On the Question of Data Separation...

ben_hollifield · ‎07-24-2014

The need to securely segment data between groups, departments, or even locations is constant, even within IT organizations. What organization doesn't have a particular group that is subject to extenuating compliance requirements that necessitate that their data remain hidden from the rest of the organization? As we delve deeper into the world of Enterprise Service Management, this need only grows. I have yet to find an HR organization that doesn't wish to keep their data separate from IT. Additional requirements for the financial department, medical organizations, etc only add to the complexity!

Historically, there have been 3 methods by which to attack this:

Access Control Rules - These make sense at first glance, but can be a real drag on performance. For simple needs, field level security, and role-based security, you're all good! For complex scripted conditions, you'd best keep these at arm's length. Remember, that script with 2 GlideRecord queries that you built into that ACL is going to run for every single record on that 1.2 million record Incident table at Acme Corp, and every single time you view the table - that's potentially 2.4 million queries needed for a simple table list! Not to mention that your users will see that annoying "XX rows removed by security" message every time they view that list.
Domain Separation - Pure power! Domain separation is a wonderful thing - separated and secured data between every domain; not to mention the ability to have separate processes for each domain - business rules, client scripts, and now even workflows that are unique to each domain in your instance! Sounds great, but make sure you know what you're getting into. The maintenance and testing requirements on a domain separated instance are far larger than a typical instance, and there is a financial uptick that comes with a license to use domain separation. If you need separated processes between domains, go for it! If you only need separated data, then this may be a hammer too big for the nail.
Before Query Business Rules - These are en vogue these days, and for good reason! But, they can sound a bit intimidating. What exactly do they do? Well, before query business rules allow you to inject custom queries onto the front of every database access, so that you may limit the data returned according to whatever custom requirements you may have - these rules can be specific to particular tables and user sessions, providing a great deal of flexibility. The best part? Before query business rules only run once for each table access. So, compared to option 1 above (with the 2.4 million queries), this option only requires a single query - quite a bit more efficient, eh?

Note that each of the methods above apply to every database access - meaning that simple lists will be affected, but so will data returned in your CMS pages, your knowledge base, reference fields, etc. Each of these methods is equally secure and should be functionally identical to the end user. And each one has it's own valid use cases. So, which should you choose? Whenever I'm approached with this question, I generally have 3 golden rules:

Are you segmenting data at the field level? In other words, do you want group A and group B to both have access to a given record, but only group B should be able to see field XYZ? If so, then Access Control Rules are your only option - the other options segment data at the record level.
Do you require significantly different processes between group A and group B, as well as segmented data? Are there many such groups that each require their own processes and own data? If so, Domain Separation is your baby. There is some gray area here, as small levels of process differentiation are possible via simple code. But, for significant variations, DS all the way.
In almost all other cases, go with Before Query Business Rules. They're relatively cheap, both financially and computationally, and they get the job done.

Disclaimer: Promotional Material Below...

Understanding that Golden Rule 3 will apply to most folks, and understanding that configuring before query business rules can be onerous, I've put together an application to simplify the process of building the most efficient business rules with the least amount of effort and time. This solution is available on ServiceNow Share currently, and has been road-tested heavily. Check out the video below, try it out in your dev instance, and see if it works for you!

Simple Record Separation on Share

For the latest supported release, visit Simple Separation on the ServiceNow Store

Brett14 · ‎06-22-2017

Hi Ben,

That worked seamlessly for Incidents. Crazy how simple this is and all I had to do was add one small addition to the custom query. On to Service Requests POV

Brett14 · ‎06-27-2017

Hi Ben,

I need to create a custom glide_list field for the RITM field to be a separator. However, with your tool a glide_list referencing the group table isn't supported. I assumed that if the fields referenced one of the supported tables I would be good as golden, no?

ben_hollifield · ‎06-27-2017

Hey Brett,

Right - we allowed a limited number of field types and reference tables on the Simple Separation form, simply because it's difficult to account for all possibilities. In the case where you need a specific field type or reference table, it's pretty simple to just configure the Simple Separation rule against an easy field (like Group). Then, customize the query and change the query term in the script to point to the field you need. For something like a glide_list, you'd need to adjust the type of query just a tad. For instance, if you're going directly against a group reference field with a single group as the variable, it would look like:

qc.addQuery('assignment_group', [groupVar]);

If 'assignment_group' became a glide_list, then that query term would change to:

qc.addQuery('assignment_group','CONTAINS',[groupVar]);

The complexity could continue to grow if both 'assignment_group' and [groupVar] are lists of group IDs. You may need to put together a for-loop to iterate through and add query conditions. It all just depends on the fields in question.

Brett14 · ‎07-27-2017

Hi Ben,

I have made great lead way with setting up the record separation with the glide_list field. Above I took your advice and created a loop to determine what groups the users is in when looking at the sc_req_item table. Obviously I am missing something...what i have below is query the group member table and check if the user is in any of the groups in the u_assignment_group_list field on ritm. Users that are not a part of the IT Securities group can still see the Security Requests.

sepRecs();

function sepRecs(){

var groups = new GlideRecord('sys_user_grmember');

groups.addQuery('user', user.sys_id);

groups.query();

var groupString = "";

while(groups.next()){

groupString += groups.group + ",";

}

//Basic data separation query

var qc = current.addQuery('u_assignment_group_list', "IN", groupString);

//Selective application queries

qc.addOrCondition('u_assignment_group_list', 'CONTAINS', '5f6441efc0a8010e0177fcb589156352');//IT Securities Group and i am thinking I can remove this line?

qc.addOrCondition('u_assignment_group_list', '');

}

ben_hollifield · ‎08-11-2017

Hi Brett - My apologies for the latency. My wife and I recently had a newborn enter our home, so lots of things have been put to the side temporarily.

I spoke with your customer, and it sounds like you've made significant progress since this message. Also, I may be able to help you and the customer directly moving forward, if that makes sense. If you're still having issues with this particular use-case, let me know!