Users on the watch list of RITMs are able to view the RITM but not the attachment.

Nitesh Balusu
Giga Guru

Hello,


We have non-ITIL users who are added to the watch list on RITMs. These users, even without the ITIL role, are able to view the RITM but are unable to view the attachments on the RITM. Is this something out of the box, that ServiceNow allows partial access to RITMs?

Aren't non-ITIL users even denied viewing access? Please let me know how we could solve this problem and allow the users to view the attachments as well. We do not want to give these users too much access either, where they could end up looking at attachments on all tables if they are given access to the attachment table.

Thanks.


Looks like you have to wrap this in a function due to the return, but it should look like this:

function checkTarget(){
	// Get a GlideRecord object for the record linked to the attachment
	var trg = new GlideRecord(current.getValue('table_name'));

	// Make sure the table is valid, otherwise you will get an error.
	// Images stored in fields, like catalog images, are stored with a table name like ZZ_YY[table_name] and will cause your script to fail.
	if (trg.isValid()){
		// get() returns false if no record with that sys_id exists; deny in that case rather than
		// calling canRead() on an empty record
		if (!trg.get(current.getValue('table_sys_id'))){
			return false;
		}
		// Return true if the user can read the record linked to the attachment, false if not
		return trg.canRead();
	} else {
		// If this is not a valid table, don't show it. Other ACLs should grant access in this case.
		return false;
	}
}

answer = checkTarget();

We are writing the ACL on the sys_attachment table, right? Do we even have to do a GlideRecord?

In line 1, did you mean a GlideRecord on the sys_attachment table?

Also, does table_sys_id need to be substituted with something else?


Also, where are we checking if the user is part of a watchlist?


I am confused, sorry!


Thanks.

The ACL is running against the sys_attachment table but we are looking at the target record (for example, the incident that the attachment shows up on). So what we are saying here is that if the user can read the incident, they should be able to read the attachment.

The table_name field refers to the table (in our example it would be incident) and table_sys_id is the sys_id of the target record (again, the specific incident).

Does that make more sense?
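To make that delegation concrete, here is an added runnable illustration, not code from this thread or from ServiceNow: a tiny in-memory stand-in replaces GlideRecord, and the incident read rule inside it (opener or watch-list member) is an assumed simplification of what the incident table's own ACLs decide for a user without the itil role. All user ids, sys_ids and records are constructed.

```javascript
// Constructed sample data: the only target table the attachment can point at here.
const CURRENT_USER = 'abel.tuter'; // constructed id of the user the ACL runs for

const TABLES = {
  incident: {
    INC001: { opened_by: 'abel.tuter', watch_list: [] },             // opened by the user
    INC002: { opened_by: 'beth.anglin', watch_list: ['abel.tuter'] }, // user on watch list
    INC003: { opened_by: 'beth.anglin', watch_list: [] },            // no relation to user
  },
};

// Stand-in exposing only the subset of the GlideRecord API the ACL script uses.
// It is a simulation for running offline, not the real ServiceNow class.
class GlideRecordSim {
  constructor(table) { this.table = table; this.rec = null; }
  // Unknown tables (for example the ZZ_YY-prefixed image tables) are not valid.
  isValid() { return Object.prototype.hasOwnProperty.call(TABLES, this.table); }
  // Like GlideRecord.get(sys_id): true if a record was loaded, false otherwise.
  get(sysId) { this.rec = TABLES[this.table][sysId] || null; return this.rec !== null; }
  // Simulated target-table read ACL for a non-ITIL user: opener or watch-list member.
  canRead() {
    if (!this.rec) return false;
    return this.rec.opened_by === CURRENT_USER || this.rec.watch_list.includes(CURRENT_USER);
  }
}

// The sys_attachment read rule: allow only if the user can read the target record.
// 'current' is the attachment row; table_name and table_sys_id are its real field names.
function attachmentCanRead(current) {
  const trg = new GlideRecordSim(current.table_name);
  if (!trg.isValid()) return false;                 // invalid table: deny, let other ACLs decide
  if (!trg.get(current.table_sys_id)) return false; // target record missing: deny
  return trg.canRead();                             // delegate to the target record's own ACLs
}
```

The watch-list check the thread asks about never appears in the attachment ACL itself; it lives in the target record's read rule, which is exactly why the script only asks whether the user can read that record.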

I tried testing it and it does not work, but looking at the logic, this would allow the user to read attachments only on the specific incident record. I want them to read all the attachments on all incident records as long as they are part of the watch list. By default they would only be able to see incidents they have opened or are on the watch list of, because the users do not have ITIL.


This ACL script should do that. If a user is on the watch list for an incident, then they can read the record, and the script should return true. It's evaluated against any attachments related to the incident the user is looking at.

Have you tried debugging security?