Work Notes Visible in Portal for Both Internal and External Forms

Issue

In certain ServiceNow instances, work notes are inadvertently visible to all users on both internal and external user forms, which poses a potential security risk. The goal is to restrict access to work notes so that only authorized personnel can view them.

Release

All Releases supporting Service Portal

Resolution

To resolve this issue, follow these steps:

Step 1: Review the Case Requirements
Before implementing any changes, it's essential to understand the specific requirements of your case. This will help you determine the necessary access controls and ensure that the solution meets your needs.

Step 2: Adjust Existing Read ACLs or Create New Deny Unless ACLs
To restrict access to work notes, you'll need to adjust the existing read ACLs or create new 'deny unless' ACLs. These ACLs will control read access to the work notes, ensuring that only authorized users can view them.

Step 3: Set Conditions for Deny Unless ACLs
Using Deny Unless ACLs, you can set conditions that determine which users are allowed to evaluate read ACLs. This allows you to fine-tune access controls and ensure that only authorized personnel can view work notes.

Step 4: Ensure Existing Allow If ACLs
Finally, ensure that users have existing allow if ACLs. If they don't, you'll need to create them to ensure that authorized users can view work notes.

Example ACL Script:
Here's a basic example of an ACL script that restricts access to work notes:

    (function executeRule(current, previous /*null when async*/) {
        // Define the roles that are allowed to view work notes
        var allowedRoles = ['admin', 'agent'];

        // Check if the current user has at least one of the allowed roles.
        // gs.hasRole() is called once per role name; comparing the array
        // against the user's whole role list would never match.
        var hasAllowedRole = allowedRoles.some(function (role) {
            return gs.hasRole(role);
        });

        if (!hasAllowedRole) {
            // If not, deny access to work notes
            current.setValue('work_notes', 'Restricted');
        }
    })(current, previous);

This script checks if the current user has one of the allowed roles (in this case, 'admin' or 'agent'). If not, it denies access to the work notes by setting the value to 'Restricted'.

Note: This is a basic example and may need to be modified to fit your specific use case. Additionally, this script should be used in conjunction with other ACLs and access controls to ensure that work notes are properly restricted.

Best Practice:
To ensure that work notes are properly restricted, it's essential to regularly review and update your ACLs and access controls. This will help prevent unauthorized access and ensure that sensitive information is protected.

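How the ACLs from steps 2 to 4 combine, as a simplified model added here (plain JavaScript, not ServiceNow code and not part of the original article). It assumes the evaluation order the steps describe: every deny-unless ACL must pass before any allow-if ACL can grant read access. The ACL names, the 'customer' role, the over-broad allow-if ACL and the sample users are constructed; 'admin' and 'agent' come from the article's script.

```javascript
// Simplified model of read-ACL evaluation for work_notes (an assumption based on
// steps 3 and 4; not ServiceNow code). ACL names and users are constructed.
const STAFF_ROLES = ['admin', 'agent']; // roles taken from the article's script

const broadAllowIf = {            // constructed: allow-if ACL that is too permissive
  name: 'allow_if: any authenticated user', type: 'allow_if',
  passes: (user) => user.authenticated,
};
const staffAllowIf = {            // step 4: allow-if ACL for authorized staff
  name: 'allow_if: staff role', type: 'allow_if',
  passes: (user) => user.roles.some((r) => STAFF_ROLES.includes(r)),
};
const staffDenyUnless = {         // steps 2-3: gate evaluated before any allow-if ACL
  name: 'deny_unless: staff role', type: 'deny_unless',
  passes: (user) => user.roles.some((r) => STAFF_ROLES.includes(r)),
};

// Every deny-unless ACL must pass, then at least one allow-if ACL must pass.
function canReadWorkNotes(user, acls) {
  const gate = acls.find((a) => a.type === 'deny_unless' && !a.passes(user));
  if (gate) return { allowed: false, reason: 'blocked by ' + gate.name };
  const grant = acls.find((a) => a.type === 'allow_if' && a.passes(user));
  if (!grant) return { allowed: false, reason: 'no allow-if ACL matched' };
  return { allowed: true, reason: 'granted by ' + grant.name };
}

// Constructed sample users
const agent = { name: 'agent.user', authenticated: true, roles: ['agent'] };
const customer = { name: 'portal.customer', authenticated: true, roles: ['customer'] };

const scenarios = {
  'before (broad allow-if only)': [broadAllowIf],
  'after (deny-unless + allow-if)': [staffDenyUnless, broadAllowIf, staffAllowIf],
  'deny-unless only (step 4 skipped)': [staffDenyUnless],
};

function report() {
  const rows = [];
  for (const [label, acls] of Object.entries(scenarios)) {
    for (const user of [agent, customer]) {
      const r = canReadWorkNotes(user, acls);
      rows.push(`${label} | ${user.name} | ${r.allowed ? 'READ' : 'DENIED'} | ${r.reason}`);
    }
  }
  return rows;
}

console.log(report().join('\n'));
```

The third scenario shows why step 4 matters: with a deny-unless ACL but no matching allow-if ACL, the authorized agent is denied as well.
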
Related Links

Work Notes and Comments related Knowledge Articles:
End users are able to view work notes though there are worknotes ACLs in place which restrict them from viewing it
Additional Comments and Work Notes are incorrectly placed where the Filtered Activities are located
Work notes/Additional comments field is not visible.