Unable to hide added attachment on the ticket for the users who do not have read access to the ticket
4 weeks ago
Hello Team,
My requirement is that I need to give read-only access on one table (for example test_xyz) to the opened by user and to members of a group (abc group) when I choose one CI and a defined location, so the rest of the users shouldn't have access to view anything on the ticket. But what is happening is that if any attachment is added to that ticket, it is showing to users who don't have any access to it.
What I did: I created 2 read ACLs, one on table.none and another one on table.*, with an applies-to condition like CI is this and location is this, following the below script:
// Read ACL script on test_xyz (table.none and table.*): grant read to the user
// the ticket was opened for, or to members of "abc group"; everyone else is denied
answer = false;
if (gs.getUserID() == current.opened_for.toString()) {
    // compare the reference field's sys_id as a string, not the GlideElement object
    answer = true;
} else if (gs.getUser().isMemberOf('abc group')) {
    answer = true;
}
But what is happening is that users who are not part of this group, or the opened by user, can also see attachments added to the ticket and can add attachments, which is not the right thing. How can I achieve this requirement by following best practice?
Also, this user without access can attach documents; please assist to fix it by best practice.
Thanks,
XXX
4 weeks ago
Hi @Priya Singh 2 2,
Attachments are stored in the sys_attachment table, which is separate from your custom test_xyz ticket table, so ACLs applied to your ticket table don't automatically apply to attachments. By default, OOB read ACLs on sys_attachment allow access broadly, meaning even users without access to the ticket record may still see attachments. Simply controlling access on the parent table isn't enough; you must explicitly control access at the attachment level.
1. A common workaround is to create a custom Boolean field (something like u_private) on sys_attachment and use it to flag attachments that should be hidden from non-authorized users.
2. You can enforce more granular control using a Deny Unless ACL that restricts attachment visibility based on ownership or group membership.
If you found my response helpful, please mark it as ‘Accept as Solution’ and ‘Helpful’. This helps other community members find the right answer more easily and supports the community.
Kaushal Kumar Jha - ServiceNow Consultant - Let's connect on LinkedIn: https://www.linkedin.com/in/kaushalkrjha/
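The following is an added example, not code from the question or the answer above, showing how the attachment-level control the answer describes (option 2, a Deny Unless ACL on sys_attachment) can reuse the ticket rule from the question so the two never drift apart. It is written as plain functions that take `current`, `gs` and `GlideRecord` as parameters, with a constructed in-memory stand-in for the instance, so it runs under Node; in a real instance the same function body would be the script of a Deny Unless ACL on sys_attachment, with those names available as globals. The table name test_xyz, the field opened_by, the group name "abc group" and all sample records are assumptions or constructed data.

```javascript
// Added example (not from the original thread). Attachment access is decided
// by resolving the parent ticket and asking it canRead()/canWrite(), which is
// what a Deny Unless ACL script on sys_attachment would do with the real
// GlideRecord and gs globals. Names and data below are assumptions.

// Ticket-level rule: mirrors the question's table ACL (opened_by user or a
// member of "abc group"). Kept as a function so the attachment rule can reuse it.
function ticketReadRule(ticket, gs) {
  if (ticket.getValue('opened_by') === gs.getUserID()) {
    return true;
  }
  return gs.getUser().isMemberOf('abc group');
}

// Attachment-level rule for a Deny Unless ACL on sys_attachment. The same
// function serves read (viewing) and write/create (adding files).
// A Deny Unless ACL that returns true grants nothing on its own, so returning
// true for other tables leaves their existing attachment ACLs in charge, while
// returning false for a test_xyz attachment denies it whatever else allows it.
function attachmentAccessRule(current, gs, GlideRecord, operation) {
  if (current.getValue('table_name') !== 'test_xyz') {
    return true; // not our ticket table: defer to the existing attachment ACLs
  }
  var parent = new GlideRecord('test_xyz');
  if (!parent.get(current.getValue('table_sys_id'))) {
    return false; // orphaned attachment: nobody should see or change it
  }
  // Reuse the ticket's own ACL evaluation instead of re-implementing it here
  return operation === 'read' ? parent.canRead() : parent.canWrite();
}

// ---- constructed mock of the instance so this file runs offline ----
var MOCK_TABLES = {
  test_xyz: {
    t1: { opened_by: 'user_a', u_ci: 'ci_1', u_location: 'loc_1' }
  },
  sys_attachment: {
    a1: { table_name: 'test_xyz', table_sys_id: 't1', file_name: 'diagram.png' },
    a2: { table_name: 'incident', table_sys_id: 'i9', file_name: 'other.txt' },
    a3: { table_name: 'test_xyz', table_sys_id: 'missing', file_name: 'orphan.txt' }
  }
};
var MOCK_GROUPS = { 'abc group': ['user_c'] };

function mockInstance(userId) {
  var gs = {
    getUserID: function () { return userId; },
    getUser: function () {
      return {
        isMemberOf: function (g) { return (MOCK_GROUPS[g] || []).indexOf(userId) !== -1; }
      };
    }
  };
  function GlideRecord(table) { this.table = table; this.row = null; }
  GlideRecord.prototype.get = function (sysId) {
    this.row = (MOCK_TABLES[this.table] || {})[sysId] || null;
    return this.row !== null;
  };
  GlideRecord.prototype.getValue = function (field) {
    return this.row && this.row[field] !== undefined ? String(this.row[field]) : '';
  };
  // The mock evaluates the ticket rule the way the platform would for canRead();
  // write is treated the same as read here to keep the mock small.
  GlideRecord.prototype.canRead = function () { return ticketReadRule(this, gs); };
  GlideRecord.prototype.canWrite = GlideRecord.prototype.canRead;
  return { gs: gs, GlideRecord: GlideRecord };
}

// Evaluate the attachment rule for a given user, attachment and operation.
function canUserAccessAttachment(userId, attachmentSysId, operation) {
  var inst = mockInstance(userId);
  var current = new inst.GlideRecord('sys_attachment');
  if (!current.get(attachmentSysId)) {
    return false;
  }
  return attachmentAccessRule(current, inst.gs, inst.GlideRecord, operation || 'read');
}

console.log('user_a reads a1:', canUserAccessAttachment('user_a', 'a1', 'read'));   // true (opened_by)
console.log('user_c reads a1:', canUserAccessAttachment('user_c', 'a1', 'read'));   // true (group member)
console.log('user_b reads a1:', canUserAccessAttachment('user_b', 'a1', 'read'));   // false
console.log('user_b writes a1:', canUserAccessAttachment('user_b', 'a1', 'write')); // false
```

Scoping the rule to `table_name === 'test_xyz'` matters because an ACL on sys_attachment is evaluated for attachments of every table; a Deny Unless ACL that returns true for the others neither loosens nor tightens them, which is why that type is the safer place for this check than a plain allow ACL.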