"Insufficient rights to read the email body" error while trying to open email on the incident ticket

RJ · ‎10-09-2020

Hi Team,

Oct 3rd, we have upgraded to Paris Version.

We are receiving issues related to Emails cannot be opened in Incident tickets or RITMs.

Users are receiving an error as "Insufficient rights to read the email body" when they were trying to click on "Show email details" under Activities section. All users were reporting that they were receiving this error post upgrade. Before upgrade, everyone were able to open them. So, could some one guide us what to do or where did it went wrong.
Users with Admin role were able to see the emails in the ticket only.

Regards,

Ramya Jayanthi

Kieran Anson · ‎10-09-2020

Hi RJ,

ensure that there is a read ACL on the sys_email table. The script should look like:

answer = canRead(current);

function canRead(emailGr) {
	function execute() {
		if (!emailGr || !emailGr.isValidRecord())
			return false;

		var type = emailGr.getValue("type");

		if (type !== "received" && type !== "received-ignored") {
			var notificationId = getNotificationIdFromHeaders() || getNotificationIdFromLog();
			if (notificationId) {
				var emailAccessRestriction = getAccessRestrictionByNotification(notificationId);
				if (emailAccessRestriction)
					return processEmailAccessRestriction(emailAccessRestriction);
			}
		}

		return canReadTargetRecord();
	}

	function processEmailAccessRestriction (emailAccessRestriction) {
		var conditions = emailAccessRestriction.getValue("conditions");
		if (!conditions)
			return false;

		var targetRecord = getTargetRecord();
		if (!targetRecord)
			return false;

		return GlideFilter.checkRecord(targetRecord, conditions);
	}

	function canReadTargetRecord() {
		if (emailGr.target_table.nil() || emailGr.target_table == "sys_email") {
			if (gs.getProperty("glide.email.email_with_no_target_visible_to_all") == "true")
				return true;
			return gs.getUserID() == emailGr.user_id;
		}

		var targetRecord = getTargetRecord();

		return (targetRecord !== null && targetRecord.canRead());
		//Check the table is valid........the record can be seen(see below) ....and can be read by the current user
		//The can be seen check is to make sure that the record is not hidden by a before query rule or by company/domain separation.
	}

	function getNotificationIdFromLog() {
		var sysEmailLog = new GlideRecord('sys_email_log');
		sysEmailLog.get("email", emailGr.getUniqueValue());

		return sysEmailLog.getValue("notification");
	}

	function getNotificationIdFromHeaders() {
		var REGEX_SRC_HDR_INDEX = 1;
		var REGEX_EXPECTED_RESULT_SIZE = 2;

		var eventIdExtractor = /X-ServiceNow-Source:\s*Notification-(\w+)/;
		var regExResult = eventIdExtractor.exec(emailGr.headers);

		return (regExResult !== null && regExResult.length === REGEX_EXPECTED_RESULT_SIZE) ?
			regExResult[REGEX_SRC_HDR_INDEX] : null;
	}

	function getAccessRestrictionByNotification(notificationId) {
		var emailAccessRestriction = new GlideRecord("email_access_restriction");

		return emailAccessRestriction.get("notification", notificationId) ? emailAccessRestriction : null;
	}

	function getTargetRecord() {
		if (emailGr.target_table.nil())
			return null;

		var targetRecord = new GlideRecord(emailGr.target_table);
		return (targetRecord.get(emailGr.instance) && targetRecord.isValidRecord()) ? targetRecord : null;
	}

	return execute();
}

RJ · ‎10-09-2020

Hello Sir,

I have checked the ACL on sys_email table for Read. There is a Script like you mentioned. Are there any other places do we need to check.

Kieran Anson · ‎10-09-2020

You'll need to use ACL debugging. Looking at the error "insufficients rights to read the email" it looks like this might be a customisation as the pluralisation of "insufficents" isn't correct grammar.

Matt Hernandez · ‎10-26-2020

I have the same problem, and I have this ACL but it has Admin role on it. Is there supposed to be a version thats not restricted to Admin?