Best practice for setting up ACLs and groups architecture

jency83
Tera Guru

Hi guys, 

I am wondering what your experience is with building a good ACL and groups architecture in a ServiceNow instance.

I have seen a few, but they always come with some compromises. I am checking if anyone has found an ideal solution. What I have seen so far:

 

1. Simply having groups with roles assigned, then simply add users to groups

- Looks like the easiest way, but with many groups it may get too complex and confusing for end users

1a. Link groups in parent/child relationship and assign roles properly

- Might be a bit better, but there can be exceptions adding again quite a lot of complexity

2. "Organizational" and "Permission" groups

- Assign various groups: one grants people membership in an assignment group, another one grants them a role

- This looks scalable, but you may need to request multiple group memberships, which is not very user friendly

 

Eventually I found an article by @SaschaWildgrube about personas. 4k+ views but not a single comment below. Is anyone using a similar approach? I kinda like it.

 

What is your experience?

5 REPLIES

Adrian Ubeda
Mega Sage

Hello Jency83, 

From my perspective and based on my experience, I try to keep ACLs simple by focusing primarily on roles, avoiding excessive conditions. I prefer managing access through groups or roles rather than coding heavily on ACLs. Additionally, there's a feature called 'Data Filtration' that I find particularly useful when more complex logic is needed for table and record-level access. It's more flexible and powerful than traditional ACLs in those scenarios. So a combination of both could be a good approach.


Here is the link to the docs about data filtration: https://www.servicenow.com/docs/bundle/zurich-platform-security/page/administer/security/concept/dat...

 

 

☆ Community Rising Star 22, 23 & 24 ☆

Ankur Bawiskar
Tera Patron

@jency83 

I usually follow Group -> Role

Then you have control over group membership, and it will allow members to inherit roles.

Sometimes group members might require an extra role outside the group, so you can give that as well.


Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Dr Atul G- LNG
Tera Patron

Hi @jency83 

As per best practices, we always assign roles to groups and then add members to those groups. This approach is easier and more efficient.


Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]

Yes, but for larger organizations the list of groups can be quite extensive, and it can be hard for users to find the proper group.