In the Employee Document table (sn_hr_ef_employee_document), the visibility of each document depends on the security policies applied to it. I want to understand how ServiceNow determines which security policy applies to a given document.

Is there a specific table or field where this mapping (document → security policy) is stored, or is it determined dynamically at runtime?

The reason I’m asking is because we’re trying to create a filtered document list where users can only see the documents they have read access to. If we knew which security policy (and read groups) applied to each document, we could generate that filtered list easily.