‎08-04-2022 04:32 AM
Hi,
We're currently experiencing a strange problem with ACLs, or at least something that I've never seen before. Non-admin users are unable to see emails that are attached to a Universal Request. If they use the built-in email client, they also can't see their own attachments after attaching them.
They can see the emails in the activity stream, but nothing happens if they click on "Show email details". They also can't see the email in the sys_email table.
When I enabled security rule debugging, I could see that the ACL would get triggered, but just denied access without evaluating either the role, condition or script defined in the ACL record. I even went so far as to remove all scripts and conditions from the sys_email read ACL, apart from "snc_internal" as role, but it changed nothing:
As you can see, nothing was evaluated, and yet the ACL returns false. The strangest thing is that it works fine on, for example, cases or incident records:
As you can see, the ACL gets evaluated just fine on a case record, but not on universal request, which I don't understand, since the ACL is defined for the sys_email table - shouldn't it be independent of the objects accessing it?
I'd be grateful for any help further debugging this or solutions,
Max
‎08-11-2022 12:38 PM
For anyone that's also having this issue: I contacted SN support and they were able to provide a solution. The reason why this isn't working is, strangely enough, that the read ACL on sys_email lives in the global application scope, and apparently, therefore is not usable by Universal Request.
The support agent duplicated the sys_email table level read ACL into the Universal Request application scope, and afterwards, it worked perfectly.
I have no idea why this is the case; I was under the impression that ACLs, especially if they reside in global, could be used by all other application scopes. I don't see a sys_email read ACL for the Customer Service Management scope, for example, and yet, agents are able to see email records attached to cases.
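
To check which application scopes hold an active table-level ACL before and after applying the fix described in the post above, a server-side script along these lines can be used. This is an added example, not part of the original post and not ServiceNow's own code; the function name `aclScopeReport` and the scope display names `Global` and `Universal Request` are assumptions and should be matched to what the instance shows.

```javascript
// Added example: ServiceNow server-side script, written in ES5 so it can be
// pasted into Scripts - Background. The GlideRecord constructor is passed in
// as GR so the function can also be exercised outside an instance.
// On an instance (scope display name is an assumption):
//   aclScopeReport(GlideRecord, 'sys_email', 'read', 'Universal Request')
function aclScopeReport(GR, table, operation, scopeName) {
    var acl = new GR('sys_security_acl');
    acl.addQuery('name', table);               // table-level rule only, not table.field
    acl.addQuery('operation.name', operation); // operation is a reference field
    acl.addQuery('active', true);              // inactive rules never grant access
    acl.query();

    var report = { acls: [], scopes: [], presentInScope: false };
    while (acl.next()) {
        var scope = acl.getDisplayValue('sys_scope');
        report.acls.push({
            sys_id: acl.getValue('sys_id'),
            scope: scope,
            // true when the rule carries a script (Advanced checkbox set)
            advanced: acl.getValue('advanced') === '1'
        });
        if (report.scopes.indexOf(scope) === -1) {
            report.scopes.push(scope);
        }
        if (scope === scopeName) {
            report.presentInScope = true;
        }
    }
    return report;
}
```

If `presentInScope` is false while `scopes` lists only the global scope, the instance is in the state described in the post before support duplicated the ACL.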

‎08-04-2022 06:34 AM
Hi,
This appears to be a known issue and is planned for a Tokyo fix.
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1005246
While the link above also mentions they can't see it in the activity stream, I would assume it is still related overall.
Please mark reply as Helpful/Correct, if applicable. Thanks!