Roles, Groups, Permissions and Changing Views

Vlad_Rozic · ‎08-07-2013

Hey all.

We are looking to implement a more refined approach to handling our various users and their access rights / views.

Our company has several locations worldwide. What we'd like to accomplish is to have each location have their own tasks, incidents, requests all filtered for that location. So if I have a user in Berlin, he or she will have a specific view within service now that is specific to that location, and that user will only see information that is particular to that location. We wish to segregate it so that users who are working in service now are only dealing with tasks that are related to their office, rather than seeing tickets and tasks from all other offices.

At the same time we wish to make it so that users have certain limitations to make changes.. so provide read only rights over certain things (such as already created tickets), as well as what sections of Service Now they are provided and not provided.

Now, I have read about the different areas that would need to be used (modules, roles, groups, users) and it seems to me that the best way to achieve this type of structure is by basing it off of the user's location. We have made steps in our instance so that every something is created (task, item request etc) the user who is requesting has their location autopopulated in the form.

But that being said, how can we make each location only see data that is related to them? Do we need to setup new roles? Would they need to be split up, so say for IT, we'd have an IT role for each location, and likewise for any other department.. HR, Facilities, TechOps, etc. Also, would new modules need to be created to tell tickets to only display for users based on their location?

What I'm looking for is a bit of discussion as to how we could achieve this type of a setup and what kind of approach would be best. Again, I think I understand how it should work, but as there are so many ways to get there with Service Now, what would be the most effective, least time consuming, and most scalable - for this, I highly regard the word of the experts..

I appreciate any suggestions that you all may have and look forward to hearing them!!

PeterWiles · ‎08-08-2013

As you said, SN provides numerous ways to achieve the same goal.

I would create a Business Rule to run on a before query adding in something like:




if(!gs.hasRole("admin"))
     current.addQuery('location', gs.getUser().getLocation() );

Add this to the able you want to filter by location. If you are not an admin, it will filter the tables "location" field to the users location.

Do you have people working across multiple locations? you could set up a group/role, add the required users and do the above query on the group/role instead.

Hope that helps. I am sure others may have a different way of doing things.

Vlad_Rozic · ‎08-20-2013

Hi Peter

so after having a couple meetings with a service now senior admin, we've been advised that to accomplish what we're aiming for, it would be best to set it up with grouping and business rules based on a user location, as you had suggested.

The only problem now that I'm having is where to start! For users within SN, their location is present in their user record, so this should all work once implemented, but I'm not sure how to go about even starting to get this going.

Do I create new groups and then add users based on user location to said groups? Or do I create business rules? I have not yet created a single business rule in Service now so I'm diving into this as green as could be. Even the code you placed above Peter, I don't even know where to place it lol

My brain is telling me that I need to create new groups and then add users to those groups based on their role and location.. so for example, here in Vancouver, I'd place myself into a Vancouver_IT Group. Then for HR, I'd place the HR users within a Vancouver_HR group. Then from there, I'd assign the necessary roles needed, or create new ones. Then after segmenting all this based on the user and their location and role, we could add these business rules so that they would only see items based on the location?

Also, to answer your question above Peter, yes, we have multiple locations (studios) and what we are looking to do is isolate tickets and tasks that belong to each location so that users there, whether they be working in HR, IT, Facilities departments, will only see the necessary tickets, requests, tasks that they need to.

Appreciate any words of advice as to how I should approach this task?.. even a small list of order of importance or steps would be hugely helpful to me!!!!

Thanks 🙂

PeterWiles · ‎08-08-2013

Another way would be domain separation but this would depend on your org structure and what you want to do going forward.
http://wiki.servicenow.com/index.php?title=Domain_Separation

Vlad_Rozic · ‎08-09-2013

Thanks for your input Peter!

The domain breakdown seems like it may work for a true segregation of offices, but seems flexible in that you can provide users the ability to see tickets belonging to the primary domain, or can limit this as well.

I am going to look further into this.. thanks for the link also 🙂