Before Query Business Rule for Role based list
02-19-2018 09:49 AM
I have several organizations within my ServiceNow instance and would like to limit access (view, edit) to only tickets that are assigned to a group from the user's organization. Item 4 in the following article, "What everyone should know about ServiceNow Security", talks about the Row Level Read ACL exception. When setting up ACLs on some of the rows within the table, I came across the same issue with the Incident table view.
I would like to take advantage of the before query rule to avoid creating multiple ACLs for assignment groups in my organization. What other alternative solutions with ACLs are available to avoid the issue that Mark Stanger has identified in item 4?
https://www.servicenowguru.com/showcase/servicenow-security-tips/
Thanks,
Jahanzeb

02-19-2018 10:05 AM
Jahanzeb,
I'm not sure if I got your point. In general you should consider creating an ACL to limit row level access to the records. There is no need to create multiple ACLs. In general you will need:
<table> - this is the ACL which allows read on the table and rows, and you should grant it to all users you want to read the data
<table>.* - this is the ACL which will allow row level access to all the fields
<table>.<field> - this is the ACL which will allow read access to one specific field
What you would need to do is:
- Deactivate the OOTB ACLs, so you are sure that they are not overriding your security
- Set up a new ACL for <table> which holds a script and the roles you want. In the script, you can use gs.getUser().getCompanyID() to compare to current.assignment_group.<company_field>
If you are unsure how all this can be done and are not that firm in scripting, I propose you take a look at Simple Separation on Share. It actually allows you to configure with a UI what you want.
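The same company comparison, written as the before query business rule the question asks about rather than as an ACL script, as an added example that is not part of this thread: because the condition is added to the query itself, rows outside the user's company are never returned, so list counts and paging stay accurate. It assumes the group's company is held in a field named company on sys_user_group, and gs and current are stubbed with constructed data so it runs offline.

```javascript
// Stand-ins for the platform objects the rule reads (gs and current) so it runs offline.
function makeGs(user) {
  return {
    getUser: () => ({ getCompanyID: () => user.companyId }),
    hasRole: (role) => user.roles.includes(role),
    getSession: () => ({ isInteractive: () => user.interactive }),
  };
}

// Stand-in for the GlideRecord being queried; the rule only calls addQuery on it.
function makeQuery() {
  const conditions = [];
  return { conditions, addQuery: (field, value) => { conditions.push({ field, value }); } };
}

// The rule script (Table: incident, When: before, Query: checked). Adding the condition
// to the query means the database filters the rows, so the list never shows the
// "records removed by security constraints" gaps that a row-level read ACL produces.
// Assumed field name: the group's company is held in sys_user_group.company.
function restrictIncidentsToUserCompany(gs, current) {
  // Admins and non-interactive sessions (integrations, scheduled jobs) are not filtered.
  if (gs.hasRole('admin') || !gs.getSession().isInteractive()) return;
  const companyId = gs.getUser().getCompanyID();
  if (!companyId) {
    // User record has no company: match nothing rather than fall open to every row.
    current.addQuery('sys_id', 'NULL');
    return;
  }
  current.addQuery('assignment_group.company', companyId);
}

// Constructed sample incidents with the assignment group's company already resolved.
const INCIDENTS = [
  { number: 'INC0010001', sys_id: 'a1', 'assignment_group.company': 'acme' },
  { number: 'INC0010002', sys_id: 'a2', 'assignment_group.company': 'globex' },
  { number: 'INC0010003', sys_id: 'a3', 'assignment_group.company': 'acme' },
];

// Runs the rule for a user and returns the incident numbers their list would contain.
function visibleIncidentNumbers(user) {
  const query = makeQuery();
  restrictIncidentsToUserCompany(makeGs(user), query);
  const matches = (inc, c) => (c.value === 'NULL' ? inc[c.field] == null : inc[c.field] === c.value);
  return INCIDENTS.filter((inc) => query.conditions.every((c) => matches(inc, c)))
    .map((inc) => inc.number);
}
```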
02-19-2018 11:04 AM
Ulrich,
Thank you for the response and general background information. This really helps me understand additional options. For this particular case, I disabled the OOTB Incident table read ACL with the description "itil role required to read incident records". Following that, I created new ACLs that would be role based for one of the organizations. The end result is that incidents are displayed in the order they are created. So an ACL created a month ago is the first on the list, while 99 records are removed/not displayed, unless the user modifies their table display to "Show > 100 records per page". The list of incidents can easily be missed.
Note that there are also additional records on the following page.
At the end of the day, only using ACLs will limit which records a user can view/edit, and it also requires additional training to make sure they can view all the records regardless of the date they were created. I was interested to see if there was an OOTB solution that ServiceNow has developed over the years to address this, or perhaps another way to configure the ACL.
I am reading up on the Simple Separation link provided. At first glance, my only reservation is that this is no longer fully supported by the developer.
Thanks,
Jahanzeb