
Securing attachments by Role

hartr
Giga Contributor

Does anyone know of a way to ensure that Self Service users can only view attachments that they themselves have added against a specific record (i.e. so if a user with a role adds an attachment it is visible only to other users with the same role)? Thing is, I need to do this only for attachments linked to one table - not all tables.

I have tried using before query business rule on the attachment table with some success but I can't seem to limit the query to attachments linked to a specific table - current.sys_class_name is undefined if I try to use it as a condition on the before query rule.

6 REPLIES

Mark Stanger
Giga Sage

You should be able to use 'current.table_name' to identify what table the attachment is associated with. An ACL should work in this case too.


hartr
Giga Contributor

Thanks Mark - I tried that too but it also comes up undefined.


hartr
Giga Contributor

I've got it to work but not sure if it's the best way though...

I had to use the following to get the table name (4 chars long) where the attachment query was coming from:

var map = gs.action.getGlideURI().toString();
var table = map.substr(0,4);


Not applicable

Attachments reference back to a record via a pairing of fields: table_name and table_sys_id.

An ACL for the sys_attachment table with a condition of 'table_name=="u_xyz"' (to restrict the rule's applicability to your special table) and a Script to determine whether the current session's user (gs.getUserID(), etc) should be able to access the record table_sys_id, would prevent others from accessing the attachment if they didn't meet the Script's criteria.

(Alternatively, if you want to use a Before-query approach, I think you want current.getTableName() or current.getRecordClassName() - those will be defined even for an initialized GlideRecord, and in your case they'll probably have the same value, though they have subtly different meanings.)
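
The ACL approach from the last reply, sketched as an added example (not code from the thread or from ServiceNow): the decision is a plain function so it can be run outside an instance, and it denies by default when the parent record cannot be loaded. The function name `attachmentReadAllowed`, the fake GlideRecord and the sample records are constructed for illustration; using read access on the parent record as the criterion is an assumption.

```javascript
// Added example: ACL decision logic as a plain function so it runs in Node.
// In an instance, `current` and GlideRecord come from the platform and the
// ACL script would end with: answer = attachmentReadAllowed(current, GlideRecord);
var RESTRICTED_TABLE = 'u_xyz'; // table name used in the reply above

function attachmentReadAllowed(current, GlideRecordCtor) {
  // Same test as the ACL condition: attachments on other tables are not ours.
  if (String(current.table_name) !== RESTRICTED_TABLE) return null;
  var parentId = String(current.table_sys_id || '');
  if (!parentId) return false;               // no parent reference: deny
  var parent = new GlideRecordCtor(RESTRICTED_TABLE);
  if (!parent.get(parentId)) return false;   // parent missing: deny
  return parent.canRead() === true;          // inherit the parent's read access
}

// ---- Constructed stand-ins for offline use (not ServiceNow code) ----
// Each parent record lists the user ids allowed to read it.
var PARENTS = { rec1: ['alice'], rec2: ['bob'] };

function fakeGlideRecordFor(userId) {
  function FakeGlideRecord(table) { this.table = table; this.row = null; }
  FakeGlideRecord.prototype.get = function (id) {
    var known = this.table === RESTRICTED_TABLE &&
      Object.prototype.hasOwnProperty.call(PARENTS, id);
    this.row = known ? PARENTS[id] : null;
    return this.row !== null;
  };
  FakeGlideRecord.prototype.canRead = function () {
    return this.row !== null && this.row.indexOf(userId) !== -1;
  };
  return FakeGlideRecord;
}

// Constructed sys_attachment rows.
var ATTACHMENTS = {
  onRec1:   { table_name: 'u_xyz',    table_sys_id: 'rec1' },
  orphan:   { table_name: 'u_xyz',    table_sys_id: 'gone' },
  noParent: { table_name: 'u_xyz',    table_sys_id: '' },
  incident: { table_name: 'incident', table_sys_id: 'rec1' }
};

// Evaluate one constructed attachment for one constructed user.
function decide(userId, key) {
  return attachmentReadAllowed(ATTACHMENTS[key], fakeGlideRecordFor(userId));
}
```

A `null` result means the rule does not apply to that attachment, which is the job the ACL's condition field does on the platform.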