On the Question of Data Separation...

ben_hollifield · ‎07-24-2014

The need to securely segment data between groups, departments, or even locations is constant, even within IT organizations. What organization doesn't have a particular group that is subject to extenuating compliance requirements that necessitate that their data remain hidden from the rest of the organization? As we delve deeper into the world of Enterprise Service Management, this need only grows. I have yet to find an HR organization that doesn't wish to keep their data separate from IT. Additional requirements for the financial department, medical organizations, etc only add to the complexity!

Historically, there have been 3 methods by which to attack this:

Access Control Rules - These make sense at first glance, but can be a real drag on performance. For simple needs, field level security, and role-based security, you're all good! For complex scripted conditions, you'd best keep these at arm's length. Remember, that script with 2 GlideRecord queries that you built into that ACL is going to run for every single record on that 1.2 million record Incident table at Acme Corp, and every single time you view the table - that's potentially 2.4 million queries needed for a simple table list! Not to mention that your users will see that annoying "XX rows removed by security" message every time they view that list.
Domain Separation - Pure power! Domain separation is a wonderful thing - separated and secured data between every domain; not to mention the ability to have separate processes for each domain - business rules, client scripts, and now even workflows that are unique to each domain in your instance! Sounds great, but make sure you know what you're getting into. The maintenance and testing requirements on a domain separated instance are far larger than a typical instance, and there is a financial uptick that comes with a license to use domain separation. If you need separated processes between domains, go for it! If you only need separated data, then this may be a hammer too big for the nail.
Before Query Business Rules - These are en vogue these days, and for good reason! But, they can sound a bit intimidating. What exactly do they do? Well, before query business rules allow you to inject custom queries onto the front of every database access, so that you may limit the data returned according to whatever custom requirements you may have - these rules can be specific to particular tables and user sessions, providing a great deal of flexibility. The best part? Before query business rules only run once for each table access. So, compared to option 1 above (with the 2.4 million queries), this option only requires a single query - quite a bit more efficient, eh?

Note that each of the methods above apply to every database access - meaning that simple lists will be affected, but so will data returned in your CMS pages, your knowledge base, reference fields, etc. Each of these methods is equally secure and should be functionally identical to the end user. And each one has it's own valid use cases. So, which should you choose? Whenever I'm approached with this question, I generally have 3 golden rules:

Are you segmenting data at the field level? In other words, do you want group A and group B to both have access to a given record, but only group B should be able to see field XYZ? If so, then Access Control Rules are your only option - the other options segment data at the record level.
Do you require significantly different processes between group A and group B, as well as segmented data? Are there many such groups that each require their own processes and own data? If so, Domain Separation is your baby. There is some gray area here, as small levels of process differentiation are possible via simple code. But, for significant variations, DS all the way.
In almost all other cases, go with Before Query Business Rules. They're relatively cheap, both financially and computationally, and they get the job done.

Disclaimer: Promotional Material Below...

Understanding that Golden Rule 3 will apply to most folks, and understanding that configuring before query business rules can be onerous, I've put together an application to simplify the process of building the most efficient business rules with the least amount of effort and time. This solution is available on ServiceNow Share currently, and has been road-tested heavily. Check out the video below, try it out in your dev instance, and see if it works for you!

Simple Record Separation on Share

For the latest supported release, visit Simple Separation on the ServiceNow Store

Laurie Marlowe1 · ‎11-02-2016

Looks like only the Short Description shows up on the VTB, but none of the other fields.

Thanks,

Laurie

Steven Parker · ‎06-19-2017

Hi Ben,

We are struggling with Record Separation and I've come across your tool. My question is, how do you feel it will work going forward in future releases?

My concern is relying on a tool, that stops working in the future, and then we are left back at square one again.

We essentially need, for example, our Security Department Team, to only see TASK assigned to them. Even if they click ALL in the list filter, they still only see Task assigned to their Assignment Group. We also don't want other ITIL users seeing the Security Department Team task. So we want to segment Security Department Team task to only be seen by their team and not allow them to see other Task outside of their department.

Will your tool accomplish that type of thing?

Please mark this response as correct and/or helpful if it assisted you with your question.
Steven

ben_hollifield · ‎06-19-2017

Hey Steven,

There are no guarantees, but I think you'd be in good shape. Simple Separation does exactly the kind of record separation that you speak of, and it has been quietly chugging along for several releases with no issues. It utilizes basic platform functionality (beforeQuery Business Rules) to accomplish the separation, so there are no hacks or funny business to rely on, just foundational functionality built into ServiceNow.

There's always the chance that things will change down the road, but right now I'd feel very confident recommending Simple Separation as a solution for you.

Brett14 · ‎06-21-2017

Hi Ben,

I do have a question about the tool you created. My requirement is for example using database group.

Separate by assignment group and selectively applies to 'Database' group. This works wonderfully...

However my second layer of restriction is that the 'Database' group should only see there tickets and no other incident records. For example, if a member of the DB group is logged in and when navigating to Incidents-->open they should only see DB records in the list.

I am guessing this will have to be done by checking customize query, but how? Would I then have to create a role?

Any suggestions

ben_hollifield · ‎06-21-2017

Hey Brett - you would need to customize the query. If I understand your need correctly, it should be straightforward. Basically, you'll take the query as it stands from the initial setup, but then omit the 2nd 2 terms (the terms that open up all incidents non-assigned or assigned to non-separated groups) *only* for members of the database group. That could look something like this:

sepRecs();


function sepRecs(){

   //Basic data separation query

   var qc = current.addQuery('assignment_group', gs.getUser().getMyGroups());


   //Selective application queries for users except those in the Database group

   if (gs.getUser().getMyGroups().indexOf('287ee6fea9fe198100ada7950d0b1b73') == -1){

       qc.addOrCondition('assignment_group', 'NOT IN', '287ee6fea9fe198100ada7950d0b1b73');

       qc.addOrCondition('assignment_group', '');

   }

}

Note the 'if' statement where we assess if one of the user's groups is 'Database' and, if so, we ignore the additional query terms so that they are limited completely to incidents in groups that they are members of.

I hope that gets you going in the right direction!