
Access controls of attachments

ShumaS
Tera Contributor

Can access permissions for attachments in a Request Item be controlled from within the Request Item itself?

I don't want to change the ACLs of sys_attachment, because sys_attachment is a fundamental table used by all applications.

Do you have any excellent ideas?

1 ACCEPTED SOLUTION

Ankur Bawiskar
Tera Patron

@ShumaS 

not possible without creating/updating ACL on sys_attachment as that's the place where files are stored for records

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  10x ServiceNow MVP  ||  ServiceNow Community Leader


4 REPLIES

Tanushree Maiti
Kilo Patron

Hi @ShumaS 

Since attachments in ServiceNow are saved in the sys_attachment table, they follow the security rules of their parent record.

To manage access at the RITM level, you can implement script-based ACLs on the sys_attachment table that reference fields from the parent sc_req_item record.

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect

pr8172510
Giga Guru

Hi @ShumaS ,

Yes, this requirement is achievable without modifying OOTB ACLs globally on sys_attachment.

I implemented a solution by controlling access at the record level using ACLs on both:

  • sys_attachment

  • sys_attachment_doc (important for actual file content)

  • Created Read ACLs with “Deny Unless” on both tables

  • Restricted access only when the attachment belongs to sc_req_item (RITM)

  • Allowed access based on:

    • User is Requested For (Opened For)

    • User is part of the Assignment Group

    • User has admin role


(function executeRule(current, previous) {

    // Only RITM attachments are restricted here; attachments on any other
    // table pass this ACL and stay governed by the other read ACLs.
    // Note: on sys_attachment_doc the row has no table_name/table_sys_id of
    // its own, so read them through the reference there
    // (current.sys_attachment.table_name / current.sys_attachment.table_sys_id).
    if (current.getValue('table_name') != 'sc_req_item') {
        return true;
    }

    // Load the parent RITM; fail closed if it no longer exists.
    var ritm = new GlideRecord('sc_req_item');
    if (!ritm.get(current.getValue('table_sys_id'))) {
        return false;
    }

    var userId = gs.getUserID();

    // 1. Opened for (compare sys_id strings, not GlideElement objects)
    if (ritm.getValue('opened_for') == userId) {
        return true;
    }

    // 2. Assignment group member. A GlideElement object is always truthy,
    //    so test for an empty reference with nil() rather than the bare field.
    if (!ritm.assignment_group.nil()) {
        var grp = new GlideRecord('sys_user_grmember');
        grp.addQuery('group', ritm.getValue('assignment_group'));
        grp.addQuery('user', userId);
        grp.setLimit(1);
        grp.query();
        if (grp.hasNext()) {
            return true;
        }
    }

    // 3. Admin
    if (gs.hasRole('admin')) {
        return true;
    }

    return false;

})(current, previous);
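The RITM-scoped read policy described in the two replies above (a scripted ACL on sys_attachment that reads fields from the parent sc_req_item, applied to both sys_attachment and sys_attachment_doc), as an added example that is not code from the thread or from ServiceNow. It factors the decision into a pure function over plain objects so the rules can be run and regression-tested outside an instance, and it shows the one place where the two tables differ: a sys_attachment_doc row has to be resolved through its sys_attachment reference before table_name and table_sys_id can be checked. All users, groups, sys_ids and records below are constructed sample data; isGroupMember and hasRole stand in for the sys_user_grmember query and gs.hasRole.

```javascript
// Added example, not code from the thread: the RITM attachment read policy
// as a pure decision function. Everything in `db` is constructed sample data.

// Constructed in-memory stand-in for the tables the ACLs touch.
const db = {
  // RITMs: opened_for is the requester, assignment_group the fulfilment group.
  sc_req_item: {
    ritm1: { opened_for: 'alice', assignment_group: 'grp_sd' },
    ritm2: { opened_for: 'bob', assignment_group: '' },
  },
  // Attachment headers: table_name/table_sys_id point at the parent record.
  sys_attachment: {
    att1: { table_name: 'sc_req_item', table_sys_id: 'ritm1' },
    att2: { table_name: 'sc_req_item', table_sys_id: 'ritm2' },
    att3: { table_name: 'incident', table_sys_id: 'inc1' },
    att4: { table_name: 'sc_req_item', table_sys_id: 'ritm_gone' }, // parent deleted
  },
  // File content chunks: each row only references its sys_attachment header.
  sys_attachment_doc: {
    doc1: { sys_attachment: 'att1', position: 0 },
    doc2: { sys_attachment: 'att2', position: 0 },
    doc3: { sys_attachment: 'att_gone', position: 0 }, // dangling reference
  },
  sys_user_grmember: [{ group: 'grp_sd', user: 'carol' }],
  roles: { dana: ['admin'], carol: ['itil'] },
};

// Stand-in for the sys_user_grmember query in the ACL script.
function isGroupMember(group, user) {
  return db.sys_user_grmember.some((m) => m.group === group && m.user === user);
}

// Stand-in for gs.hasRole(role) evaluated for the given user.
function hasRole(user, role) {
  return (db.roles[user] || []).includes(role);
}

// Resolve the attachment header for a row of either table. A
// sys_attachment_doc row has no table_name/table_sys_id of its own, so they
// are read through its sys_attachment reference (current.sys_attachment.table_name
// in a real ACL); the two tables cannot share the script verbatim.
function attachmentHeader(table, sysId) {
  if (table === 'sys_attachment') {
    return db.sys_attachment[sysId] || null;
  }
  if (table === 'sys_attachment_doc') {
    const doc = db.sys_attachment_doc[sysId];
    return doc ? db.sys_attachment[doc.sys_attachment] || null : null;
  }
  return null;
}

// The read decision, returning true/false like the ACL script. Non-RITM
// attachments pass here (other read ACLs still apply); RITM attachments are
// readable by admins, the opened_for user, or members of the assignment
// group; anything that cannot be resolved fails closed.
function canReadAttachment(user, table, sysId) {
  const att = attachmentHeader(table, sysId);
  if (!att) return false; // dangling doc reference or unknown row
  if (att.table_name !== 'sc_req_item') return true;
  if (hasRole(user, 'admin')) return true; // cheapest check first, no lookup
  const ritm = db.sc_req_item[att.table_sys_id];
  if (!ritm) return false; // orphaned attachment: parent RITM is gone
  if (ritm.opened_for === user) return true;
  if (ritm.assignment_group && isGroupMember(ritm.assignment_group, user)) return true;
  return false;
}

// Evaluate every (user, row) pair; the resulting matrix is a useful
// regression artefact whenever the policy is changed later.
function accessMatrix() {
  const users = ['alice', 'bob', 'carol', 'dana', 'eve'];
  const rows = [
    ...Object.keys(db.sys_attachment).map((id) => ['sys_attachment', id]),
    ...Object.keys(db.sys_attachment_doc).map((id) => ['sys_attachment_doc', id]),
  ];
  const out = {};
  for (const u of users) {
    out[u] = {};
    for (const [t, id] of rows) out[u][`${t}/${id}`] = canReadAttachment(u, t, id);
  }
  return out;
}

console.table(accessMatrix());
```

Two choices in the function are worth carrying back to the instance script: the admin check runs before the RITM lookup so the common case costs no query, and every unresolvable path (missing parent, dangling sys_attachment_doc reference) returns false rather than falling through to an allow.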
