Protection of sensitive data

Dacki · ‎03-19-2024

Hello everyone !

I have several products on my servicenow platform (ITSM, SPM, etc...).
To secure the company's sensitive data, I would like to know if the different products are compartmentalized and separated. For example, ITSM users with ITSM roles cannot see SPM objects and tables, and vice versa.
How can I technically check this without testing by role and by table?
There's also the question of cross-functional tables such as the users table.

Do you have any idea how I can verify the strict separation between products and the confidentiality and security of sensitive data?
Perhaps "Data privacy", ACL.... are part of the solution?

Thank you in advance for your feedback.

Daniel Borkowi1 · ‎03-20-2024

Hi @Dacki,

as Platform Administrator I'm also interested what other uses for automated regular ACL Assessments, so I will follow this thread.

Two apps can help to verify Access on tables:

First you can use to check users and their access.

The Second App helps to understand changes made for users, groups, roles, and ACLs. But both are not directly what you are looking for.

Greets
Daniel

Please mark reply as Helpful/Correct, if applicable. Thanks!

View solution in original post

Ed Laar · ‎03-20-2024

Hi Dacki,

As far as I know data separation within an instance is realized by ACL's that are related to roles that are related to users or more ideal roles that are related to (role) groups. A user is a member of one or more groups and with that are granted to those roles and with that access rights and more are granted to the user.
OOB separations are done within products especially regarding for example CMDB and AMDB where not everyone can do everything in the related tables.

Foundation data tables like users and locations are commonly used throughout the system. This means that (almost) everyone should be able to select a user or a location but this does/ should not automatically mean that doing this all information about a user or location becomes visible for everyone.

Suggestion here is to consider minimal information that should be visible to do the users job (for example what info is needed to select a user in an Incident what can be very different on the user information that is needed to register an Asset) and tune the applicable ACL's on this.

Hope this helps.

Cheers,

Ed

WayneOdom · ‎03-20-2024

We have explored trying to ensure compartmentalization of access numerous times to tightly restrict certain data. We've worked with ServiceNow multiple times on this, the customer outcomes team(consultants), and other partners. It always comes own to ACL's and analyzing the visibility of the data from a user persona perspective. As Daniel pointed out, there are tools that help this, but they're not exactly what you want and you always have to go back and re-check the roles and groups. For instance, ServiceNow might make changes to roles on the upgrade of a product.(We recently experienced this) Now the way we detected the role change may interest you. Automated Test Framework. We use it to test catalog items on upgrades and it detected that people lost access ot certain data. We've talked about using it to detect access to the data we want to restrict on a persona basis.(basically contractors can't see it in our system)

Another option we didn't fully vet out was use of a scope application which would tightly control access to the data. But that doesn't sound relevant to your case as described.

Brenda Williams · ‎03-20-2024

Wayne,

Do you recommend any particular consultant that you have worked with in the past for this? We are looking at doing an assessment as well? Which roles were you impacted on during an upgrade and what version? We struggle with how many roles are actually embedded into other roles especially the itil.

Dacki · ‎03-21-2024

Hi Wayne,

You said that you struggle with how many roles are actually embedded into other roles especially the itil. We have exactly the same type of question.