How does ServiceNow determine which security policy applies to an Employee Document?
3 weeks ago
In the Employee Document table (sn_hr_ef_employee_document), the visibility of each document depends on the security policies applied to it. I want to understand how ServiceNow determines which security policy applies to a given document.
Is there a specific table or field where this mapping (document → security policy) is stored, or is it determined dynamically at runtime?
The reason I’m asking is because we’re trying to create a filtered document list where users can only see the documents they have read access to. If we knew which security policy (and read groups) applied to each document, we could generate that filtered list easily.
3 weeks ago
Hi,
sn_hr_ef_m2m_doc_type_sec_policy contains the relationship between a security policy and document type. Potentially this is the table you're after?
2 weeks ago
To give some context, the Employee Document table in our instance contains over 300,000 records. When a user logs in, they are typically eligible to view only about 5,000 of these documents. However, the system does not display only those 5,000 documents. Instead, it shows partial results — for example, on page 1, it may display 3 documents along with a message such as “97 rows removed by security constraint.”
This causes usability issues, as the user needs to navigate through multiple pages to access all the documents they are actually authorized to view.
My objective is to identify which security policy is applied to each document so that I can derive visibility filters based on it. Specifically, if I can retrieve each document’s read, write, and purge groups, I can apply a filter condition such as:
- read is one of my groups, or
- write is one of my groups, or
- purge is one of my groups.
This would ensure that when a user accesses ADMS, they only see the documents they are entitled to view, rather than encountering messages like “rows removed by security constraint.”
Alternatively, if there is a more efficient way to achieve this — for instance, a configuration or query optimization that restricts the results upfront so users only see documents they are eligible to access — I would appreciate guidance on that approach as well.
My end goal is straightforward: when a user logs in to ServiceNow and opens EDMS, they should only see the documents they are permitted to view, without system messages or unnecessary data noise.
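As an added example, not code from the thread or from ServiceNow's HR application, the following plain JavaScript models the derivation the replies describe (document type → security policy via sn_hr_ef_m2m_doc_type_sec_policy → read/write/purge groups) over constructed sample data and turns the result into a list filter. The policy field names read_groups, write_groups and purge_groups, the m2m column names and the document_type field are assumptions, not verified against the sn_hr_ef schema.

```javascript
// Added example, not code from the thread or from ServiceNow: a plain-JavaScript
// model of document type -> security policy -> groups over constructed data.
// Field names (read_groups/write_groups/purge_groups as glide_list strings of
// group sys_ids, document_type, security_policy) are assumptions.
const SECURITY_POLICIES = {
  pol_hr_only:  { read_groups: 'grp_hr', write_groups: 'grp_hr', purge_groups: 'grp_hr_admin' },
  pol_manager:  { read_groups: 'grp_managers,grp_hr', write_groups: 'grp_hr', purge_groups: '' },
  pol_employee: { read_groups: 'grp_all_employees', write_groups: '', purge_groups: '' },
};

// Constructed rows of sn_hr_ef_m2m_doc_type_sec_policy (document type <-> policy).
const DOC_TYPE_POLICY_M2M = [
  { document_type: 'offer_letter', security_policy: 'pol_hr_only' },
  { document_type: 'review_form',  security_policy: 'pol_manager' },
  { document_type: 'review_form',  security_policy: 'pol_hr_only' },
  { document_type: 'payslip',      security_policy: 'pol_employee' },
];

// glide_list values are comma-separated sys_ids; tolerate blanks and spaces.
function splitList(glideList) {
  return (glideList || '').split(',').map(s => s.trim()).filter(Boolean);
}

// A policy applies to the user if any read, write or purge group is theirs
// (the "read/write/purge is one of my groups" condition from the thread).
function policyMatchesUser(policy, userGroups) {
  const mine = new Set(userGroups);
  return ['read_groups', 'write_groups', 'purge_groups'].some(field =>
    splitList(policy[field]).some(group => mine.has(group)));
}

// Document types the user should expect to see, derived only from the mapping.
function visibleDocumentTypes(userGroups, m2mRows = DOC_TYPE_POLICY_M2M,
                              policies = SECURITY_POLICIES) {
  const types = new Set();
  for (const row of m2mRows) {
    const policy = policies[row.security_policy];
    if (policy && policyMatchesUser(policy, userGroups)) types.add(row.document_type);
  }
  return [...types].sort();
}

// Encoded query for the list filter. It only narrows the list: ACLs still run
// on every row, so a stale mapping can hide documents but never expose them.
// An empty type set yields a query that matches no rows (sys_id is never empty).
function buildEncodedQuery(types) {
  return types.length ? 'document_typeIN' + types.join(',') : 'sys_idISEMPTY';
}

console.log(buildEncodedQuery(visibleDocumentTypes(['grp_managers'])));
```

On the instance the two constructed tables would be replaced by GlideRecord queries against the policy and m2m tables, with the group list taken from the logged-in user's session.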
