When "Explicit Roles" plugin is activated standalone, sys_attachment records related to records snc_external users can read are not available

mandle
Mega Guru

 

Environment Details:

  1. "Explicit Roles" plugin is activated by ServiceNow standalone from Customer Service Management
  2. User has been granted snc_external role.
  3. kb_knowledge record is in a kb_knowledge_base where User Criteria "Can Read" is set to allow users with snc_external to read articles in that Knowledge Base.
  4. kb_knowledge record has 1 or more attachments.

Issue:

Attachments cannot be downloaded for these snc_external users.

What are the SAFE AND SECURE adjustments that need to be made to sys_attachment Access Controls?

Note: This instance does have Kingston HRSD but not Kingston CSM in use.

 

READ ACLS on sys_attachment that fail

One of them is for attachments to sc_cart so that's not an issue.
This one does seem to be the issue: https://somekingstoninstance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=0bcf23740a6a38d400c7e02590038464

 


1 ACCEPTED SOLUTION

Sarup,

Good news. HI determined there was no risk to add the "snc_external" role to this sys_attachment ACL:
https://someinstance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=0bcf23740a6a38d400c7e0...

Once we added "snc_external" to the ACL, users with the snc_external role are able to download or view attachments to records they are allowed to read.

Thanks for your help!
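
A simplified model of the change described in the accepted solution, added here as an example; it is not ServiceNow platform code and not the poster's code. It assumes the ACL listed only snc_internal before the change and that its script defers to read access on the parent record; all names and sample records are constructed.

```javascript
// Simplified model of ACL evaluation (constructed; not ServiceNow platform code).
// Assumption: a user passes an ACL only if they hold one of its roles AND its script returns true.
// Assumption: the sys_attachment read ACL's script defers to read access on the parent record.

// Constructed sample data: knowledge bases with "Can Read" user criteria expressed as roles.
const knowledgeBases = {
  candidates_kb: { canReadRoles: ['snc_external'] },
  internal_hr_kb: { canReadRoles: ['snc_internal'] },
};
const articles = {
  KB0001: { kb: 'candidates_kb' },
  KB0002: { kb: 'internal_hr_kb' },
};
const attachments = {
  att1: { table_name: 'kb_knowledge', table_sys_id: 'KB0001' },
  att2: { table_name: 'kb_knowledge', table_sys_id: 'KB0002' },
};

const hasAnyRole = (user, roles) => roles.some((r) => user.roles.includes(r));

// Parent check: user criteria on the article's knowledge base.
function canReadArticle(user, articleId) {
  const article = articles[articleId];
  return Boolean(article) && hasAnyRole(user, knowledgeBases[article.kb].canReadRoles);
}

// Build the attachment read ACL with a given role list (hypothetical helper).
function attachmentReadAcl(roles) {
  return {
    roles,
    script: (user, att) =>
      att.table_name === 'kb_knowledge' && canReadArticle(user, att.table_sys_id),
  };
}

// Role requirement and script must both pass; unknown attachments are denied.
function canDownload(user, attachmentId, acl) {
  const att = attachments[attachmentId];
  if (!att) return false;
  return hasAnyRole(user, acl.roles) && acl.script(user, att);
}

const externalUser = { name: 'candidate.shared', roles: ['snc_external'] };
const before = attachmentReadAcl(['snc_internal']);
const after = attachmentReadAcl(['snc_internal', 'snc_external']);

console.log('before, readable article:', canDownload(externalUser, 'att1', before));
console.log('after, readable article:', canDownload(externalUser, 'att1', after));
console.log('after, internal-only article:', canDownload(externalUser, 'att2', after));
```

In this model the added role only removes the role gate; the attachment on the internal-only article stays blocked because the parent-record check still fails.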


5 REPLIES

Sarup Paul
ServiceNow Employee

What is the use case for enabling explicit roles plugin in the HR (or any internal facing application) use case?

mandle
Mega Guru

Hello Sarup! Thanks for replying 🙂

The solution (using Explicit Roles plugin) was recommended to the client by ServiceNow.

The client has a requirement that a few Service Portals be created that are for "Company Candidates" and "Company Alumni". These are purely informational Portals that mirror content sites they currently have running on Salesforce. They don't have access to catalogs or any advanced functionality in a traditional Service Management portal.

These Portals are available via local login using shared user accounts vs. using OKTA which is used by all active employees for their 4 internal (HR, IT, Finance, Learning Management).
The people accessing these Portals are either prospective or former employees.

So far, having the ability to control access to content, Pages, Widgets, etc. using the snc_internal and snc_external roles has been a bonus. The last bit is the sys_attachment issue.

Sarup Paul
ServiceNow Employee

Thanks for the quick and detailed response. I would suggest that you file a HI Incident and mention me in it. We will have our Dev team investigate. Please mention the release and patch details. 

mandle
Mega Guru

Copy that Sarup! Thank you.