Hi,
I've recently implemented a Technical Service Request form in my change table. As part of the approval process a notification is sent to an approver with ticket details and links to file attachments. The approver does not have a process license and does not have access to the change table. They read the ticket details and click on an "approved" or "rejected" link to send a reply email. They want to be able to view any attached files, which I have linked to using the code below. Licensed users with read access to the table can click through to the attachments, but unlicensed users don't click through and just hang trying to read the sys ID. Is there a way to grant access to the attachments without access to the record housing them?
Thanks, Jim
<mail_script>
printattachments();

// Print one link per file attached to the current record.
function printattachments() {
    var gr = new GlideRecord('sys_attachment');
    gr.addQuery('table_sys_id', current.sys_id);
    gr.query();
    while (gr.next()) {
        template.print('Attachment: <a href="https://usf.service-now.com/sys_attachment.do?sys_id=' + gr.sys_id + '">' + gr.file_name + '</a>\n');
    }
}
</mail_script>
Jim Uomini
Service Level Manager
Information Technology Services
University of San Francisco
jmuomini@usfca.edu
Second ACL on Change
I tried adding a second read ACL on change that grants a new role access when tsr is true. But the records are removed from the user's view due to security constraints. I can't see a rule that is blocking it. I even temporarily removed the original itil access but it was still blocked. I don't see an obvious script that is doing it, such as the incident query script.
Does anyone have a suggestion for what might be blocking my new role from reading the change records?
Thanks
Jim Uomini
If your Condition is met and the user has one of the required roles, that should be sufficient. If you impersonate a user with that role and type "change_request.list" in the nav filter, do you not see the Changes where tsr is true?
If not, try clicking the Debug Security Rules module before impersonating the user, and see what sort of output you get. If a rule is blocking you, you should see it. You'll likewise see if a rule allows access.
Forgot a step
OK, bone-head move, I created a role and group, but forgot to add the role to the group. Thanks for pointing me in the right direction to troubleshoot it.
For some reason I'm getting a "Requested attachment does not exist" error now in Dev, which I wasn't getting in Prod, but that's a different problem. It isn't role-specific.
Thanks again for your help CapaJC.
Jim Uomini
Thanks CapaJC
Jim Uomini
Standard Read ACL on sys_attachment prevents access if you can't read the parent record. You could mess with that ACL a bit, or provide a second ACL to grant read access to specific roles or under certain circumstances...
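The narrowly scoped second ACL suggested in the last reply could make the decision sketched below. This is an added example, not code from the thread or from ServiceNow. The role name `tsr_approver` and the assumption that `tsr` is a true/false field on `change_request` are hypothetical, and the two callbacks stand in for `gs.hasRole()` and a `GlideRecord` lookup of the parent record so the logic can be run outside an instance.

```javascript
// Added sketch: the decision a second read ACL on sys_attachment would make.
// In an ACL script the result would be assigned to the `answer` variable.
var TSR_ROLE = 'tsr_approver'; // hypothetical role name, not from the thread

// attachment: { table_name, table_sys_id } as stored on sys_attachment.
// hasRole(role): stands in for gs.hasRole(role).
// getParent(table, sysId): stands in for a GlideRecord get(); returns the
// parent record, or null when it does not exist.
function canReadTsrAttachment(attachment, hasRole, getParent) {
    // Cover change_request attachments only; every other table stays under
    // the standard sys_attachment ACL (parent must be readable).
    if (attachment.table_name !== 'change_request') return false;
    // Require the dedicated role, so the rule does not open attachments to all users.
    if (!hasRole(TSR_ROLE)) return false;
    var parent = getParent(attachment.table_name, attachment.table_sys_id);
    if (!parent) return false; // orphaned attachment: deny
    // Grant only when the parent is flagged as a TSR (boolean or 'true' string).
    return String(parent.tsr) === 'true';
}

// Constructed sample data for the demonstration below.
var SAMPLE_CHANGES = {
    'chg-tsr': { tsr: true },
    'chg-normal': { tsr: false }
};
function sampleGetParent(table, sysId) {
    return (table === 'change_request' && SAMPLE_CHANGES[sysId]) || null;
}
function approverHasRole(role) { return role === TSR_ROLE; }
function plainUserHasRole(role) { return false; }

// Returns the decision for each constructed case.
function demo() {
    var tsrFile = { table_name: 'change_request', table_sys_id: 'chg-tsr' };
    var normalFile = { table_name: 'change_request', table_sys_id: 'chg-normal' };
    var incidentFile = { table_name: 'incident', table_sys_id: 'chg-tsr' };
    return {
        approverOnTsr: canReadTsrAttachment(tsrFile, approverHasRole, sampleGetParent),
        approverOnNormal: canReadTsrAttachment(normalFile, approverHasRole, sampleGetParent),
        approverOnIncident: canReadTsrAttachment(incidentFile, approverHasRole, sampleGetParent),
        plainUserOnTsr: canReadTsrAttachment(tsrFile, plainUserHasRole, sampleGetParent)
    };
}
```

Keeping the table, role and flag checks together means the extra rule grants nothing beyond TSR attachments, and the standard parent-record check still governs everything else.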