Best practice - Setting up HRSD security for Restricted Populations

Chuck Collins
Tera Contributor

Most companies have restricted populations, groups of users for whose cases should only be viewable by a limited number of HR Fulfillers.  For example, maybe the owner of the company, CEO, CFO, would be in a "Executive" restricted population, and all HR associates would be in a "HR" restricted population.

I'm looking for best practice to secure cases for these restricted populations so that only those fulfillers that should see these cases, can see them. 

Use Case:  An senior executive in the company submits a LOA case requesting leave for a sensitive operation. Because the subject person is in the "Executive" restricted population, we would only want a select number of LOA associates to have access to that case; rather a select few that are trained and knowledge about these types of cases.

Is there any best practice information available from ServiceNow that we could leverage in making decisions about how to configure Restricted Populations?

1 ACCEPTED SOLUTION

Hi Chuck,

This is common to create custom roles to achieve these types of use cases. OOB we delivered a Secure Info Reader and Secure Info Writer for these types of use cases. Since you have different conditions that apply to different scenarios, it would be wise to create the custom read and write roles to meet your use cases. Reducing the number of scripted ACLs would be the goal.

Regards,

Mike

View solution in original post

5 REPLIES 5

michaelj_sherid
ServiceNow Employee
ServiceNow Employee

Hi Chuck,


The common practice is to use roles (by way of groups) to restrict access when it involves different groups. I will exclude any ER -specific use cases, but the typical use case will use the Groups to manage that access. For the use cases where the conditions would be dynamic is where you would need to use Scripted Access Control lists. It is best practice to minimize customizations, i.e. the Scripted ACLs, but often the requirement will require this based on the dynamic nature. 

Regards,

Mike

Hi @michaelj.sheridan ,

Can we use the HR Criteria for the HRServices associated for creating the HR Cases , by adding only certain fulfiller groups ?

Is it required to create the table level ACL's for restircting the Read and Write access for the HR agents having Hr Basic role ?

Hi ramamr,

This will not meet this use case since the HR Criteria on HR Services is specific to the Opened by, not the fulfiller group.

Regarding the HR Agents visibility, yes, you would need an ACL to restrict based on the Assigned (fulfiller) group.

Regards,

Mike

Hi again Mike,

My challenge is that within all of our HR business teams there are set of 4 separate restricted populations (RP's) that we'd need to group for.  In addition, if I create different group for each restricted population and at least 1 for non-RP's, that means 5 groups per business team. Multiply that with the number of HR business teams that I need to restrict case creation, read and updates and the magnitude of the problem becomes pretty clear. 🙂

If I go forward with this approach, just using groups and roles in an effort to having to manage all this with ACL's, would I be able to create custom roles for each group so that they can only create, read and update the cases for the RP's that each fulfiller should have access to, based on the group they are in?  Or should I just give up and run with ACL's?

Thanks again,

Chuck