Flow context and ACLs on items the flows are related to

Daniel Peel
Mega Sage

So I was curious if anyone else had seen this or done anything to address it.

When we used Workflow, it didn't show a lot of context around what is actually happening inside the workflow... when users would click on the Show Workflow related link they would see where an item was in the workflow but not really be able to see any of the variable data etc. inside the workflow.

Now with Flows, if you have the option to see a flow context, what should be the similar function to Show Workflow... you can see all the related variable and processing data related to it. Also, even if you aren't allowed to see a record, say an HR Cat Item, you can still view the flow context related to it. This opens up some PII issues.

Not allowing anyone to see the Operations view blinds users that used to be able to see where something was in the process with Workflows.

Has anyone been able to bridge that gap... flow content filtering doesn't really apply to the contexts... I could edit the ACLs for sys_flow_context but was wondering if I might be missing a configuration option.

1 ACCEPTED SOLUTION

Allen Andreas
Administrator

Hi,

This sounds like you may have full reporting turned on for Flow Designer, which allows you to see even more into the process (I assume by you saying a PII concern, then you're looking at runtime values). Normally, by default, runtime values are only visible when you test a flow/subflow/action.

But...if someone has turned that on, especially in Prod, then yes, it opens the door to more visibility when really...it's not needed in a Production environment (all the time).

I'd recommend adjusting your flow reporting to a lower level, especially in Prod, and only change it when needed. Dev...yeah, maybe it stays on, but Prod, no.

Lowering it still allows visibility into the flow, but not too deep. Otherwise, your stages should really be configured as well to help be as transparent as you can without even needing to climb into the flow.

https://docs.servicenow.com/bundle/washingtondc-build-workflows/page/administer/flow-designer/task/e... 


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!


3 REPLIES

Actually yes, we did have it set to developer trace, at the global property value... thanks for calling that out. I don't remember setting it to that lol.

I did turn this to flow only and while it did remove that data from the flow operations context it did have other unintended issues... not all actions even show as completing, which kind of defeats the purpose and if I turn on flows and actions, now we again have runtime data.

We definitely use stages, and for most that is enough, but not all flows have stages to navigate.  But thanks for pointing that out... it solved the issue as I saw it and now we'll need to look at what we really do need and what we don't... because the trace is wonderful to have 🙂 

Hi,

Sounds good. Feel free to drop a reply back here if something else comes up you want to talk about with it all. I definitely agree it's awesome to be able to see everything.

