On the Question of Data Separation...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎07-24-2014 01:21 PM
The need to securely segment data between groups, departments, or even locations is constant, even within IT organizations. What organization doesn't have a particular group that is subject to extenuating compliance requirements that necessitate that their data remain hidden from the rest of the organization? As we delve deeper into the world of Enterprise Service Management, this need only grows. I have yet to find an HR organization that doesn't wish to keep their data separate from IT. Additional requirements for the financial department, medical organizations, etc only add to the complexity!
Historically, there have been 3 methods by which to attack this:
- Access Control Rules - These make sense at first glance, but can be a real drag on performance. For simple needs, field level security, and role-based security, you're all good! For complex scripted conditions, you'd best keep these at arm's length. Remember, that script with 2 GlideRecord queries that you built into that ACL is going to run for every single record on that 1.2 million record Incident table at Acme Corp, and every single time you view the table - that's potentially 2.4 million queries needed for a simple table list! Not to mention that your users will see that annoying "XX rows removed by security" message every time they view that list.
- Domain Separation - Pure power! Domain separation is a wonderful thing - separated and secured data between every domain; not to mention the ability to have separate processes for each domain - business rules, client scripts, and now even workflows that are unique to each domain in your instance! Sounds great, but make sure you know what you're getting into. The maintenance and testing requirements on a domain separated instance are far larger than a typical instance, and there is a financial uptick that comes with a license to use domain separation. If you need separated processes between domains, go for it! If you only need separated data, then this may be a hammer too big for the nail.
- Before Query Business Rules - These are en vogue these days, and for good reason! But, they can sound a bit intimidating. What exactly do they do? Well, before query business rules allow you to inject custom queries onto the front of every database access, so that you may limit the data returned according to whatever custom requirements you may have - these rules can be specific to particular tables and user sessions, providing a great deal of flexibility. The best part? Before query business rules only run once for each table access. So, compared to option 1 above (with the 2.4 million queries), this option only requires a single query - quite a bit more efficient, eh?
Note that each of the methods above apply to every database access - meaning that simple lists will be affected, but so will data returned in your CMS pages, your knowledge base, reference fields, etc. Each of these methods is equally secure and should be functionally identical to the end user. And each one has it's own valid use cases. So, which should you choose? Whenever I'm approached with this question, I generally have 3 golden rules:
- Are you segmenting data at the field level? In other words, do you want group A and group B to both have access to a given record, but only group B should be able to see field XYZ? If so, then Access Control Rules are your only option - the other options segment data at the record level.
- Do you require significantly different processes between group A and group B, as well as segmented data? Are there many such groups that each require their own processes and own data? If so, Domain Separation is your baby. There is some gray area here, as small levels of process differentiation are possible via simple code. But, for significant variations, DS all the way.
- In almost all other cases, go with Before Query Business Rules. They're relatively cheap, both financially and computationally, and they get the job done.
Disclaimer: Promotional Material Below...
Understanding that Golden Rule 3 will apply to most folks, and understanding that configuring before query business rules can be onerous, I've put together an application to simplify the process of building the most efficient business rules with the least amount of effort and time. This solution is available on ServiceNow Share currently, and has been road-tested heavily. Check out the video below, try it out in your dev instance, and see if it works for you!
Simple Record Separation on Share
For the latest supported release, visit Simple Separation on the ServiceNow Store
- Labels:
-
Multiple Versions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎07-24-2014 11:41 PM
Hi Ben, this is an excellent summary! One thing to complain about.... it comes tooo late I would have needed this some weeks ago already. I am sure it comes in handy again.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-24-2016 10:11 AM
Hi Ben, I'm trying to add an additional filter to your ultr-cool separation tool based on whether a user is a member of an assignment group AND has a specific role. I've tried several things, but...I'm not the greatest coder. Any ideas?
sepRecs();
function sepRecs(){
//Basic data separation query
var qc = current.addQuery('assignment_group', gs.getUser().getMyGroups().getUserRoles());
//Selective application queries
qc.addOrCondition('assignment_group', 'NOT IN', '6297e1416f630100244eeef11c3ee4b8');
qc.addOrCondition('assignment_group', '');
qc.addOrCondition(hasRole('ncpi')); //customized to filter on ncpi role
}
I appreciate any help you can provide.
Thanks,
Laurie
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-24-2016 11:21 AM
Hey Laurie,
If you want to *only* allow users who have the 'ncpi' role, you could take a couple of approaches:
- Use an ACL for that portion of the security. Set a role of 'ncpi' on the 'read' access control for the table in question. That way, only users with 'ncpi' will be able to view records at all, and the Simple Separation rule will kick in to only allow those users to see the records for their respective groups.
- Alternatively, you could add a bogus query to the Simple Separation rule in the event that the user didn't have the 'ncpi' role - that would ensure that the user sees no records if they don't have that role. Something like the below should work.
//Only run group queries if user has ncpi role
if (gs.getUser().hasRole('ncpi'))
sepRecs();
//If user does not have ncpi role, add bogus query instead
else
addBogusQuery();
function sepRecs(){
//Basic data separation query
var qc = current.addQuery('assignment_group', gs.getUser().getMyGroups().getUserRoles());
//Selective application queries
qc.addOrCondition('assignment_group', 'NOT IN', '6297e1416f630100244eeef11c3ee4b8');
qc.addOrCondition('assignment_group', '');
}
function addBogusQuery(){
//Add query that should always return NO records
//All records theoretically should have a sysID
var qc = current.addNullQuery('sys_id');
}
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-24-2016 11:59 AM
Hey Ben,
What I'm trying to do is...if a user does NOT have the ncpi role, they should not see any records for the EMS assignment group. If they have the ncpi role, then they should be able to see all records. So...I tried this, but no luck:
//Only run group queries if user does not have ncpi role
if(!gs.getUser().hasRole('ncpi'))
sepRecs();
function sepRecs(){
//Basic data separation query
var qc = current.addQuery('assignment_group', gs.getUser().getMyGroups());
//Selective application queries
qc.addOrCondition('assignment_group', 'NOT IN', '6297e1416f630100244eeef11c3ee4b8');
qc.addOrCondition('assignment_group', '');
}
Thanks!
Laurie
