Alert: Security Leakage When Using Query Business Rules on Child Tables through emails
An organization wants to restrict visibility of sensitive fields (like email body, subject, or recipients) stored in the Email [sys_email] table. Developers create Query Business Rules (BRs) on child tables to filter access.
❗Problem Statement
When Query BRs are created only on child tables, the restrictions do not apply universally. Users can still:
- Personalize list views and bring restricted fields into visibility.
- Access sensitive data such as email content through the Emails module.
This causes a data security leakage, even if the restrictions were intended to apply to admins as well.
Solutions
1. Write the Query Business Rule on the parent table instead of the child table.
Please refer to the original post - Preventing Security Leakage with Query Business Rules on Child Tables in ServiceNow - https://www.servicenow.com/community/itsm-forum/preventing-security-leakage-with-query-business-rule...
2. Restrict the notification and control its visibility.
Follow this link to understand how to apply the restriction: https://www.servicenow.com/docs/bundle/yokohama-platform-administration/page/administer/notification...
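To see why solution 1 matters, here is an added simulation (not ServiceNow platform code, and not from the post above) of how Query Business Rules inherit: a rule on a table applies to queries against that table and everything extending it, but not to queries against its parent. The table name `sys_email_child`, the `sensitive` flag and the `email_viewer` role are constructed for the illustration.

```javascript
// Constructed model of table inheritance: child -> parent (null = root).
const TABLE_PARENT = { sys_email: null, sys_email_child: "sys_email" }; // hypothetical child table

// Return [table, parent, grandparent, ...] for a table name.
function ancestorsOf(table) {
  const chain = [];
  for (let t = table; t; t = TABLE_PARENT[t]) chain.push(t);
  return chain;
}

// Query rules are stored per table: table -> [predicate(row, user) => boolean].
function makeRuleSet() { return {}; }
function addQueryRule(rules, table, predicate) {
  (rules[table] = rules[table] || []).push(predicate);
}

// A query against `table` sees rows of that table and its descendants, and is
// filtered by rules defined on `table` or any of its ancestors. Rules defined
// only on a child are NOT consulted when the parent is queried directly, which
// is exactly what the Emails module does when it lists sys_email.
function query(rules, table, rows, user) {
  const active = ancestorsOf(table).flatMap((t) => rules[t] || []);
  return rows
    .filter((row) => ancestorsOf(row.sys_class_name).includes(table))
    .filter((row) => active.every((pred) => pred(row, user)));
}

// Constructed sample rows standing in for sys_email records.
const SAMPLE_EMAILS = [
  { sys_id: "e1", sys_class_name: "sys_email", subject: "Payroll change", sensitive: true },
  { sys_id: "e2", sys_class_name: "sys_email", subject: "Newsletter", sensitive: false },
  { sys_id: "e3", sys_class_name: "sys_email_child", subject: "HR case notes", sensitive: true },
];

// Hypothetical restriction: sensitive emails are visible only to email_viewer.
const restrictSensitive = (row, user) => !row.sensitive || user.roles.includes("email_viewer");
const plainUser = { name: "alice", roles: ["itil"] }; // constructed user without the role

// Register the rule on `ruleTable`, query `queriedTable`, return visible sys_ids.
function visibleWithRuleOn(ruleTable, queriedTable, user = plainUser) {
  const rules = makeRuleSet();
  addQueryRule(rules, ruleTable, restrictSensitive);
  return query(rules, queriedTable, SAMPLE_EMAILS, user).map((r) => r.sys_id);
}

console.log("rule on child, query parent :", visibleWithRuleOn("sys_email_child", "sys_email")); // leak: e1,e2,e3
console.log("rule on parent, query parent:", visibleWithRuleOn("sys_email", "sys_email"));       // e2 only
console.log("rule on parent, query child :", visibleWithRuleOn("sys_email", "sys_email_child")); // nothing
```

The first call shows the leak described in the problem statement: the sensitive rows remain visible because the parent-table query never evaluates the child-table rule, while moving the rule to the parent closes both paths.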