User with role 'approver_user' is unable to download/READ the attachments attached to a CHG record.

Description

Symptoms

A user with only the 'approver_user' role is not able to view the attachments of a change request.

Release

Kingston, London, Madrid

Cause

All existing ACLs of type 'read' fail for users with the 'approver_user' role, which prevents those users from downloading or viewing the attachments.

Resolution

To change this existing behavior and allow all users with the 'approver_user' role to access attachments on their approval record, we need to create a new READ type ACL. This ACL should be defined on the sys_attachment table and should contain 'approver_user' in the roles embedded list, and its script should return 'true' only if the approval record is associated with a change request and assigned to the currently logged-in user.

The ACL script should be something like the one below:

    // Deny by default; grant only when the conditions below are met.
    var answer = false;

    // Only consider attachments that belong to a change request.
    if (current.table_name == "change_request") {
        // Look up the approval records for the change request that owns this attachment.
        var gr = new GlideRecord('sysapproval_approver');
        gr.addEncodedQuery('sysapproval=' + current.table_sys_id);
        gr.query();
        while (gr.next()) {
            // Grant read access only if the logged-in user is an approver of that change.
            if (gr.approver == gs.getUserID())
                answer = true;
        }
    }

Now, impersonate 'Approver User' and access any approval record for a CHG record that has attachments. The user should be able to view/download the attachments as expected.

Additional Information

NOTE: This is only one of the ways to achieve this business use case, and ServiceNow Administrators are free to make any modifications/tweaks to the SCRIPT of the ACL.
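
The following is an added example, not part of the original article and not ServiceNow code: it runs the logic of the ACL script from the Resolution section in plain JavaScript (Node.js) against a constructed approval table, so both the grant case and the deny cases can be checked before the ACL is created. The GlideRecord stand-in, the function names evaluateAcl and canRead, and all sys_ids and user IDs are assumptions made for the illustration.

```javascript
// Constructed sysapproval_approver rows (sample data, not from a real instance).
const APPROVALS = [
  { sysapproval: 'chg001', approver: 'user_alice' },
  { sysapproval: 'chg001', approver: 'user_bob' },
  { sysapproval: 'chg002', approver: 'user_bob' },
];

// Hypothetical stand-in for GlideRecord. It supports only the calls the ACL
// script makes and only single 'field=value' encoded queries.
function makeGlideRecord(rows) {
  return class StubGlideRecord {
    constructor(table) {
      this.table = table;
      this.filters = [];
      this.result = [];
      this.idx = -1;
    }
    addEncodedQuery(q) {
      const [field, value] = q.split('=');
      this.filters.push([field, value]);
    }
    query() {
      this.result = this.table === 'sysapproval_approver'
        ? rows.filter(r => this.filters.every(([f, v]) => r[f] === v))
        : [];
    }
    next() {
      this.idx++;
      if (this.idx >= this.result.length) return false;
      Object.assign(this, this.result[this.idx]); // expose row fields on the record
      return true;
    }
  };
}

// The article's ACL script, wrapped in a function with its globals injected.
function evaluateAcl(current, gs, GlideRecord) {
  var answer = false; // deny by default
  if (current.table_name == 'change_request') {
    var gr = new GlideRecord('sysapproval_approver');
    gr.addEncodedQuery('sysapproval=' + current.table_sys_id);
    gr.query();
    while (gr.next()) {
      if (gr.approver == gs.getUserID()) answer = true;
    }
  }
  return answer;
}

// Evaluate the ACL for one user against one constructed sys_attachment row.
function canRead(userId, attachment) {
  return evaluateAcl(attachment, { getUserID: () => userId }, makeGlideRecord(APPROVALS));
}
```

The cases worth checking are the deny paths: an approver of one change must not gain access to attachments on a change they do not approve, or to attachments on any other table.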