
Restriction on the sys_attachment table

Karine_M
Tera Guru

Hi All,

 

We need to block access to certain data for certain internal collaborators (access only to certain ticket types for a predefined list of customer accounts).
Overall, we've managed to configure our profiles correctly using ACLs on certain tables and Security Data Filters.
We're having trouble filtering sys_attachments. We need these collaborators to be able to read and add attachments to their tickets. If they try to list the contents of the sys_attachment table, they should ONLY see the attachments related to the tickets they have access to.


Is there a way to address this need with ACLs or Security Data Filters, or another solution?

 

Regards,

Karine


ChallaR
Kilo Guru

hi @Karine_M ,

 

You can do this with an ACL; please find the steps below.

 

Use ACLs on sys_attachment Table

  • Create a read ACL on the sys_attachment table.
  • In the ACL script, check whether the user has access to the parent record (e.g., Incident, Task, etc.) the attachment is linked to.

Sample ACL Script:

// Read ACL on sys_attachment: delegate the decision to the parent record.
// current.table_name / current.table_sys_id point at the record the attachment belongs to.
var parentGR = new GlideRecord(current.table_name);
if (parentGR.get(current.table_sys_id)) {
    // Parent exists: the attachment is readable only if the parent is readable
    answer = parentGR.canRead();
} else {
    // Parent missing or table unknown: deny rather than fall open
    answer = false;
}

 

This ensures that users can only read attachments if they can read the associated record.

 

Review and Override OOB ACLs

  • ServiceNow has multiple out-of-box (OOB) ACLs on sys_attachment that may override your custom ACL.
  • You must disable or modify these OOB ACLs to ensure your custom logic is evaluated correctly.

Custom Field-Based Filtering (Optional Enhancement)

  • Add a custom Boolean field like u_private to sys_attachment.
  • Use this to mark attachments as internal-only.
  • Modify the ACL or AttachmentSecurity Script Include to check this field.

 

Security Data Filters

  • While Security Data Filters are powerful, they don’t apply directly to sys_attachment because it’s a system table.
  • Use them for filtering access to the parent records instead.

Please mark as completed and close the thread if this resolves the issue.

 

Thanks,

Rithika.ch 

@Karine_M I missed the sample Script Include logic for Custom Field-Based Filtering (Optional Enhancement):

// Wrapped in a function so the check can be called from the ACL / Script Include (wrapper name is illustrative)
function canReadAttachment(current) {
    if (!gs.hasRole('itil') && current.u_private == true && gs.getSession().isInteractive()) {
        return false;
    }
    return true;
}