
Securing attachments by Role

hartr
Giga Contributor

Does anyone know of a way to ensure that Self Service users can only view attachments that they themselves have added against a specific record (i.e. so if a user with a role adds an attachment it is visible only to other users with the same role)? Thing is I need to do this only for attachments linked to one table - not all tables.

I have tried using a before query business rule on the attachment table with some success, but I can't seem to limit the query to attachments linked to a specific table - current.sys_class_name is undefined if I try to use it as a condition on the before query rule.

6 REPLIES

brkelly
Kilo Expert

I am not sure if this is what you wanted exactly, but this script, applied on the Attachment table for the Read operation, did the job for me (see the bold/underlined text).



getAttachmentReadAnswer();

function getAttachmentReadAnswer() {
    // Attachment not linked to any record: allow (platform default behaviour)
    if (current.table_name.nil())
        return true;

    // If the attachment is from live feed, grant it the read access
    if (current.table_name == 'live_profile')
        return true;

    // Remove the "invisible." prefix so the real parent table can be queried
    var tableName = current.table_name.toString();
    var invisible_prefix = "invisible.";
    if (tableName.startsWith(invisible_prefix))
        tableName = tableName.substring(invisible_prefix.length);

    var parentRecord = new GlideRecord(tableName);
    parentRecord.setWorkflow(false);
    if (!parentRecord.get(current.table_sys_id)) {
        // Parent record not found: only the user who uploaded the attachment may read it
        if (current.sys_created_by.equals(gs.getUserName()))
            return true;
        return false;
    }

    // Specify the table whose attachments are restricted to a specific role
    if (tableName == "u_wacky_table") {
        // Specify the role that gets access
        if (gs.getUser().hasRole('admin')) {
            return true;
        } else {
            return false;
        }
    }

    // Any other table: defer to the parent record's own read ACLs
    return parentRecord.canRead();
}
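The script above answers the role-only case. The original question also asks for the uploader to always see their own attachment, and for users who hold the restricting role to see each other's. The block below is an added example, not code from this thread or from ServiceNow: it isolates that decision into a pure function with the platform objects replaced by plain values, so the rule can be reasoned about and tested outside the instance before it goes into an ACL. The field mapping in the comments (table_name, table_sys_id, sys_created_by, gs.getUserName(), hasRole) follows the script above; note the attachment record carries the parent table in table_name, not sys_class_name. The table name, role name and all records are constructed for the example.

```javascript
// Added example: attachment read decision as a pure function.
// Assumed mapping from the ACL script above onto plain objects:
//   current.table_name     -> attachment.tableName
//   current.table_sys_id   -> attachment.tableSysId
//   current.sys_created_by -> attachment.createdBy
//   gs.getUserName()       -> user.name
//   gs.getUser().hasRole() -> user.roles (array of role names)
// The "uploader always, otherwise same role" rule is the original question's wording.

// constructed: restricted table -> role its members must hold to share attachments
const RESTRICTED_TABLES = {
  u_wacky_table: 'u_wacky_reviewer',
};

function stripInvisiblePrefix(tableName) {
  const prefix = 'invisible.';
  return tableName.startsWith(prefix) ? tableName.slice(prefix.length) : tableName;
}

// lookupParent(table, sysId) returns { canRead: bool } or null (stands in for
// GlideRecord.get() + canRead()); lookupUser(name) returns { name, roles } or null.
function canReadAttachment(attachment, user, lookupParent, lookupUser) {
  if (!attachment.tableName) return true;                 // table_name nil: allow
  if (attachment.tableName === 'live_profile') return true; // live feed: allow
  const tableName = stripInvisiblePrefix(attachment.tableName);
  const parent = lookupParent(tableName, attachment.tableSysId);
  if (!parent) {
    // parent record missing: only the uploader may read the orphaned attachment
    return attachment.createdBy === user.name;
  }
  const role = RESTRICTED_TABLES[tableName];
  if (role) {
    if (attachment.createdBy === user.name) return true;  // own upload is always visible
    const creator = lookupUser(attachment.createdBy);
    // otherwise both uploader and reader must hold the restricting role
    return !!creator && creator.roles.includes(role) && user.roles.includes(role);
  }
  return parent.canRead;                                  // other tables: parent's ACLs
}

// Constructed sample data standing in for platform records.
const USERS = {
  alice: { name: 'alice', roles: ['u_wacky_reviewer'] },
  bob:   { name: 'bob',   roles: ['u_wacky_reviewer'] },
  carol: { name: 'carol', roles: [] },
};
const PARENTS = {
  'u_wacky_table:rec1': { canRead: true },
  'incident:inc1':      { canRead: true },
};
const ATTACHMENTS = {
  wackyByAlice:  { tableName: 'u_wacky_table',           tableSysId: 'rec1', createdBy: 'alice' },
  wackyByCarol:  { tableName: 'invisible.u_wacky_table', tableSysId: 'rec1', createdBy: 'carol' },
  incidentByBob: { tableName: 'incident',                tableSysId: 'inc1', createdBy: 'bob' },
  orphanByBob:   { tableName: 'incident',                tableSysId: 'gone', createdBy: 'bob' },
};
const lookupParent = (table, id) => PARENTS[`${table}:${id}`] || null;
const lookupUser = (name) => USERS[name] || null;

// Convenience wrapper: decide by attachment key and user name from the sample data.
function decide(attachmentKey, userName) {
  return canReadAttachment(ATTACHMENTS[attachmentKey], USERS[userName], lookupParent, lookupUser);
}

// Walk every (attachment, user) pair so the full access matrix can be inspected.
function accessMatrix() {
  const rows = {};
  for (const a of Object.keys(ATTACHMENTS)) {
    rows[a] = {};
    for (const u of Object.keys(USERS)) rows[a][u] = decide(a, u);
  }
  return rows;
}

console.table(accessMatrix());
```

Running it prints the access matrix: on the restricted table alice and bob (both reviewers) see each other's uploads, carol sees only her own, and the "invisible." prefix is stripped before the parent is looked up. Attachments on unrestricted tables fall through to the parent record's readability, and an orphaned attachment is visible only to its uploader. Once the matrix matches what the business wants, the same branches map one-to-one onto the ACL script above.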


Hi brkelly,

did you create a new ACL on the sys_attachment table for that?

I have a similar task, I need to restrict the visibility of attachments for HR cases, so only HR team and requester can see it.

Thanks!

Paulina