Issue
Description
The necessity may arise in which the administrator of a ServiceNow instance prefers to limit the capability to add attachments to a specific set of users on an instance. This capability does exist in the platform and the following article will describe how this might be done.
Procedure
The procedure to accomplish this consists of adjusting a specific system property to include specific group names containing users who should be able to add attachments to records on the system. The following describes these steps in detail:
Log into the instance with an account having admin rights to the instance.
Browse to the following location on the instance: System Properties -> Security.
Scroll through the list of System Properties that appear on this Security Properties page with the heading List of roles that can create attachments.
In the text field below the heading, add a list of role names from the system which should be allowed to add attachments to records on the instance. Each role name should be delineated by a comma (,) but no spaces should be included.
The default out-of-box setting for this system property is "public". This special value or a blank value indicates there are no restrictions on roles or users who can add attachments to records on the instance.
Once the list is populated with the necessary roles, click one of the Save buttons on the page. One such button is found at the top of the page and another at the bottom.
One option some customers might use who want to limit the users who can include attachments to records is to create a new group (i.e. attachment_users) that can add such attachments and then associate this group to other roles, users or groups as needed to ensure all the users who might need to add attachments are included.
Additional Information
It should be noted that since this is controlled by a System Property, this property can be adjusted directly from the sys_properties table if needed, but it is usually recommended to adjust it from the Security System Properties page as described above. However, if the property needs to be adjusted from the sys_properties table, the property name is glide.attachment.role and is found in the sys_properties table.
The following page briefly describes this property and several other that handle the behavior of attachments on the instance:
Uploading of all attachments can also be restricted on a per table basis through usage of a special attribute added to the Collection Dictionary record for a table. The following article describes this capability as well as the steps to perform this restriction (or remove the restriction):
https://support.servicenow.com/kb_view.do?sysparm_article=KB0718491
