Allow regular end-users (snc_internal users) to add attachments to standard changes in ESC portal

pcrmc
Tera Contributor

Thursday

When I submit a standard change as admin I can see the paperclip icon to add an attachment on the next screen after submitting, but regular end-users cannot. Perhaps there is an even better way to get an attachment added. I first tried adding an attachment variable to the standard change, which did create an 'upload' button, but it didn't do anything.

pcrmc_1-1761244272009.png

 

pcrmc_0-1761244206392.png

pcrmc_2-1761244301369.png

 

 

0 Helpfuls
  • 321 Views
4 REPLIES 4

RaghavSh
Mega Patron

Friday

This is an ACL issue, check the write/create ACLs on "sys_attachment" table.

There should be something restricting this through roles.

 You will have to add snc_internal to that ACL.

 

Also check if itil users are able to do this.


Please mark the answer correct/helpful accordingly.


Raghav
MVP 2023
LinkedIn
0 Helpfuls

RaghavSh
Mega Patron
In response to RaghavSh

Friday

@pcrmc did you check write ACL on change_request and Attachment table?


Raghav
MVP 2023
LinkedIn
0 Helpfuls

MaxMixali
Giga Guru

Friday

Issue: End-users cannot attach files to Standard Change records

Admins can see and use the paperclip icon on the Change form because they have write access to the change_request table. End-users don’t see it since they lack write permission. Adding an “Attachment” variable directly on the Change form won’t work because attachments can’t be uploaded where users lack access.

--------------------------------------------------------------------
🟢 Solution 1: Collect attachments on the Request, then copy to the Change
--------------------------------------------------------------------
This is the safest and most common pattern.

Steps:
1. Submit the Standard Change through a Catalog Item or Record Producer.
2. Add a variable of type “Attachment” on the Catalog Item (UI Type = All).
3. When the Flow or Business Rule creates the Change record, copy attachments:

```javascript
// Copy attachments from RITM to Change
GlideSysAttachment.copy('sc_req_item', ritmSysId, 'change_request', changeSysId);
```

This lets end-users attach during submission, and you copy the files to the resulting Change.

--------------------------------------------------------------------
🟠 Solution 2: Allow attachments directly on the Change (not recommended)
--------------------------------------------------------------------
You could loosen ACLs so end-users can add attachments to change_request.

Example ACL logic (for sys_attachment, operation = create):
```
current.opened_by == gs.getUserID()
```
Be cautious: this exposes sensitive data.

--------------------------------------------------------------------
🟣 Solution 3: Make the “Attachment” variable work in Service Portal
--------------------------------------------------------------------
If the Upload button doesn’t work:
- Ensure variable’s UI Type = All.
- Ensure you’re using the standard Catalog Item widget.
- Remove any conflicting client scripts.
- Check browser console for errors.

--------------------------------------------------------------------
🟡 Solution 4: Record Producer for Standard Change
--------------------------------------------------------------------
If you must create the Change directly:
1. Create a Record Producer that mimics the Change form.
2. Include an Attachment variable.
3. In the producer script, create the change_request record and copy attachments:
```javascript
GlideSysAttachment.copy('sc_request', requestId, 'change_request', changeId);
```

--------------------------------------------------------------------
Quick Checklist
--------------------------------------------------------------------
- [x] Prefer collecting attachments on Request/Producer → copy to Change.
- [x] Only use direct Change attachments with custom ACLs (use cautiously).
- [x] Verify Attachment variables work in Service Portal (UI Type = All).
- [x] Use `GlideSysAttachment.copy()` to move files automatically.

 

0 Helpfuls

pcrmc
Tera Contributor

Monday

Thank you Max, I have not had time to try all your solutions yet. I just wanted to make sure I wasn't reinventing the wheel here. This really seems like something that ServiceNow would have just created a solution for. Is it strange to be having end-users add attachments to Standard Change requests? This seems pretty basic.

 

I have created ACLs for both sys_attachment and sys_attachment_doc. Created read, write, and create ACLs, nothing seems to work... Scripts like this:

 

// Allow writing (e.g., renaming) an attachment when the parent is a Change Request
// and the current user is the requester.
(function () {
  if (current.table_name != 'change_request')
    return false;

  var chg = new GlideRecord('change_request');
  if (!chg.get(current.table_sys_id))
    return false;

  // requester can write their own change's attachments
  return gs.getUserID() == chg.getValue('requested_by');
})();
0 Helpfuls