Symptoms

End users are able to view work notes though there are worknotes ACLs in place which restrict them from viewing it.

Release

All the available releases

Cause

The customer may have added have added the "Comments and Work Notes" field instead of "Comments" and "Work notes" fields separately. Since this is a separate field in the sys_dictionary for the task table, it will not evaluate the ACLs you have on "Work_notes".  

Resolution

To resolve the issue, you have to remove the "Comments and Worknotes" field from the corresponding view and add "Comments" and "Worknotes" separately along with the activity filtered.

Additional Information

"Comments and Work Notes" is a separate field and the users will need to have a separate ACL to hide this from users without any roles. They need to have ACLs defined limit read/write access to the users with different roles. Please find the sys_dictionary definition of the fields below. 

Comments and Work notes -

https://<instance-name>.service-now.com/nav_to.do?uri=sys_dictionary.do?sys_id=82d2bcd26f321100a0619e4eae3ee4a1
Additional Comments -

https://<instance-name>.service-now.com/nav_to.do?uri=sys_dictionary.do?sys_id=9d4034526f321100a0619e4eae3ee4f8 
Work notes -

https://<instance-name>.service-now.com/nav_to.do?uri=sys_dictionary.do?sys_id=194074526f321100a0619e4eae3ee402