Access controls of attachments

ShumaS
Tera Contributor

Can access permissions for attachments in a Request Item be controlled from within the Request Item itself?

I don't want to change the ACLs of sys_attachment, because sys_attachment is a fundamental table used by all applications.

Do you have any excellent ideas?

1 ACCEPTED SOLUTION

Ankur Bawiskar
Tera Patron

@ShumaS 

Not possible without creating/updating an ACL on sys_attachment, as that's the place where files are stored for records.

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  10x ServiceNow MVP  ||  ServiceNow Community Leader


4 REPLIES

Tanushree Maiti
Giga Patron

Hi @ShumaS 

Since attachments in ServiceNow are saved in the sys_attachment table, they follow the security rules of their parent record.

To manage access at the RITM level, you can implement script-based ACLs on the sys_attachment table that reference fields from the parent sc_req_item record.

Please mark this response as Helpful and accept it as a solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect

pr8172510
Tera Guru

Hi @ShumaS ,

Yes, this requirement is achievable without modifying OOTB ACLs globally on sys_attachment.

I implemented a solution by controlling access at the record level using ACLs on both:

  • sys_attachment
  • sys_attachment_doc (important for actual file content)

  • Created Read ACLs with “Deny Unless” on both tables
  • Restricted access only when the attachment belongs to sc_req_item (RITM)
  • Allowed access based on:
    • User is Requested For (Opened For)
    • User is part of the Assignment Group
    • User has admin role

// Scripted read ACL on sys_attachment. The ACL result is the value assigned
// to answer (true = this "Deny Unless" rule is satisfied).
// getValue() is used so that plain strings are compared rather than
// GlideElement objects. On sys_attachment_doc there is no table_name field;
// that rule must first resolve current.sys_attachment (a reference to
// sys_attachment) and then apply the same checks to the referenced row.
answer = (function (current) {

    // Allow non-RITM attachments: this rule only restricts RITM attachments
    if (current.getValue('table_name') != 'sc_req_item') {
        return true;
    }

    var ritm = new GlideRecord('sc_req_item');
    if (!ritm.get(current.getValue('table_sys_id'))) {
        return false; // parent RITM no longer exists: deny
    }

    var userId = gs.getUserID();

    // 1. Opened for
    if (ritm.getValue('opened_for') == userId) {
        return true;
    }

    // 2. Assignment group member
    var groupId = ritm.getValue('assignment_group');
    if (groupId) {
        var grp = new GlideRecord('sys_user_grmember');
        grp.addQuery('group', groupId);
        grp.addQuery('user', userId);
        grp.setLimit(1);
        grp.query();
        if (grp.hasNext()) {
            return true;
        }
    }

    // 3. Admin
    if (gs.hasRole('admin')) {
        return true;
    }

    return false;

})(current);
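
The decision logic the two replies above describe (a scripted read ACL on sys_attachment that looks up the parent sc_req_item, plus the matching rule on sys_attachment_doc, which has to go through its sys_attachment reference first) as an added, Node-runnable example. This is not code from the thread or from ServiceNow: GlideRecord and gs are replaced by a constructed in-memory stand-in for the four tables, so the table and field names are the real ones but every sys_id, user and group below is made up.

```javascript
'use strict';

// Constructed sample data standing in for the ServiceNow tables.
// sys_attachment.table_name / table_sys_id point at the parent record;
// sys_attachment_doc.sys_attachment references the sys_attachment row.
const db = {
  sc_req_item: {
    ritm1: { opened_for: 'alice', assignment_group: 'grpFulfil' },
    ritm2: { opened_for: 'carol', assignment_group: '' },          // no group set
  },
  sys_attachment: {
    att1: { table_name: 'sc_req_item', table_sys_id: 'ritm1' },
    att2: { table_name: 'sc_req_item', table_sys_id: 'ritm2' },
    att3: { table_name: 'sc_req_item', table_sys_id: 'ritmGone' }, // parent deleted
    att4: { table_name: 'incident',    table_sys_id: 'inc1' },     // not a RITM
  },
  sys_attachment_doc: {
    doc1: { sys_attachment: 'att1', position: 0 },
    doc2: { sys_attachment: 'att3', position: 0 },
  },
  sys_user_grmember: [
    { group: 'grpFulfil', user: 'bob' },
  ],
};

// Constructed users; only "admin" carries the admin role.
const users = {
  alice: { roles: [] },
  bob:   { roles: ['itil'] },
  carol: { roles: [] },
  dave:  { roles: [] },
  admin: { roles: ['admin'] },
};

// Stand-in for the sys_user_grmember query in the posted script.
function isMemberOf(userId, groupId) {
  if (!groupId) return false;                       // empty reference: no group
  return db.sys_user_grmember.some(m => m.group === groupId && m.user === userId);
}

function hasRole(userId, role) {
  const u = users[userId];
  return !!u && u.roles.includes(role);
}

// Decision for one sys_attachment row, in the same order as the posted
// script: non-RITM rows pass through, a dangling parent is denied, then
// opened_for, assignment group membership and admin grant access.
function canReadAttachment(att, userId) {
  if (!att) return false;
  if (att.table_name !== 'sc_req_item') return true; // not this rule's concern
  const ritm = db.sc_req_item[att.table_sys_id];
  if (!ritm) return false;                           // parent RITM missing: deny
  if (ritm.opened_for === userId) return true;
  if (isMemberOf(userId, ritm.assignment_group)) return true;
  return hasRole(userId, 'admin');
}

// sys_attachment_doc has no table_name of its own: dereference the
// sys_attachment reference and reuse the same decision, so the two rules
// cannot drift apart.
function canReadAttachmentDoc(doc, userId) {
  if (!doc) return false;
  return canReadAttachment(db.sys_attachment[doc.sys_attachment], userId);
}

// Lookup wrappers keyed by sys_id, mirroring "current" in a scripted ACL.
function readAttachment(attId, userId) {
  return canReadAttachment(db.sys_attachment[attId], userId);
}
function readAttachmentDoc(docId, userId) {
  return canReadAttachmentDoc(db.sys_attachment_doc[docId], userId);
}

// Walk every user over every row and report the resulting access matrix.
function accessMatrix() {
  const rows = [];
  for (const user of Object.keys(users)) {
    for (const attId of Object.keys(db.sys_attachment)) {
      rows.push(`${user} sys_attachment/${attId}: ${readAttachment(attId, user)}`);
    }
    for (const docId of Object.keys(db.sys_attachment_doc)) {
      rows.push(`${user} sys_attachment_doc/${docId}: ${readAttachmentDoc(docId, user)}`);
    }
  }
  return rows;
}

console.log(accessMatrix().join('\n'));
```

Two points the matrix makes visible: the doc-table rule delegates to the attachment rule, so a file body can never be readable when its sys_attachment row is not; and an attachment whose parent RITM no longer resolves is denied to everyone, including admin, because the orphan check comes before the role check, exactly as in the posted script. Returning true for non-RITM rows only means this "Deny Unless" rule does not object; the instance's ordinary allow rules still decide those rows.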
