How to secure incidents/requests based off classification

dcole1775
Kilo Contributor

We are looking to expand our use of SNOW to more teams in our Business. Is there a way to put security around specific classifications so only the team assigned (and admins) can see them? I know there is a way to do that across the board, but we would prefer not to do so. Or at least so that team is the only one who can see attachments for those requests? We are trying to limit the risk of private information being available for all to see. If there are other options that would work, I would be interested in hearing those too. Any help would be appreciated.


Thank you.


Tony Chatfield1
Kilo Patron

Hi, you can disable or customize the OOB ACLs to remove existing access and create your own to replace them, but you will need some sort of defined relationship between the user and the record; i.e. if you want to filter by 'classification' then the classification would need a (direct or indirect) relationship to the user record. This might be as simple as building a relationship between assignment group and classification.
Once you have your relationship defined, you would use table-level ACLs to evaluate the logged-on user's relationship to the current record. Note there is an increased platform overhead using scripts to evaluate ACLs, and where possible I would recommend using table-level ACLs only for this, keeping any table.* or table.field ACLs as generic/role-based as possible: if you cannot see the record then you cannot see the data in the record regardless of any underpinning field or wildcard ACLs.


For sys_attachment you would script a lookup/check of the underpinning task/record via the table name and table sys_id fields, and then evaluate the user's relationship to the related task in the same way you would evaluate it directly from the task.
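The decision logic the reply describes, written out as an added example (this is not code from the post, and not ServiceNow's own API): a classification-to-group mapping supplies the relationship, a table-level check evaluates the user against the task record, and the sys_attachment check resolves the parent through table_name/table_sys_id and reuses that same evaluation. It is modelled as plain functions over constructed in-memory data so it runs stand-alone in Node; in a real ACL condition script the record would be `current`, the role test `gs.hasRole('admin')`, the group test `gs.getUser().isMemberOf(...)`, and the parent lookup a `GlideRecord` on `current.table_name` fetched by `current.table_sys_id`. All group names, table names and sys_ids below are made up.

```javascript
// Added example, not from the original post or from ServiceNow. The
// relationship the reply calls for: which assignment group owns each
// classification. null means the classification adds no restriction.
const CLASSIFICATION_OWNER = {
  hr_confidential: 'HR Case Team',
  legal_hold: 'Legal Team',
  general: null,
};

// Constructed task records, keyed by table then sys_id (hypothetical data).
const TABLES = {
  incident: {
    inc001: { classification: 'hr_confidential', assignment_group: 'HR Case Team' },
    inc002: { classification: 'general', assignment_group: 'Service Desk' },
  },
  sc_request: {
    req001: { classification: 'legal_hold', assignment_group: 'Legal Team' },
  },
};

// Constructed sys_attachment rows: table_name/table_sys_id point at the record
// the file belongs to. att003 points at a record that does not exist.
const ATTACHMENTS = {
  att001: { table_name: 'incident', table_sys_id: 'inc001' },
  att002: { table_name: 'sc_request', table_sys_id: 'req001' },
  att003: { table_name: 'incident', table_sys_id: 'inc999' },
};

// A user as the ACL sees it: role names and group memberships.
function makeUser(roles, groups) {
  return { roles: new Set(roles), groups: new Set(groups) };
}

// Table-level read check for a task: admin always passes; everyone else must be
// a member of the group tied to the record's classification. Anything that
// cannot be resolved (no record, unknown classification) is denied, so the
// check fails closed rather than open.
function canReadTask(user, record) {
  if (user.roles.has('admin')) return true;
  if (!record) return false;
  const cls = record.classification;
  // hasOwnProperty rather than `in`, so a classification value such as
  // "constructor" cannot match an inherited Object property.
  if (!Object.prototype.hasOwnProperty.call(CLASSIFICATION_OWNER, cls)) return false;
  const owner = CLASSIFICATION_OWNER[cls];
  if (owner === null) return true;
  return user.groups.has(owner);
}

// Stand-in for the GlideRecord lookup by table name and sys_id.
function lookupTask(tableName, sysId) {
  const table = TABLES[tableName];
  return table ? table[sysId] : undefined;
}

// sys_attachment read check: resolve the parent record via table_name and
// table_sys_id, then apply exactly the task check. A dangling reference means
// non-admins are denied, matching "cannot see the record, cannot see its data".
function canReadAttachment(user, attachmentId) {
  const att = ATTACHMENTS[attachmentId];
  if (!att) return false;
  const parent = lookupTask(att.table_name, att.table_sys_id);
  return canReadTask(user, parent);
}

// Stand-alone demonstration: print each user's attachment decisions.
function demo() {
  const users = {
    hrAnalyst: makeUser([], ['HR Case Team']),
    deskAgent: makeUser([], ['Service Desk']),
    admin: makeUser(['admin'], []),
  };
  for (const [name, user] of Object.entries(users)) {
    const decisions = Object.keys(ATTACHMENTS)
      .map((id) => `${id}=${canReadAttachment(user, id)}`)
      .join(' ');
    console.log(name, decisions);
  }
}

demo();
```

Two choices in the example are worth keeping when porting it to a real ACL script: every unresolved case (missing parent, unknown classification, unknown attachment) returns false, and the attachment check contains no policy of its own, it only finds the parent and delegates. That keeps the scripted logic on the table-level read ACL, where the reply recommends it, and means a later change to the classification rule does not have to be repeated in the attachment ACL.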