ACLs on m2m tables and control attestations

rajeeshraj
Tera Guru

We have "read" ACLs on the GRC tables like the risk and control tables, based on a field and a role. Only users with a specific role and the flag set to true will have read access to risks, controls, control objectives, risk statements, entity types, entities, etc.

But what we have noticed is users without this role can go to reports like pie charts and drill down and see

1) m2m records, like control objectives to controls, risk statements to risks, etc.

2) control attestations and the responses

How can these records be locked down? Can this be achieved by the new functionality "User group-based access on the GRC tables" introduced in San Diego?

Thanks


sachin_namjoshi
Kilo Patron

You can configure report_on ACLs to control access to running reports based on conditions.


https://docs.servicenow.com/en-US/bundle/sandiego-now-intelligence/page/use/reporting/task/t_RestrictRepCreationWAnACLRule.html


Regards,

Sachin

rajeeshraj
Tera Guru

The "report_on" ACL prevents the tables from being reported on. We have a lot of out-of-box reports, and the "report_view" ACL is granted to anyone with the "sn_grc.reader" role.

The second issue we have noticed is that users can get to a control or risk that is blocked by ACL; they are not able to see the actual record, but the related records (m2m tables) are visible.
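The pattern the question and the follow-up point at, as an added example that is not part of this thread: a plain-JavaScript model of table read-ACL evaluation showing that records in an m2m table stay readable when only the parent tables carry a read ACL, and that a read ACL on the m2m table whose condition re-checks read access on both referenced parents closes the gap (including the dangling-reference case, which it denies). The table names (parent_a, parent_b, m2m_a_b), field names, the grc_reader role and the in-memory store are constructed for the example and are not real GRC table or role names; the evaluator is a simplification written to run outside the platform, not the platform's ACL engine.

```javascript
// Added example (not from the thread): a plain-JavaScript model of table-level
// read ACL evaluation. It shows why m2m records remain visible when only the
// parent tables carry a read ACL, and how a read ACL on the m2m table that
// delegates to both parents closes the gap. Table names, field names, the role
// and the in-memory store are all constructed here (assumptions, not real GRC
// table or role names).

// Constructed records. The parent tables hold a per-record flag; the m2m table
// joins one record of each parent by sys_id.
const DB = {
  parent_a: { a1: { restricted: true, name: 'Objective 1' } },
  parent_b: {
    b1: { restricted: true, name: 'Control 1' },
    b2: { restricted: false, name: 'Control 2' },
  },
  m2m_a_b: {
    m1: { a: 'a1', b: 'b1' }, // both parents restricted
    m2: { a: 'a1', b: 'b2' }, // one parent restricted
    m3: { a: 'a1', b: 'zz' }, // dangling reference: parent_b 'zz' does not exist
  },
};

// A rule grants the operation on a table when the user has the role (if one is
// set) AND the condition returns true. Any passing rule on the table grants.
function parentRule(table) {
  return {
    table, op: 'read', role: 'grc_reader',
    cond: (rec, user) => !rec.restricted || user.flag === true,
  };
}

function makeAcls(withM2mAcl) {
  const acls = [parentRule('parent_a'), parentRule('parent_b')];
  if (withM2mAcl) {
    // The fix: the m2m table gets its own read rule whose condition re-checks
    // read access on BOTH referenced parents. No role of its own is needed;
    // the parents' rules already enforce the role and the flag.
    acls.push({
      table: 'm2m_a_b', op: 'read', role: null,
      cond: (rec, user, canRead) =>
        canRead('parent_a', rec.a, user) && canRead('parent_b', rec.b, user),
    });
  }
  return acls;
}

// Build canRead(table, sysId, user) over a rule set. A table with no read rule
// is modelled as readable by any user, matching what the thread observed on
// the m2m tables. A reference to a missing record is always denied.
function evaluator(acls) {
  function canRead(table, sysId, user) {
    const rec = DB[table] && DB[table][sysId];
    if (!rec) return false;
    const rules = acls.filter(r => r.table === table && r.op === 'read');
    if (rules.length === 0) return true;
    return rules.some(r =>
      (r.role === null || user.roles.includes(r.role)) && r.cond(rec, user, canRead));
  }
  return canRead;
}

// Compare what one user can read with and without the m2m read rule.
function outcome(withM2mAcl, user) {
  const canRead = evaluator(makeAcls(withM2mAcl));
  return {
    parentA: canRead('parent_a', 'a1', user),
    m1: canRead('m2m_a_b', 'm1', user),
    m2: canRead('m2m_a_b', 'm2', user),
    m3: canRead('m2m_a_b', 'm3', user),
  };
}

// Constructed users: one with the role and the flag, one with neither.
const reader = { roles: ['grc_reader'], flag: true };
const outsider = { roles: [], flag: false };

console.log('no m2m ACL, outsider:', outcome(false, outsider)); // m2m rows leak
console.log('m2m ACL, outsider:   ', outcome(true, outsider));  // all denied
console.log('m2m ACL, reader:     ', outcome(true, reader));    // m3 denied (dangling)
```

On the platform the same delegation is a read ACL on the m2m table whose script looks up each referenced parent with GlideRecord and sets answer from canRead() on it, so the parents' own ACLs decide; the attestation tables can be handled the same way by following their reference back to the control. A report_on ACL changes who may build reports on a table, not which rows a drill-down returns; row visibility is decided by the table's read ACL, which is why the m2m and attestation tables need one of their own.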