Encrypt checkbox missing on HR Case form after upgrade from Quebec to San diego

Jyoti Mehta · ‎05-13-2022

Hi Everyone,

we have upgrade our instance from Quebec to San Diego recently and after upgrade Encrypt checkbox for attachment is missing on HR Case form.

we have assigned the role to user but still user is unable to see the checkbox to encrypt the attachment. Before upgrade it was working fine. Encryption plugin is enabled in our system.

Does anyone have solution for this issue ?

Thanks in Advance!

Regards,

Jyoti

Javier C_ · ‎05-13-2022

To have this fully resolved you'll need the following

1) create a support ticket in the Hi Portal (support.servicenow.com) Make it a P2

2) They will tell you the following:

Keep in mind you can not execute step 1 or Step 2. this is something the support team in SN will need to do for you.

We also did a follow up on the encryption check box and we got this response:

3) Then you will need to set up the encryption modules. --Note Make sure you have Elevated Security Rights --- when setting this up. Instructions below:

Hi Javier,

My name is Joy and I am the support engineer within the APJ time zone assigned to assist you with your Case.
I understand that you need the functionality to be able to decide whether to encrypt an attachment, which is useful when attachments need to be shared with end users.

I have reached out to the team and found that in San Diego, Encryption Contexts have essentially been replaced by Encryption Module where if an Encrypted Field Configuration exists for the encryption of attachments, all attachments are automatically encrypted upon upload, the checkbox is no longer supported.

This change in design complies with the encryption standard. We do not revert back to legacy encryption as it is less safe.

With the new Encryption Module, you can use Multiple Encryption Modules, where the agent can have 2 roles (for example R_A and R_B) for 2 different Encryption Module (example EM_C for R_A and EM_D for R_B), while the end user has one role (R_A) and sharing one Encryption Module with the agent (EM_C).
The checked "Encrypt" checkbox would simulate the scenario when the agent uses the (EM_D) to encrypt the attachment, while the unchecked "Encrypt" checkbox would simulate the scenario when the agent uses (EM_C) so the end user would be able to access the attachment as well. Below are specific steps:
1. Create two Encryption Modules.
Encryption Module 1 is for the "snc_internal" role
Encryption Module 2 is for the "itil" role
2. Log in as itil, can select modules while uploading an attachment since this user has both the "snc_internal" and the "itil" roles.
Select the Encryption Module 1 and upload the attachment "Module 1 ITIL.jpg".
Select the Encryption Module 1 and upload the attachment "Module 2 ITIL.jpg".
3. Log in as abel.tuter who only has the "snc_internal" role.
This user can ONLY see the "Module 1 ITIL.jpg" encrypted attachment since it is encrypted by the Encryption Module 1 which is for the "snc_internal" role.
Upload the "Module 1 Abel Tuter.jpg" attachment, it can ONLY be encrypted by Encryption Module 1.
4. User itil can see the "Module 1 Abel Tuter.jpg" encrypted attachment.

Please refer to below for more information:
KB1117354 - How to access to multiple encryption modules when encrypting attachments

Please look at the above and let us know if you have questions and we are happy to assist further.

Kind regards,
Joy Quiwa
Senior Technical Support Engineer, APJ User Experience
ServiceNow | Works For You

4) Make sure you are in constant communication with your Sales Representative and support team... New things will be installed that you may need to be grandfathered.

5)GOOD LUCK! --- ServiceNow support team has advised that this will be fixed on future patches or most likely in the "Tokyo" release

View solution in original post

Javier C_ · ‎05-13-2022

To have this fully resolved you'll need the following

1) create a support ticket in the Hi Portal (support.servicenow.com) Make it a P2

2) They will tell you the following:

Keep in mind you can not execute step 1 or Step 2. this is something the support team in SN will need to do for you.

We also did a follow up on the encryption check box and we got this response:

3) Then you will need to set up the encryption modules. --Note Make sure you have Elevated Security Rights --- when setting this up. Instructions below:

Hi Javier,

My name is Joy and I am the support engineer within the APJ time zone assigned to assist you with your Case.
I understand that you need the functionality to be able to decide whether to encrypt an attachment, which is useful when attachments need to be shared with end users.

I have reached out to the team and found that in San Diego, Encryption Contexts have essentially been replaced by Encryption Module where if an Encrypted Field Configuration exists for the encryption of attachments, all attachments are automatically encrypted upon upload, the checkbox is no longer supported.

This change in design complies with the encryption standard. We do not revert back to legacy encryption as it is less safe.

With the new Encryption Module, you can use Multiple Encryption Modules, where the agent can have 2 roles (for example R_A and R_B) for 2 different Encryption Module (example EM_C for R_A and EM_D for R_B), while the end user has one role (R_A) and sharing one Encryption Module with the agent (EM_C).
The checked "Encrypt" checkbox would simulate the scenario when the agent uses the (EM_D) to encrypt the attachment, while the unchecked "Encrypt" checkbox would simulate the scenario when the agent uses (EM_C) so the end user would be able to access the attachment as well. Below are specific steps:
1. Create two Encryption Modules.
Encryption Module 1 is for the "snc_internal" role
Encryption Module 2 is for the "itil" role
2. Log in as itil, can select modules while uploading an attachment since this user has both the "snc_internal" and the "itil" roles.
Select the Encryption Module 1 and upload the attachment "Module 1 ITIL.jpg".
Select the Encryption Module 1 and upload the attachment "Module 2 ITIL.jpg".
3. Log in as abel.tuter who only has the "snc_internal" role.
This user can ONLY see the "Module 1 ITIL.jpg" encrypted attachment since it is encrypted by the Encryption Module 1 which is for the "snc_internal" role.
Upload the "Module 1 Abel Tuter.jpg" attachment, it can ONLY be encrypted by Encryption Module 1.
4. User itil can see the "Module 1 Abel Tuter.jpg" encrypted attachment.

Please refer to below for more information:
KB1117354 - How to access to multiple encryption modules when encrypting attachments

Please look at the above and let us know if you have questions and we are happy to assist further.

Kind regards,
Joy Quiwa
Senior Technical Support Engineer, APJ User Experience
ServiceNow | Works For You

4) Make sure you are in constant communication with your Sales Representative and support team... New things will be installed that you may need to be grandfathered.

5)GOOD LUCK! --- ServiceNow support team has advised that this will be fixed on future patches or most likely in the "Tokyo" release

Jyoti Mehta · ‎05-16-2022

@Javier C. : Thanks for the help! I will raise a HI ticket for the same.

Jyoti Mehta · ‎06-28-2022

Hi Javier

Have you implemented Role based Attachments Encryption using Module Access Policies ?

Thanks,

Jyoti

Kriti12 · ‎09-20-2022

Hi Javier/Jyoti,

Any update if this got fixed in Tokyo? or we have to go forward with Encryption Module in Tokyo as well?

Jyoti Mehta · ‎05-16-2022

@Giuliana Martino : Thanks for the help!