Scoped Application Workspace: Unable to Prevent Attachment Deletion (No Conditional Delete ACL)

BenjaminLeong
Mega Contributor

Summary
In a scoped application Workspace, users are able to delete attachments even when they do not have write access to the record. There also appears to be no way to implement conditional delete control for attachments within the scoped application.


Environment

  • Platform: ServiceNow

  • Application Type: Scoped Application

  • UI: Workspace

  • Component: Default Workspace Attachment component


Issue Description

Users are able to delete attachments from records in Workspace even though they do not have write access to the record according to ACL rules.

In this scoped application, write access to the record is restricted through ACLs. However, the default Workspace attachment component still allows attachment deletion.

Additionally, within a scoped application, there does not appear to be a way to implement a conditional delete ACL on the sys_attachment table to control attachment deletion based on record conditions or roles.


Steps to Reproduce

  1. Create or use a table in a scoped application.

  2. Configure ACLs so that a user does not have write access to the record.

  3. Access the record in Workspace.

  4. Upload an attachment (or use an existing attachment).

  5. Select any uploaded attachment.

  6. Attempt to delete the attachment (screenshot not reproduced here).

Result:
The user is able to delete the attachment despite lacking write access.


Expected Behavior

Attachment deletion should respect ACL restrictions.
Users who do not have write access to the record should not be able to delete attachments, or there should be a supported mechanism to control attachment deletion through ACLs or configuration.


Actual Behavior

Users can delete attachments from Workspace even when they do not have write access to the record, and there is no clear mechanism within the scoped application to enforce conditional delete restrictions.


Kieran Anson
Kilo Patron

Hi,

I've not run through your steps to reproduce the issue, but some pointers. Are the table and workspace in the same scope? Is the scope configured for application administration? The benefit of configuring application administration is allowing for scoped ACLs to apply first, and you can selectively determine whether global ACLs apply. This would allow you to add a scripted condition into an ACL and disable deleting of an attachment, similar to the GRC/HR/Supplier Management applications.

https://www.servicenow.com/docs/r/application-development/ACL-access-checks.html?contentId=UBYQYBZcf... 

BenjaminLeong
Mega Contributor

Hi, thanks for the pointers.

  1. Yes, the table and the Workspace are both part of the same scoped application.

  2. Application Administration is enabled for the application, so scoped ACLs should be evaluated before global ACLs.

The difficulty I'm encountering is with controlling deletion on sys_attachment. Since sys_attachment is in the global scope, it doesn't appear possible to implement the conditional delete logic from within the scoped application to evaluate the parent record’s access conditions.

As a result, users who do not have write access to the record are still able to delete attachments through the Workspace attachment component.

Have you previously implemented attachment delete restrictions in Workspace using ACLs on sys_attachment, or was another mechanism used?

Thanks again for the suggestions.

I haven't personally implemented attachment delete restrictions, but it looks to be possible. For example, below shows a delete restriction imposed by the HR: Core scope

[Screenshots: delete ACL on sys_attachment from the HR: Core scope, not reproduced here]
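As an added example that is not part of the original thread and not ServiceNow's own code, the block below shows the decision logic for the kind of scripted delete rule Kieran describes and that the HR: Core screenshots above would illustrate: a scoped ACL on sys_attachment, operation delete, whose script defers to the parent record's write access. The application prefix x_acme_, the table x_acme_request, the record IDs and the lookup table are all constructed; GlideRecord and the ACL globals `current` and `answer` are replaced by plain objects so the same decisions can be exercised outside an instance. The equivalent instance-side ACL script is given in the comment at the top. How the platform orders scoped and global ACLs (the Application Administration point in the thread) is not modelled here.

```javascript
// Added example, not code from the original thread or from ServiceNow.
// Decision logic for a scoped ACL on sys_attachment (operation: delete)
// that defers to the parent record's write access.
//
// On the instance the rule would be: Type = record, Table = sys_attachment,
// Operation = delete, Condition = [table_name] [starts with] [x_acme_],
// Script (hypothetical, written in ES5 for the platform's script engine):
//
//   var parent = new GlideRecord(current.getValue('table_name'));
//   answer = parent.get(current.getValue('table_sys_id')) && parent.canWrite();
//
// Below, `current`, `answer` and GlideRecord are replaced by plain objects
// and a constructed lookup so the same decisions can be exercised offline.

var SCOPE_PREFIX = 'x_acme_';                         // hypothetical app scope

// Constructed stand-in for the parent records. `canWrite` stands for what
// the parent table's own write ACLs return for the current user.
var FAKE_RECORDS = {
  x_acme_request: {
    r1: { number: 'REQ0001', canWrite: true },
    r2: { number: 'REQ0002', canWrite: false }
  }
};

// Stand-in for GlideRecord.get(): returns the record or null.
function lookupParent(tableName, sysId) {
  var table = FAKE_RECORDS[tableName];
  return (table && table[sysId]) ? table[sysId] : null;
}

// Mirrors the ACL's Condition field, which limits the rule to this app's
// attachments so it never widens access to other applications' rows.
function matchesAclCondition(attachment) {
  return typeof attachment.table_name === 'string' &&
         attachment.table_name.indexOf(SCOPE_PREFIX) === 0;
}

// Mirrors the ACL script. `attachment` carries the sys_attachment fields
// table_name and table_sys_id; the return value is what the script would
// assign to `answer`.
function attachmentDeleteAllowed(attachment, lookup) {
  // Defensive repeat of the condition: if the script is ever evaluated for
  // a row outside the scope, deny rather than grant.
  if (!matchesAclCondition(attachment)) {
    return false;
  }
  var parent = lookup(attachment.table_name, attachment.table_sys_id);
  if (!parent) {
    // Orphaned attachment or unreadable parent: fail closed.
    return false;
  }
  // The actual check: can this user write the record the file hangs off?
  return parent.canWrite === true;
}

// The thread's scenario: a user without write access to REQ0002 tries to
// delete one of its attachments. The rule answers false.
var attempt = { table_name: 'x_acme_request', table_sys_id: 'r2', file_name: 'evidence.pdf' };
var verdict = attachmentDeleteAllowed(attempt, lookupParent);
```

The point of the shape is that the control sits on sys_attachment itself, which is the table the Workspace attachment component ultimately deletes from, rather than on the component; the condition keeps the rule from matching other applications' attachments, the script fails closed when the parent cannot be found, and the only way to a true answer is the parent record's own write check.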