
Alert: Security Leakage When Using Query Business Rules on Child Tables through emails

Sushma Pavani K
Tera Guru

An organization wants to restrict visibility of sensitive fields (like email body, subject, or recipients) stored in the Email [sys_email] table. Developers create Query Business Rules (BRs) on child tables to filter access.


Problem Statement

  • When Query BRs are created only on child tables, restrictions do not apply universally.

  • Users can still:

    • Personalize list views and bring restricted fields into visibility.

    • Access sensitive data such as email content through the Emails module.

  • This causes a data security leakage, even if restrictions were intended for admins as well.


Solutions

1. Write the Query Business Rule on the parent table instead of the child table.

Please refer to the original post: Preventing Security Leakage with Query Business Rules on Child Tables in ServiceNow - https://www.servicenow.com/community/itsm-forum/preventing-security-leakage-with-query-business-rule...


2. Restrict the notification and control the visibility.

Follow this link to understand how to apply the restriction: https://www.servicenow.com/docs/bundle/yokohama-platform-administration/page/administer/notification...
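To illustrate why solution 1 works, here is an added example that is not from the original post or from the ServiceNow platform: a small in-memory model of how Query Business Rules are applied across a table hierarchy. The child table name sys_email_child, the sample rows, and the gs/current shims are constructed stand-ins; only sys_email and the gs.hasRole / current.addQuery call shapes are real platform names. The rule body restrictEmailVisibility is written the way a query rule is, and the two scenarios run the same rule placed on the child table (it is skipped when the parent is queried) and on the parent table (it is inherited by the child).

```javascript
// Added example, not part of the original post. Models ServiceNow's rule
// inheritance: Query BRs on a table also run for queries on its child tables,
// but a Query BR defined only on a child never runs when the parent is queried.

// Table hierarchy: child -> parent. sys_email_child is a hypothetical child.
const PARENT_OF = { sys_email_child: "sys_email" };

// Constructed sample rows. Extended-table rows carry their class name, so a
// query on the parent table returns them as well.
const ROWS = [
  { sys_id: "e1", sys_class_name: "sys_email",       subject: "Payroll change", sys_created_by: "alice" },
  { sys_id: "e2", sys_class_name: "sys_email_child", subject: "Offer letter",   sys_created_by: "bob" },
  { sys_id: "e3", sys_class_name: "sys_email",       subject: "Weekly digest",  sys_created_by: "alice" },
];

// Registry of Query Business Rules keyed by the table they are defined on.
const QUERY_BRS = {};
function defineQueryBR(table, fn) {
  if (!QUERY_BRS[table]) QUERY_BRS[table] = [];
  QUERY_BRS[table].push(fn);
}

// Minimal stand-ins for the gs and current objects a Query BR script sees (shim, not the real API).
function makeGs(user, roles) {
  return { getUserName: () => user, hasRole: (r) => roles.includes(r) };
}
function makeCurrent() {
  const conditions = [];
  return { addQuery: (field, value) => conditions.push([field, value]), conditions };
}

// Rules that fire for a query on `table`: its own rules plus every ancestor's.
function rulesFor(table) {
  const chain = [];
  for (let t = table; t; t = PARENT_OF[t]) chain.push(t);
  return chain.flatMap((t) => QUERY_BRS[t] || []);
}

// A row is visible through `table` if its class is that table or a descendant of it.
function belongsTo(row, table) {
  for (let t = row.sys_class_name; t; t = PARENT_OF[t]) if (t === table) return true;
  return false;
}

// Run a query as `user`: apply every applicable Query BR, then filter rows.
function query(table, user, roles) {
  const current = makeCurrent();
  const gs = makeGs(user, roles);
  for (const rule of rulesFor(table)) rule(current, gs);
  return ROWS
    .filter((row) => belongsTo(row, table) && current.conditions.every(([f, v]) => row[f] === v))
    .map((row) => row.sys_id);
}

// The Query BR body, in the shape a ServiceNow query rule takes:
// admins see everything, everyone else only sees mail they created.
function restrictEmailVisibility(current, gs) {
  if (gs.hasRole("admin")) return;
  current.addQuery("sys_created_by", gs.getUserName());
}

function resetRules() {
  for (const k of Object.keys(QUERY_BRS)) delete QUERY_BRS[k];
}

// Scenario 1 (the leak): the rule lives only on the child table.
function leakyPlacement() {
  resetRules();
  defineQueryBR("sys_email_child", restrictEmailVisibility);
  return {
    viaChild: query("sys_email_child", "bob", ["itil"]),  // filtered
    viaParent: query("sys_email", "bob", ["itil"]),       // unfiltered: every row leaks
  };
}

// Scenario 2 (solution 1 from the post): the same rule on the parent table.
function fixedPlacement() {
  resetRules();
  defineQueryBR("sys_email", restrictEmailVisibility);
  return {
    viaChild: query("sys_email_child", "bob", ["itil"]),  // inherited, filtered
    viaParent: query("sys_email", "bob", ["itil"]),       // filtered
    admin: query("sys_email", "carol", ["admin"]),        // admin bypass, all rows
  };
}

console.log("child-only rule:", leakyPlacement());
console.log("parent rule:   ", fixedPlacement());
```

The model only covers row visibility through Query BRs. As the reply below notes, a user who reaches a row by another route still sees its fields, so field-level ACLs on subject, body and recipients remain the complement to the parent-table rule.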


kaushal_snow
Mega Sage

Hi @Sushma Pavani K,


Thanks for sharing. As per my knowledge, Query BRs on a child table may not apply when users query via the parent table or via modules/views that use the parent. If someone views an email record via the parent sys_email table rather than via the child table, a BR on the child table may be bypassed. The result is that sensitive data can still be exposed through list views, related lists, or module entries that use the parent. Even with Query BRs filtering out rows/records, if a user gets to a record (or parent record) via some other route, sensitive fields (subject, body, recipients) might be visible unless protected via field-level ACLs. So the BRs may not be sufficient by themselves.


If you found my response helpful, please mark it as ‘Accept as Solution’ and ‘Helpful’. This helps other community members find the right answer more easily and supports the community.


Thanks and Regards,
Kaushal Kumar Jha - ServiceNow Consultant - Let's connect on LinkedIn: https://www.linkedin.com/in/kaushalkrjha/