prevent user accounts who may have itil or any other role that could access the sys_attachment table from utilizing "apis" to access those attachments


Wed Jan 13 2021 15:08:18 GMT+0000 (Coordinated Universal Time)

Saved by @nhord2007@yahoo.com #servicenow,variables,vip,icon,catalog,client,script #servicenow,ui,script,uiscript

/* SW • Added 01/12/2021
** This was added to check for any non-interactive users (service accounts used for integrations)
** to ensure they only have access to attachments in which the record it is attached to is the
** same company as the service account.
*/

// Remove the prefix ServiceNow puts on table_name for attachments held on
// hidden / journal tables, so the real parent record can be opened.
var tableName = String(current.table_name);   // coerce the GlideElement to a plain JS string
if (tableName.indexOf("invisible.") === 0)
    tableName = tableName.substring(10);
else if (tableName.indexOf("ZZ_YY") === 0)
    tableName = tableName.substring(5);

var parentRecord = new GlideRecord(tableName);
parentRecord.setWorkflow(false);
var parentFound = parentRecord.isValid() && parentRecord.get(current.table_sys_id);

if (!gs.getSession().isInteractive())
    return verifyReadAccessFromNonInteractiveUsers(parentRecord, parentFound);

// Interactive (UI) sessions are not restricted by this script; the ACL's roles
// and conditions still decide for them.
return true;

function verifyReadAccessFromNonInteractiveUsers(parentRecord, parentFound) {
    // Fail closed when the parent record is gone or its table has no company field.
    if (!parentFound || !parentRecord.isValidField("company"))
        return false;
    if (gs.hasRole("snc_platform_rest_api_access") &&
        parentRecord.canRead() &&
        parentRecord.getValue("company") == gs.getUser().getCompanyID())
        return true;
    return false;
}

This will prevent user accounts that hold itil or any other role able to read the sys_attachment table from using the APIs to access those attachments. The script belongs on the primary "read" ACL for sys_attachment. You can of course add more conditions, as I did here: the attachment is allowed only if the company on the record it is attached to (parentRecord, e.g. an incident) matches the company of the service account (on sys_user). Example: if incident.company is the same as sys_user.company, then allow.
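As an added example (not the page's ACL script and not a ServiceNow API), the same decision modelled as plain JavaScript so the prefix handling and the fail-closed cases can be exercised offline. GlideRecord, the session and the user are replaced by constructed stand-ins (`makeLookup`, `ctx.session`), the company ids and sys_ids are made up, and treating interactive sessions as "allow, leave it to the ACL's roles and conditions" is an assumption of the model:

```javascript
// Added example: stand-alone model of the sys_attachment read decision.
// Nothing here is ServiceNow's own API; platform objects are stubbed so the
// logic runs offline.

// Prefixes ServiceNow puts on sys_attachment.table_name when the attachment
// hangs off a hidden or journal table; the real parent table follows them.
var TABLE_PREFIXES = ["invisible.", "ZZ_YY"];

function stripTablePrefix(tableName) {
  var name = String(tableName || "");
  for (var i = 0; i < TABLE_PREFIXES.length; i++) {
    if (name.indexOf(TABLE_PREFIXES[i]) === 0) {
      return name.substring(TABLE_PREFIXES[i].length);
    }
  }
  return name;
}

// Stand-in for GlideRecord.get(): db is { table: { sys_id: record } }.
function makeLookup(db) {
  return function (table, sysId) {
    var rows = db[table];
    if (!rows || !Object.prototype.hasOwnProperty.call(rows, sysId)) return null;
    return rows[sysId];
  };
}

// The decision the ACL script makes. ctx carries what the script would read
// from current, gs.getSession() and gs.getUser():
//   ctx.attachment: { table_name, table_sys_id }
//   ctx.session:    { interactive, roles: [...], companyId }
//   ctx.lookup:     function(table, sysId) -> { company, canRead } or null
function canReadAttachment(ctx) {
  // Interactive (UI) users are left to the ACL's roles and conditions (model assumption).
  if (ctx.session.interactive) return true;

  var parent = ctx.lookup(stripTablePrefix(ctx.attachment.table_name),
                          ctx.attachment.table_sys_id);

  // Fail closed: orphaned attachment, unreadable parent, missing REST role, or
  // a parent with no company value gives an integration account nothing.
  if (!parent || !parent.canRead) return false;
  if (ctx.session.roles.indexOf("snc_platform_rest_api_access") === -1) return false;
  if (!parent.company || !ctx.session.companyId) return false;

  return parent.company === ctx.session.companyId;
}

// Constructed sample data (sys_ids and company ids are made up).
var SAMPLE_DB = {
  incident: {
    inc1: { company: "acme", canRead: true },
    inc2: { company: "globex", canRead: true },
    inc3: { company: "acme", canRead: false }
  },
  sys_user: {
    usr1: { company: undefined, canRead: true }   // parent carries no company
  }
};

function serviceAccount(companyId, roles) {
  return { interactive: false, roles: roles, companyId: companyId };
}

// Runs the scenarios a reviewer would want to see and returns the outcomes.
function runScenarios() {
  var lookup = makeLookup(SAMPLE_DB);
  var acmeSvc = serviceAccount("acme", ["itil", "snc_platform_rest_api_access"]);
  var cases = {
    sameCompany:      { table_name: "incident",           table_sys_id: "inc1" },
    journalPrefix:    { table_name: "ZZ_YYincident",      table_sys_id: "inc1" },
    invisiblePrefix:  { table_name: "invisible.incident", table_sys_id: "inc2" },
    unreadableParent: { table_name: "incident",           table_sys_id: "inc3" },
    orphaned:         { table_name: "incident",           table_sys_id: "gone" },
    noCompanyField:   { table_name: "sys_user",           table_sys_id: "usr1" }
  };
  var out = {};
  for (var name in cases) {
    out[name] = canReadAttachment({ attachment: cases[name], session: acmeSvc, lookup: lookup });
  }
  // itil alone, without the REST API role, is denied even on the right company.
  out.itilOnly = canReadAttachment({
    attachment: cases.sameCompany,
    session: serviceAccount("acme", ["itil"]),
    lookup: lookup
  });
  // A UI session on another company's record is not this script's concern.
  out.interactiveOtherCompany = canReadAttachment({
    attachment: cases.invisiblePrefix,
    session: { interactive: true, roles: ["itil"], companyId: "acme" },
    lookup: lookup
  });
  return out;
}
```

The point of the scenarios is the fail-closed branches: a stripped prefix that still resolves to a readable same-company record is allowed, while an orphaned attachment, an unreadable parent, a parent without a company value, or an account lacking snc_platform_rest_api_access is denied before the company comparison is ever reached.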