Images not visible to non-licensed users within KB

Go to solution
seanlafontaine
Giga Contributor

‎04-11-2017 06:22 AM

Current Version: Istanbul

Issue: Non-licensed users not able to view images in KBs

After the upgrade to Istanbul we found that non-licensed users are unable to view images in KBs. When I impersonate a user with a license the user is able to view all images. When I impersonate a non-licensed user the user will ether be able to see some images or none. This is happening in both the Portal and non-portal view.  

1. Has anyone came across this issue in the Istanbul release?

2. Has anyone found anything in the Istanbul release notes concerning this issue?

Thanks,

Sean C. Lafontaine

Labels:
0 Helpfuls
  • 1,682 Views
1 ACCEPTED SOLUTION

Go to solution
seanlafontaine
Giga Contributor

‎05-10-2017 05:39 AM

We found that an ACL to allow all users to view sys_attachment needed to be created. Here is a screen shot of the ACL


Attachment ACL.JPG


View solution in original post

Preview file
93 KB
0 Helpfuls
3 REPLIES 3

Go to solution
Chuck Tomasi
Tera Patron

‎04-11-2017 06:25 AM

Hi Sean,



I haven't heard of this Istanbul issue before. That doesn't mean it doesn't exist, only that I've not heard of it. If it is a known PRB, customer support will know about it. Before calling them, I would start by checking the ACLs on the sys_attachment table. It sounds like someone may have created a read rule there since images are stored as attachments. Take a look there.



Docs: Access control rules


Docs: Contextual security  


Security Best Practices - ServiceNow Wiki


0 Helpfuls

Go to solution
seanlafontaine
Giga Contributor
In response to Chuck Tomasi

‎04-11-2017 08:29 AM

Here is what I found:



When the attachment is attached via a KB Feedback the attachment doesn't get associated to the parent KB sys_id. In the ACL it states that if the attachment doesn't associate with the parent sys_id then the creator is the only user that can see the attachment. Since the end user didn't edit the KB Feedback then the end user will not be able to view the image.



This is and isn't an ACL issue. Also, the KB Feedback is custom to the instance. I am working with an engineer to develop a way to associate the KB Feedback attachment to the Parent sys_id.



Thanks for your assistance


Sean C. Lafontaine.


0 Helpfuls

Go to solution
seanlafontaine
Giga Contributor

‎05-10-2017 05:39 AM

We found that an ACL to allow all users to view sys_attachment needed to be created. Here is a screen shot of the ACL


Attachment ACL.JPG


Preview file
93 KB
0 Helpfuls