Restrict attachment table view to only user records

Sooriya3
Giga Guru

Currently any user (even with no roles) if they have the URL for the attachment table are able to view ALL attachments in the system. We want to restrict the view to only their own records. How to achieve this? For incident, problem and all other ticket types, the view is restricted to those created by the user. 

1 ACCEPTED SOLUTION

Mark Manders
Mega Patron

Check on the ACLs and use those to prevent non-role users to see attachments other than their own.

If you are on Xanadu, you can use deny-unless ACLs to make it easy on yourself.


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark

View solution in original post

2 REPLIES 2

Mark Manders
Mega Patron

Check on the ACLs and use those to prevent non-role users to see attachments other than their own.

If you are on Xanadu, you can use deny-unless ACLs to make it easy on yourself.


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark

Ankur Bawiskar
Tera Patron
Tera Patron

@Sooriya3 

what do you mean by user with no roles?

Did you check any OOB table.None READ ACL on sys_attachment is giving access to these users?

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader