Overview
Have you ever wondered how you could get a summary of the access a given user, group or role has on your instance resources? You may be thinking of the "Debug Security" option, but that is far too granular and it doesn't allow you to test certain elements. Because of this, ServiceNow has released an application called "Access Analyzer", which we will have a look at here.
Installing the plugin
This plugin is called "Access Analyzer" and its app id is "sn_access_analyzer". It is available in the Vancouver release and it is free.
Once installed, you can type "Access analyzer" in the left-hand side menu and you will get two options:
"Analyze Permissions" allows you to check new criteria, whereas "Access Analyzer Queries" allows you to re-run previously queried criteria. Let's see what happens if we click on the first option.
Specifying criteria
Once we click on it we will be presented with this form:
Let's break it down field by field.
The field "Analyze by" offers the following options: "User", "Group" or "Role", so that we can specify whether we want to test the access of a given "User", "Group" or "Role".
If "User" is selected then the field next to it will read "Select user"; it will read "Select group" or "Select role" if one of the other two options is selected.
Then the "Rule type" field offers the following options:
- "Table (Record)" if what we want is to analyse access to a given table
- "Client callable script include", to check whether an AJAX script can be accessed
- "UI Page"
- "REST endpoints". This is quite useful to test integration accounts
If "Table" is selected, we then need to select the table. We can also select a specific record we want to test it with and even a specific field in case we want to check access to a given field instead of the table or record.
If "Client Callable script include" is selected then we are only offered another field called "Select script include".
If "UI page" is selected then we are only offered another field called "UI Page" where we must select the page we want to analyse.
If "REST endpoint" is selected we will be asked to populate two new fields. One is the "REST endpoint" we want to test, and the other is the "REST endpoint method", which defines whether it is a "GET", "POST", "PUT", "PATCH" or "Delete".
Finally, there's a "Description" field which we should populate with a sensible description of what we are testing, since we may want to test it again in the future. If so, we will be able to recognise the check and run it again without having to enter all the parameters again.
Once we click on "Analyze permissions" we will be presented with the results. In the screenshot below we can see "Procurement" can read and write on Requested Items, but cannot perform any other action such as creating them or deleting them.
Previously searched criteria
To re-run previously searched criteria, we can either go to the criteria builder and look just under it, or we can use the second left-hand side menu option, called "Access Analyzer Queries", which will present them to you directly. Clicking on a query's hyperlink will re-run it.
If this blog article was useful to you, please click on “Helpful” and share it!