Community Alums
Not applicable

Make selected attachments invisible to non-ITIL users on a task form

I’m writing this article based on my recent experience with one of my client's requirements. When an attachment is uploaded to a task record, it is visible to all users by default. The requirement was that when an internal user shares a file on a task record for internal purposes, it must not be visible to the end users who raised the ticket. This is similar to the behaviour of internal work notes on a task record.

We might assume that a new read ACL on the sys_attachment table could restrict the visibility of attachments for end users. That does not fulfil the requirement, because the OOB read ACL overrides it and grants access to everyone. You might then think of disabling the OOB read ACL and defining a new read ACL in its place. This is also not the right approach, as it may affect other users.

I found some good content on the community, from which I customised the following solution: create a new Boolean field called “Private” on the sys_attachment table and add the Attachments related list to the task form. When an ITIL user adds an attachment to a task record, make sure the “Private” field is set to true so that the end user cannot see the attachment.

The customised solution is as follows:

  1. Create a new Boolean field called “Private” on the “sys_attachment” table.
  2. This field should be editable by ITIL users only, so create a write ACL on the sys_attachment table on the “Private” field for ITIL users.
  3. Duplicate the script include AttachmentSecurity as CustomAttachmentSecurity and add the following code in the canRead function.
    // Hide attachments flagged Private from interactive users without the itil role.
    if (!gs.hasRole('itil') && current.u_private == true && gs.getSession().isInteractive()) {
        return false;
    }
  4. Disable the OOB read ACL whose script calls the AttachmentSecurity script include.
  5. Duplicate the above ACL and replace the script name AttachmentSecurity with the custom one you defined in step 3.
    answer = new global.CustomAttachmentSecurity().canRead(current);

Steps for Testing:

  1. Open any incident record.
  2. Add an attachment.
  3. Configure the incident form to include the Attachments related list.
  4. Configure the list layout of the Attachments related list so that the “Private” field is visible in the list.
  5. Set the “Private” field value to true for the attachments you added in step 2.
  6. Impersonate the caller and open the same incident record.
  7. Observe that the attachment is not visible.
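
The test steps above exercise one case: an interactive caller without the itil role. As an added example (not part of the original article and not ServiceNow code), this Node.js harness runs the step 3 guard against every combination of role, Private flag and session type; `makeGs`, `baseCanRead` and the stub objects are assumptions made for illustration.

```javascript
// Added example: offline harness for the step 3 guard. The gs/current objects
// are constructed stubs, not the ServiceNow runtime.
function makeGs(roles, interactive) {
  return {
    hasRole: (role) => roles.includes(role),
    getSession: () => ({ isInteractive: () => interactive }),
  };
}

// Stand-in for the duplicated script include. baseCanRead represents the rest
// of the copied canRead logic, which the page does not show (assumed to allow).
function CustomAttachmentSecurity(gs, baseCanRead) {
  this.canRead = function (current) {
    // Guard from step 3, condition unchanged.
    if (!gs.hasRole('itil') && current.u_private == true && gs.getSession().isInteractive()) {
      return false;
    }
    return baseCanRead(current);
  };
}

// Evaluate every combination of role, Private flag and session type.
function decisionMatrix() {
  const rows = [];
  for (const roles of [['itil'], []]) {
    for (const isPrivate of [true, false]) {
      for (const interactive of [true, false]) {
        const acl = new CustomAttachmentSecurity(makeGs(roles, interactive), () => true);
        rows.push({
          itil: roles.includes('itil'),
          private: isPrivate,
          interactive,
          canRead: acl.canRead({ u_private: isPrivate }),
        });
      }
    }
  }
  return rows;
}

// Rows where a private attachment is still readable without the itil role.
function privateReadableByNonItil() {
  return decisionMatrix().filter((r) => r.private && !r.itil && r.canRead);
}

console.table(decisionMatrix());
```

The single row returned by `privateReadableByNonItil()` is the non-interactive session: the guard applies only to interactive sessions, so read access for a non-ITIL account in a non-interactive session is decided by the rest of canRead.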

To implement the same solution on any task form (Incident, RITM, Catalog Task, etc.), include the Attachments related list on the respective task form and add the Private field to its list layout.

I found a useful video in the series The Witch Doctor’s Guide to ServiceNow – Episode 12 by Göran Lundqvist, who explains the process clearly.

Here is the link for the video:

https://www.youtube.com/watch?v=Zt4KynJanj0


Please mark this article as helpful if you found it useful.

Comments
parth2
Tera Contributor

Thanks @Community Alums . This was really helpful

Chris Dea1
Tera Contributor

Thanks, this was very helpful Sharath!  I had some issues initially (my own fault).  Notes for others...make sure to create a new "CustomAttachmentSecurity" script include -- the existing AttachmentSecurity has read-only policy. And make sure to update that new script include with "CustomAttachmentSecurity" instead of "AttachmentSecurity" :).

Version history
Last update:
‎04-27-2022 12:20 AM
Updated by:
Community Alums