What is the OOTB security on the sys_attachment table?

05-28-2025 04:25 PM
I would assume that non-HR users (users without an HR role) would not be able to view attachments to HR Cases and HR Profiles from the sys_attachment_list.do. Does the security on the sn_hr_core_case and sn_hr_core_profile tables apply to attachments?
05-28-2025 06:33 PM
Hi @Suzanne H ,
You can check which ACLs are applying on a particular attachment using the Access Analyzer.
Select the sys_attachment table and select the attachment record which is attached to the HR table,
and click on Evaluate Access.
It will give you detailed info on what access has been given and what is blocked.
You can click on each operation to see which ACLs have provided (or blocked) the access.
Please mark my answer as helpful/correct if it resolves your query.
Regards,
Chaitanya

05-28-2025 06:44 PM
@Suzanne H ServiceNow enforces security on attachments based on the security of the parent record (i.e., the HR case or HR profile). If a user cannot access the sn_hr_core_case or sn_hr_core_profile record, they will not be able to see or download the attachments either.

05-29-2025 03:15 PM
Thanks for your response. I agree that the security on attachments should be based on the security of the parent record but we've discovered that it's not working as expected.

05-29-2025 04:31 PM
@Suzanne H If this is the case then I recommend creating the additional read ACLs on the sys_attachment to only grant access when the user has access to the parent record.
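
The check recommended in the last reply, written as the script of a read ACL on sys_attachment (an added example, not code from this thread or from ServiceNow). `parentIsReadable` is a hypothetical helper name; `table_name` and `table_sys_id` are the attachment's parent-reference fields, and the GlideRecord constructor is passed in as a parameter only so the function can also be exercised outside the platform.

```javascript
// Added example: script body for a read ACL on sys_attachment.
// parentIsReadable is an illustrative name, not a platform API.

/**
 * Returns true only when the record the attachment belongs to can be
 * read by the current session user. Every unexpected case denies.
 *
 * attachment      - the sys_attachment GlideRecord being evaluated
 * GlideRecordCtor - the GlideRecord constructor (injected for testing)
 */
function parentIsReadable(attachment, GlideRecordCtor) {
    var table = String(attachment.getValue('table_name') || '');
    var sysId = String(attachment.getValue('table_sys_id') || '');

    // Attachment row with no parent reference: nothing to consult, deny.
    if (!table || !sysId) {
        return false;
    }

    var parent = new GlideRecordCtor(table);

    // isValid() is false when table_name does not name a real table.
    if (!parent.isValid()) {
        return false;
    }

    // get() is false when the parent row cannot be loaded in this session
    // (deleted, or filtered out by a before-query business rule).
    if (!parent.get(sysId)) {
        return false;
    }

    // canRead() evaluates the parent table's read ACLs for the current user,
    // so sn_hr_core_case / sn_hr_core_profile rules decide the outcome.
    return parent.canRead();
}

// On the instance, `current` is the sys_attachment row and `answer` is the
// ACL result variable. The guard keeps the file loadable elsewhere.
if (typeof current !== 'undefined' && typeof GlideRecord !== 'undefined') {
    answer = parentIsReadable(current, GlideRecord);
}
```

After adding an ACL like this, re-run the Access Analyzer evaluation described earlier in the thread as a non-HR user to confirm which ACL now decides the read operation.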