Best practice for setting up ACLs and groups architecture
Wednesday
Hi guys,
I am wondering what your experience is building a good ACL and groups architecture in a ServiceNow instance.
I have seen a few, but they always come with some compromises. I am checking if anyone has found an ideal solution. What I have seen so far:
1. Simply having groups with roles assigned, then simply add users to groups
- Looks like the easiest way, but with many groups it may get too complex and confusing for the end user
1a. Link groups in parent/child relationship and assign roles properly
- Might be a bit better, but there can be exceptions adding again quite a lot of complexity
2. "Organizational" and "Permission" groups
- Assign various groups: one grants people membership in an assignment group, another one grants them a role
- This looks scalable, but you may need to request multiple group memberships, which is not very user-friendly
Eventually I found an article by @SaschaWildgrube about personas. 4k+ views but not a single comment below. Is anyone using a similar approach? I kinda like it.
What is your experience?
Labels: Architect
Wednesday
Hello Jency83,
From my perspective and based on my experience, I try to keep ACLs simple by focusing primarily on roles, avoiding excessive conditions. I prefer managing access through groups or roles rather than coding heavily on ACLs. Additionally, there's a feature called 'Data Filtration' that I find particularly useful when more complex logic is needed for table and record-level access. It's more flexible and powerful than traditional ACLs in those scenarios. So a combination of both could be a good approach.
Here is the doc link about data filtration: https://www.servicenow.com/docs/bundle/zurich-platform-security/page/administer/security/concept/dat...
☆ Community Rising Star 22, 23 & 24 ☆
Wednesday
I usually follow Group -> Role
Then you have control over group membership, and it will allow members to inherit roles.
Sometimes group members might require an extra role outside the group, so you can give that as well.
If my response helped, please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
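The Group -> Role model discussed in this thread, with the "extra role outside group" exception made visible, as an added example that is not code from any poster or from ServiceNow. It is plain JavaScript over constructed data (group names, users and all roles other than the shapes shown are made up), and it assumes a child group inherits the roles of its parent group.

```javascript
// Constructed sample data; these objects are illustrative, not a ServiceNow API.
const groups = {
  "IT Operations":   { parent: null,            roles: ["itil"] },
  "Network Support": { parent: "IT Operations", roles: ["network_admin"] },
  "HR Case Team":    { parent: null,            roles: ["hr_agent"] },
};
const memberships  = { alice: ["Network Support"], bob: ["HR Case Team"] };
// Roles granted straight to the user, bypassing groups (constructed).
const directGrants = { alice: ["itil"], bob: ["report_admin"] };

// Roles a group confers: its own plus those inherited from parent groups.
function groupRoles(name, seen = new Set()) {
  if (!name || seen.has(name)) return new Set(); // stop on root or parent cycle
  seen.add(name);
  const g = groups[name];
  if (!g) return new Set();                      // unknown group confers nothing
  return new Set([...g.roles, ...groupRoles(g.parent, seen)]);
}

// Split a user's access into what groups explain and what they do not.
function auditUser(user) {
  const viaGroups = new Set();
  for (const g of memberships[user] || []) {
    for (const r of groupRoles(g)) viaGroups.add(r);
  }
  const direct = directGrants[user] || [];
  return {
    effective: [...new Set([...viaGroups, ...direct])].sort(),
    // Direct grant that a group already provides: safe to remove.
    redundantDirect: direct.filter((r) => viaGroups.has(r)).sort(),
    // Direct grant no group explains: an exception that needs an owner and review.
    directOnly: direct.filter((r) => !viaGroups.has(r)).sort(),
  };
}

for (const user of Object.keys(memberships)) {
  console.log(user, JSON.stringify(auditUser(user)));
}
```

The `directOnly` list is the part worth reviewing periodically, since those grants survive when the user is removed from every group.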
Wednesday
Hi @jency83
As per best practices, we always assign roles to groups and then add members to those groups. This approach is easier and more efficient.
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [Connect for 1-1 Session]
Wednesday
Yes, but for larger organizations the list of groups can be quite extensive, and it can be hard for users to find the proper group.