What is the OOTB security on the sys_attachment table?

Suzanne H · ‎05-28-2025

I would assume that non-HR users (users without an HR role) would not be able to view attachments to HR Cases and HR Profiles from the sys_attachment_list.do. Does the security on the sn_hr_core_case and sn_hr_core_profile tables apply to attachments?

Chaitanya ILCR · ‎05-28-2025

Hi @Suzanne H ,

you can check which ACLs are applying on a particular attachment using the access analyzer

select sys_attachment table and select the attachment record which is attached to HR table

and click on evaluate access

it will give you detailed info on what access has been give and what is blocked

you can click on each operation to see which ACLs have provided(or blocked the access)

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

Sandeep Rajput · ‎05-28-2025

@Suzanne H ServiceNow enforces security on attachments based on the security of the parent record (i.e., the HR case or HR profile).If a user cannot access the sn_hr_core_case or sn_hr_core_profile record, they will not be able to see or download the attachments either.

Suzanne H · ‎05-29-2025

@Sandeep Rajput

Thanks for your response. I agree that the security on attachments should be based on the security of the parent record but we've discovered that it's not working as expected.

Sandeep Rajput · ‎05-29-2025

@Suzanne H If this is the case then I recommend creating the additional read ACLs on the sys_attachment to only grant access when the user has access to the parent record.