The Zurich release has arrived! Interested in new features and functionalities? Click here for more

Email Access Restriction not working - still visible

Jens Mogensen
Kilo Guru

‎05-22-2024 07:27 AM

This seems like such a straigtforward function but I cannot find any reason why this isn't working.

 

I have a notification which is triggered by an event which is triggered by a Run Script in my workflow. The event works/the mail is sent. I then made this Email Access Restriction:

Screenshot 2024-05-22 at 16.22.50.png

In other words, the Notification should be visible in the activity log when the ticket is open and invisible when the ticket is closed. But the notification is still visible on the ticket when we close it. Why?

 

Any tips would be much appreciated.

0 Helpfuls
  • 832 Views
6 REPLIES 6

James Chun
Kilo Patron

‎05-22-2024 01:54 PM

Hi @Jens Mogensen,

 

Can you try simplifying the condition? For example, change it to active = true.

Also, make sure the OOB read ACL on the email [sys_email] table is not customized - {your instance}/nav_to.do?uri=sys_security_acl.do?sys_id=8de12cdfc0a8016701fdf6b2bdb041cb

 

Cheers

Jens Mogensen
Kilo Guru
In response to James Chun

‎05-23-2024 08:06 AM

I tried setting the condition to just be active = true but no change.

I don't believe I've ever edited that ACL. It currently looks like this in the script. Reading scripts is not my strong suit but it doesn't look like there is anything bespoke that should prevent an Email Access Restriction from working:

 

answer = canRead(current);

function canRead(emailGr) {
function execute() {
if (!emailGr || !emailGr.isValidRecord())
return false;

var type = emailGr.getValue("type");

if (type !== "received" && type !== "received-ignored") {
var notificationId = getNotificationIdFromHeaders() || getNotificationIdFromLog();
if (notificationId) {
var emailAccessRestriction = getAccessRestrictionByNotification(notificationId);
if (emailAccessRestriction)
return processEmailAccessRestriction(emailAccessRestriction);
}
}

return canReadTargetRecord();
}

function processEmailAccessRestriction (emailAccessRestriction) {
var conditions = emailAccessRestriction.getValue("conditions");
if (!conditions)
return false;

var targetRecord = getTargetRecord();
if (!targetRecord)
return false;

return GlideFilter.checkRecord(targetRecord, conditions);
}

function canReadTargetRecord() {
if (emailGr.target_table.nil() || emailGr.target_table == "sys_email") {
if (gs.getProperty("glide.email.email_with_no_target_visible_to_all") == "true")
return true;
return gs.getUserID() == emailGr.user_id;
}

var targetRecord = getTargetRecord();

return (targetRecord !== null && targetRecord.canRead());
//Check the table is valid........the record can be seen(see below) ....and can be read by the current user
//The can be seen check is to make sure that the record is not hidden by a before query rule or by company/domain separation.
}

function getNotificationIdFromLog() {
var sysEmailLog = new GlideRecord('sys_email_log');
sysEmailLog.get("email", emailGr.getUniqueValue());

return sysEmailLog.getValue("notification");
}

function getNotificationIdFromHeaders() {
var REGEX_SRC_HDR_INDEX = 1;
var REGEX_EXPECTED_RESULT_SIZE = 2;

var eventIdExtractor = /X-ServiceNow-Source:\s*Notification-(\w+)/;
var regExResult = eventIdExtractor.exec(emailGr.headers);

return (regExResult !== null && regExResult.length === REGEX_EXPECTED_RESULT_SIZE) ?
regExResult[REGEX_SRC_HDR_INDEX] : null;
}

function getAccessRestrictionByNotification(notificationId) {
var emailAccessRestriction = new GlideRecord("email_access_restriction");

return emailAccessRestriction.get("notification", notificationId) ? emailAccessRestriction : null;
}

function getTargetRecord() {
if (emailGr.target_table.nil())
return null;

var targetRecord = new GlideRecord(emailGr.target_table);
return (targetRecord.get(emailGr.instance) && targetRecord.isValidRecord()) ? targetRecord : null;
}

return execute();
}
0 Helpfuls

Jens Mogensen
Kilo Guru

‎05-23-2024 08:40 AM

I feel silly now. Apparently the email access restriction IS working. I hadn't thought about admin rights overruling it. I tried impersonating an agent and the mail body IS invisible to them. This is great.

 

Just one niggle. They can still see what email address the notification is sent to. Is there anyway to hide this? Example: I want to make test@test.dk invisible (or just that specific activity entry):

Screenshot 2024-05-23 at 17.31.03.png

0 Helpfuls

James Chun
Kilo Patron
In response to Jens Mogensen

‎05-23-2024 12:33 PM

Although I have not tested this (as PDI doesn't allow sending emails), it might be possible to hide it by creating a field-level ACL on the [sys_email] table.

However, I do want to point out it could result in repercussions hence I wouldn't recommend it.