Hide table form in CSM portal

Szilard · ‎06-17-2024

Hello Community,

One of our users somehow figured out the logic of how to display table forms on the CSM interface (e.g., xxx.service-now.com/csm?id=form&table=incident). Is there any way to hide this from the user? Either with a "record not found" message or in some other way.

Thanks in advance!

Hayo Lubbers · ‎06-17-2024

Hi @Szilard ,

Limiting the page (form) is probably undesirable, so you need to make sure your ACL's are correct. If they don't have access, they can open a list or a form, but they will not see any data.

Regards,

Hayo

Sid_Takali · ‎06-17-2024

Hi @Szilard Define proper user roles https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0639072

or Use ACL debugging tools in service portal https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0755055

Regards,

Sid

KevinBellardine · ‎06-17-2024

This is expected behavior, Service Portal is designed to be modular with portals themselves having landing pages and links out, but pages can theoretically be viewed within any portal and don't belong to any specific one. This is a good thing, because it means that if you do want to use a page in multiple places you don't have to create multiple pages.

What's happening here is a smart user, who knows the system, is exposing a flaw in your security position. If you just don't want them to be able to see this page, but it's not a problem for them to see incidents per se, then create a user criteria and add it to the page. If they shouldn't be seeing incidents at all then you need to check your ACLs. The page is ultimately just another UI, the same base rules apply and if they can see something here they can likely see it somewhere else.