Prevent user accounts that hold the itil role, or any other role able to read the sys_attachment table, from using the APIs to access those attachments
Wed Jan 13 2021 15:08:18 GMT+0000 (Coordinated Universal Time)
Saved by
@nhord2007@yahoo.com
#servicenow,variables,vip,icon,catalog,client,script
#servicenow,ui,script,uiscript
/* SW • Added 01/12/2021
** This was added to check for any non-interactive users (service accounts used for integrations)
** to ensure they only have access to attachments in which the record it is attached to is the
** same company as the service account.
*/
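// Strip the internal prefixes ServiceNow puts on some attachment parents so the
// parent record can be looked up on its real table.
var tableName = current.table_name;
if (tableName.startsWith("invisible."))
    tableName = tableName.substring(10);
else if (tableName.startsWith("ZZ_YY"))
    tableName = tableName.substring(5);

// Only non-interactive sessions (integration/service accounts coming in through
// the APIs) are restricted here. Interactive sessions fall through without an
// explicit result, as in the original script, so the rest of the ACL decides.
if (!gs.getSession().isInteractive()) {
    var parentRecord = new GlideRecord(tableName);
    parentRecord.setWorkflow(false);
    // Deny outright when the parent table is unknown or the parent record no
    // longer exists: an unloaded record would otherwise be compared with an
    // empty company value below.
    if (!parentRecord.isValid())
        return false;
    if (!parentRecord.get(current.table_sys_id))
        return false;
    return verifyReadAccessFromNonInteractiveUsers(parentRecord);
}

/*
** Decide whether the current non-interactive user may read an attachment whose
** parent record is `parentRecord`. Returns true only when the user holds the
** REST API role, can read the parent record itself, and belongs to the same
** non-empty company as that record; everything else is denied.
*/
function verifyReadAccessFromNonInteractiveUsers(parentRecord) {
    if (!gs.hasRole("snc_platform_rest_api_access"))
        return false;
    if (!parentRecord.canRead())
        return false;
    // Tables without a company field never match.
    if (!parentRecord.isValidField("company"))
        return false;
    var recordCompany = String(parentRecord.getValue("company") || "");
    var userCompany = String(gs.getUser().getCompanyID() || "");
    // An empty company on both sides would compare equal; require a real value
    // so a service account with no company cannot read company-less records.
    if (recordCompany === "" || userCompany === "")
        return false;
    return recordCompany === userCompany;
}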
This will prevent user accounts that hold the itil role, or any other role able to read the sys_attachment table, from using the APIs to access those attachments.
This script would go on the primary "read" ACL for sys_attachment.
You can of course add further conditions, as I did here: only allow the attachment when the company of the record it is attached to (parentRecord, e.g. an incident) matches the company of the service account (on sys_user).
Example: If incident.company is same as sys_user.company, then allow