When "Explicit Roles" plugin is activated standalone, sys_attachment records related to records snc_external users can read are not available

mandle
Mega Guru

 

Environment Details:

  1. "Explicit Roles" plugin is activated by ServiceNow standalone from Customer Service Management
  2. User has been granted snc_external role.
  3. kb_knowledge record is in a kb_knowledge_base where User Criteria "Can Read" is set to allow users with snc_external to read articles in that Knowledge Base.
  4. kb_knowledge record has 1 or more attachments.

Issue:

Attachments cannot be downloaded for these snc_external users.

What are the SAFE AND SECURE adjustments that need to be made to sys_attachment Access Controls?

Note: This instance does have Kingston HRSD but not Kingston CSM in use.

 

READ ACLS on sys_attachment that fail

One of them is for attachments to sc_cart so that's not an issue.
This one does seem to be the issue: https://somekingstoninstance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=0bcf23740a6a38d400c7e02590038464

 


1 ACCEPTED SOLUTION

Sarup,

Good news. HI determined there was no risk to add the "snc_external" role to this sys_attachment ACL:
https://someinstance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=0bcf23740a6a38d400c7e0...

Once we added "snc_external" to the ACL, users with the snc_external role are able to download or view attachments to records they are allowed to read.

Thanks for your help!
