Encrypting attachment while inserting or updating a record

Community Alums
Not applicable

Hi All,

I have configured an encryption context and am running the script https://docs.servicenow.com/bundle/jakarta-servicenow-platform/page/script/server-scripting/concept/...

as per the doc. But this script works only when run from Scripts - Background.

It is not working in a Scheduled Job (even if I set it to run as a user with the encryption context role), Business Rule, Script, etc.

Could anyone help on this?


josh_nerius
ServiceNow Employee

Hi Karthik,



Encryption contexts cannot be accessed directly by asynchronous jobs. Even if you use the "Run As" option, this is using impersonation to run the job, and impersonation does not grant access to encryption contexts for security reasons.



To make this work, the code must be running as the current user (as long as that user has access to the encryption context). I believe you could try an "after insert" Business Rule (not sure if before will work) on the sys_attachment table. Set a condition to make sure the attachment is associated with the appropriate table, and then set the encryption context using the scripting examples you provided.



There is also an app on Share called Easy Encryption: ServiceNow Share: Easy Encryption. Disclaimer: I don't have much experience with this app, so I'd test this thoroughly in a dev or personal developer instance first.
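As an added illustration of the after-insert Business Rule approach described above (this is not code from the thread or from ServiceNow's documentation), the script below keeps the decision of which attachments to encrypt in a small pure function and applies the context to the record. It assumes that the sys_attachment table exposes an encryption_context reference field that can be set from script (verify against your release); the context sys_id, the list of protected tables and the FakeRecord stand-in are placeholders constructed for offline testing.

```javascript
// Added example (not from the thread). Intended as an "after insert" Business
// Rule on sys_attachment. Assumes sys_attachment has a scriptable
// encryption_context reference field (assumption, check your release notes).

// Placeholder: sys_id of the Encryption Context record to apply.
var ENCRYPTION_CONTEXT_SYS_ID = '<encryption_context_sys_id>';

// Only attachments on these tables receive the context (placeholder list).
var ENCRYPTED_TABLES = ['incident', 'u_secure_request'];

// Pure decision helper: encrypt when the attachment belongs to a protected
// table and has not already been assigned a context.
function shouldEncrypt(tableName, existingContext, protectedTables) {
  if (!tableName) return false;
  if (existingContext) return false; // already encrypted, leave it alone
  return protectedTables.indexOf(String(tableName)) !== -1;
}

// Applies the context to a record exposing GlideRecord-style
// getValue/setValue/update. Returns true when an update was issued.
function applyEncryptionContext(record, contextSysId, protectedTables) {
  var tableName = record.getValue('table_name');
  var existing = record.getValue('encryption_context');
  if (!shouldEncrypt(tableName, existing, protectedTables)) return false;
  record.setValue('encryption_context', contextSysId);
  record.update();
  return true;
}

// Business Rule entry point: the platform supplies `current` and `previous`.
// Guarded so the file also loads outside the platform (e.g. for a unit test).
if (typeof current !== 'undefined') {
  (function executeRule(current, previous) {
    // This runs in the submitting user's session, so that user must have
    // access to the encryption context; gs.error is the platform log call.
    try {
      applyEncryptionContext(current, ENCRYPTION_CONTEXT_SYS_ID, ENCRYPTED_TABLES);
    } catch (e) {
      gs.error('Attachment encryption failed for ' + current.getUniqueValue() + ': ' + e);
    }
  })(current, previous);
}

// Minimal stand-in for a GlideRecord, used only for offline testing
// (constructed for this example; not a platform class).
function FakeRecord(fields) {
  this.fields = fields;
  this.updated = false;
}
FakeRecord.prototype.getValue = function (name) { return this.fields[name] || ''; };
FakeRecord.prototype.setValue = function (name, value) { this.fields[name] = value; };
FakeRecord.prototype.update = function () { this.updated = true; };
```

Because the rule runs in the session of whoever created the attachment, it only succeeds when that user can access the encryption context; attachments created by asynchronous paths such as inbound email will not pass through a real user session and are not covered by this rule.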


Community Alums
Not applicable

Thanks a lot for the quick response Josh.


As per your suggestion of running an after insert BR, the user who submits the record should have the encryption context role, right? But I can't provide this role to all users in the system, and it should work for inbound email ticket creation as well. Any thoughts on this?



Thanks for providing the ServiceNow Share app link. I will try it and share the outcome.


Every user that needs to read the attachment must have the encryption context/role.



By default, attachments on inbound emails can't be encrypted because this is an asynchronous action and doesn't take place on a "real" user session. If you want to encrypt inbound email attachments, you'll have to look at a solution similar to the Simple Encryption app. You could potentially build something similar to the Share functionality on your own if you don't want to use the app directly.


Community Alums
Not applicable

Can we use the script to encrypt any attachment added to the table? To run the script we need the encryption context role, right? If we put the script in a BR, it will run with the user's roles and obviously the script will fail. Users need the encryption context role to read and to run the script as well, right?



Reading the attachment is fine, as only the respective fulfillers will access it. But I need the script to run as a fixed user, or for users without the role. I'm not getting any idea around this.