;
     }

     // encoded query string applied to the sys_attachment query
     var fullEncodedQuery = "'" + "table_sys_idNOT IN" + excludeThese + "'";

     // only restrict interactive, non-admin users outside the special group
     if (!gs.hasRole('admin') && gs.getSession().isInteractive()) {
          if (!gs.getUser().isMemberOf('Our Very Special Group')) {
               current.addEncodedQuery(fullEncodedQuery);
          }
     }
}
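To make the encoded-query format concrete, here is an added example in plain JavaScript (not from the post and not ServiceNow's own code): it assembles the NOT IN condition the rule needs and runs it against constructed sys_attachment rows. The evaluator is a simplified stand-in for the platform's encoded-query parser, assumed to support only the NOT IN operator and the "^" separator, so how the real platform treats a malformed field name may differ.

```javascript
// Added example (not from the post or ServiceNow): builds the NOT IN encoded
// query and evaluates it against constructed rows, so the effect of wrapping
// the string in literal quote characters is visible.
// The evaluator is a simplified stand-in for the platform parser: it only
// supports the "NOT IN" operator and the "^" condition separator.

// Constructed sample data: two requested items of the restricted catalog item
const restrictedRitmIds = ['aaa111', 'bbb222'];

// Constructed sys_attachment rows; table_sys_id points at the parent record
const attachments = [
  { sys_id: 'att1', table_sys_id: 'aaa111', file_name: 'offer.pdf' },
  { sys_id: 'att2', table_sys_id: 'ccc333', file_name: 'manual.pdf' },
  { sys_id: 'att3', table_sys_id: 'bbb222', file_name: 'contract.pdf' },
];

// Correct form: <field>NOT IN<comma-separated values>, no surrounding quotes.
// An empty list yields an empty query so nothing is filtered by accident.
function buildExcludeQuery(sysIds) {
  if (sysIds.length === 0) return '';
  return 'table_sys_idNOT IN' + sysIds.join(',');
}

// The form from the original rule: the same string wrapped in literal quotes
function buildQuotedExcludeQuery(sysIds) {
  return "'" + buildExcludeQuery(sysIds) + "'";
}

// Minimal evaluator: returns the rows that satisfy every NOT IN condition
function applyEncodedQuery(rows, encodedQuery) {
  if (!encodedQuery) return rows.slice();
  const conditions = encodedQuery.split('^').map(function (cond) {
    const idx = cond.indexOf('NOT IN');
    if (idx < 0) throw new Error('unsupported condition: ' + cond);
    return {
      field: cond.slice(0, idx),                          // e.g. table_sys_id
      values: cond.slice(idx + 'NOT IN'.length).split(','),
    };
  });
  return rows.filter(function (row) {
    return conditions.every(function (c) {
      // a quoted field name ("'table_sys_id") matches no column, so the
      // comparison is against undefined and the row is never excluded
      return c.values.indexOf(String(row[c.field])) === -1;
    });
  });
}
```

With the correct string only the attachment on the unrestricted item remains; with the quoted string every row survives, which is the silent failure the poster reports.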

Subhashis Ratna
Tera Guru

Hi @Josh Banks 
I moved all validations to the outer level, avoiding unnecessary iterations if the user has admin privileges or if it's not an interactive session.

restrictIt();

function restrictIt() {
    if (!gs.hasRole('admin') && gs.getSession().isInteractive()) {
        if (!gs.getUser().isMemberOf('Our Very Special Group')) {
            var excludeThese = [];
            var grItem = new GlideRecord('sc_req_item');
            // storing the catalog item sys_id in a system property is good practice in ServiceNow
            grItem.addQuery('cat_item', gs.getProperty('your.property.name'));
            grItem.query();

            while (grItem.next()) {
                excludeThese.push(grItem.sys_id.toString());
            }

            if (excludeThese.length > 0) {
                current.addQuery('table_sys_id', 'NOT IN', excludeThese.join(','));
            }
        }
    }
}

If you have any more requests or need further clarification, feel free to let me know!

Mark Correct if this solves your issue and also mark Helpful if you find my response worthy based on the impact.


Thank you!
Subhashisr7

Thank you for the suggestion on the system property; however the above code still does not work.