
Can we hide attachment and work notes other than security assignment groups

chandan2212
Tera Contributor

Hi all, 

 

We have a security group, and they want to ensure that if any other users view the security group's tickets, they should not be able to see the attachments and work notes on the form. Can we use a Display Business Rule to achieve this requirement, or are there other options available? If possible, could you provide the code?

 

 

Thanks and Regards,

Chandan 

 

 

3 REPLIES 3

Deepak Shaerma
Kilo Sage

Hi @chandan2212 ,

Yes, you can use the Display BR for this with an onLoad Client Script, but I recommend you do not use this method. The correct and most secure solution is to use Access Control Lists (ACLs).

The problem is that using a Display BR + Client Script is a client-side solution. It hides the fields in the user's browser after the data has already been sent from the server, and anyone can access it using show XML.

Use Read ACLs for this.
ACL for worknotes:

var securityGroupSysId = 'PASTE_YOUR_GROUP_SYS_ID_HERE';

if (current.assignment_group.getValue() == securityGroupSysId) {
    
    // It's a security ticket. Only grant access if the user is a member.
    answer = gs.getUser().isMemberOf(securityGroupSysId);

} else {
    // It's not a security ticket, so this ACL doesn't apply.
    // Let other ACLs grant access.
    answer = true;
}

ACL for Attachments:

if (current.table_name != 'incident') { // <-- Change 'incident' to your table
    answer = true;
} else {

    // Get the parent record (the incident, etc.)
    var parentRecord = new GlideRecord(current.table_name);
    if (!parentRecord.get(current.table_sys_id)) {
        // Record doesn't exist? Grant access (or deny, your choice)
        answer = true; 
    
    } else {
        // Now check the parent record's assignment group
        var securityGroupSysId = 'PASTE_YOUR_GROUP_SYS_ID_HERE';
        
        if (parentRecord.assignment_group.getValue() == securityGroupSysId) {
            // It's a security ticket. Grant access only if user is a member.
            answer = gs.getUser().isMemberOf(securityGroupSysId);
        } else {
            // Not a security ticket. Grant access.
            answer = true;
        }
    }
}




Note: Please mark this as Helpful and as the Accepted Solution if it helps you to understand. This will help both the community and me.
- Keep Learning
Thanks & Regards 
Deepak Sharma
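
The difference between the two approaches discussed in the reply above, as an added example that is not part of the original thread: a plain Node.js model (not ServiceNow APIs) in which the record, the users and the group sys_id are constructed placeholders. It compares what the server response still contains for a non-member when fields are hidden client-side versus when a read ACL denies them.

```javascript
// Added illustration: plain Node.js model, NOT ServiceNow APIs.
// SECURITY_GROUP, the users and the record are constructed sample data.
const SECURITY_GROUP = 'sec-group-sys-id'; // placeholder sys_id

const record = {
  number: 'INC0000001',
  assignment_group: SECURITY_GROUP,
  short_description: 'Suspicious login',
  work_notes: 'Analyst note: credentials rotated',
  attachments: ['evidence.pcap'],
};

const member = { name: 'analyst', groups: [SECURITY_GROUP] };
const outsider = { name: 'helpdesk', groups: ['service-desk-sys-id'] };

// Same decision as the read ACL scripts in the reply above.
function canReadSensitive(rec, user) {
  if (rec.assignment_group !== SECURITY_GROUP) return true; // not a security ticket
  return user.groups.includes(SECURITY_GROUP);
}

// Approach 1: Display BR + onLoad client script.
// The server sends every field plus a flag; the browser hides fields afterwards.
function displayRuleResponse(rec, user) {
  return { fields: { ...rec }, scratchpad: { showAttachment: canReadSensitive(rec, user) } };
}

// Approach 2: read ACL. The server drops denied fields before responding.
function aclResponse(rec, user) {
  const fields = { ...rec };
  if (!canReadSensitive(rec, user)) {
    delete fields.work_notes;
    delete fields.attachments;
  }
  return { fields };
}

// Field names present in the raw response, regardless of what the form renders.
function rawView(response) {
  return Object.keys(response.fields).sort();
}

console.log('client-side hide, outsider:', rawView(displayRuleResponse(record, outsider)));
console.log('read ACL, outsider:        ', rawView(aclResponse(record, outsider)));
console.log('read ACL, member:          ', rawView(aclResponse(record, member)));
```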

Ankur Bawiskar
Tera Patron

@chandan2212 

Any user satisfying table.None WRITE access will see the option to add attachments using the paper clip.

If your customer is OK with blocking the WRITE, then it will hide the attachments paper-clip and they can't add files.

If not, then you can use a combination of Display Business Rule + onLoad client script to hide the attachment paper-clip using DOM manipulation.

Note: DOM manipulation is not a recommended practice.

Display BR

(function executeRule(current, previous /*null when async*/ ) {

    var currentGroup = current.getValue("assignment_group");
    g_scratchpad.showAttachment = gs.getUser().isMemberOf(currentGroup);

})(current, previous);

onLoad client script:

function onLoad() {

    if (g_scratchpad.showAttachment.toString() == 'false') {
        gel('header_add_attachment').style.display = 'none';
        gel('header_attachment_size_checker').style.display = 'none';
        g_form.setDisplay('work_notes', false); // hide work notes
    }
}

Ensure Isolate Script = False for your client script so that the DOM manipulation runs.


 

Restricting visibility of work notes in Activity Stream

If you don't want the users to see work notes in the activity stream, then it is better to create a field-level READ ACL and use this script:

answer = gs.getUser().isMemberOf(current.getValue("assignment_group"));

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

@chandan2212 

Thank you for marking my response as helpful.

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader