Issue with Query / Read ACL, users can query on a field even without reading access to the value
04-28-2025 03:47 AM - edited 04-28-2025 04:07 AM
Hi all,
I have an issue very similar to what is described here: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1705620
That should have been resolved by the Query ACLs:
My requirement is very similar to the HR SSN example in the documentation:
"Example: HR query control
I can see all hr_profiles, but can only see SSN for myself. I have no business querying SSN, and query ACLs should prevent me from running queries against SSN of other hr profiles to try to extract SSN mappings."
I made a Read ACL on a field that has two conditions:
1) A role
2) The company field value of the record must be equal to the company of the user
When a user queries on a field, they can still see the records with value=true, even if they can't read that field on that record because it is not a record of their company. I can't completely block access to the record because, similar to the HR example above, users need to be able to see the whole table (see screenshot attached). This is a serious security problem.
By default, the Query ACL on *.* should check if the user "has right to read". But I even tried to create a query_match and query_range ACL specific for that field.
The version of the instance is Washington DC patch10 hotfix2. The table is a custom table that doesn't extend any SNow table, so there are no ACLs inherited besides the *.* ones.
Is there something I can do? System properties I can check? Any alternative solutions?
Luca