ACLs alone not enough to enforce security model

CarrieH
Tera Contributor

3 weeks ago

Give an example of a situation where ACLs alone were not enough to enforce the security model needed. How did you extend or supplement the controls?

0 Helpfuls
  • 537 Views
6 REPLIES 6

GlideFather
Tera Patron

3 weeks ago

Hi @CarrieH,

 

can you elaborate a bit more on "ACLs alone were not enough to enforce the security model needed"

 

With the ACLs you can effectively decide who can access what table and what fields and the access can be - viewing, creating, updating, deleting, list_view, reports.

 

Could you possibly explain a scenario where ACL wouldn't be sufficient mean of security?

_____
100 % GlideFather experience and 0 % generative AI

0 Helpfuls

Ankur Bawiskar
Tera Patron

3 weeks ago

@CarrieH 

not sure about your business requirement.

But many a times I have used Table.None READ ACL + Query BR on that table to restrict

For CSM -> You can use CSM Query Rules

For HRSD -> You can use HR COE Security Policies

For Sensitive Data such as PII -> You can use Column Level Encryption at field level which is free from ServiceNow and it supports few field types

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  10x ServiceNow MVP  ||  ServiceNow Community Leader
0 Helpfuls

Ankur Bawiskar
Tera Patron
In response to Ankur Bawiskar

3 weeks ago

@CarrieH 

Hope you are doing good.

Did my reply answer your question?

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  10x ServiceNow MVP  ||  ServiceNow Community Leader
0 Helpfuls

yashkamde
Mega Sage

3 weeks ago

Hello @CarrieH ,

 

Considering a situation, suppose we have a requirement in the Incident table where support agents should only see incidents assigned to their support group, while managers could see all incidents belonging to their department.
Initially, we can implement ACLs on the Incident table using conditions like checking if the user's group matched the assignment_group. This will work for basic record-level security. However, ACLs alone were not sufficient for more dynamic conditions.

This is we can extend the security model:
Before Business Rule Implement a Before Update BR to validate whether the user belongs to the selected assignment_group. If not, the update block with an error message.

 

Key point is you understand that ACL = access control, but complete security often requires multiple layers.

 

If my response helped mark as helpful and accept the solution.

0 Helpfuls