determine if other user can read record - domainification

pawel_staszewsk
Giga Guru

Hi.

I have a domain-separated environment for an MSP.

MSP analysts may access dedicated customers, not all.

Groups however are global, so e.g. "Desktop" group may have Analyst-A that works for UK customers and Analyst-B that works only with US customers.

(In reality it is much more complicated.)

I would like to allow team leads to manage ticket queues and assign a ticket to an analyst.

The problem is that the Team Lead must not be aware whether Analyst-X has access to this customer record or not.

Managing security groups with access to a single domain would be an option; I could just check if the userid is a member of the group, but for a large number of customers maintaining all those groups could be a significant effort, so I am looking for a way to check this with a system script.

In short:

        canRead() - determines if the logged-in user can read the current record

I am looking for:

        canRead(userid) - determines if userid can read the current record

        canRead(userid, table, sys_id) - determines if userid can read the sys_id record in a table

Does anyone know an API or a technique that may support this request?

Thanks,

Pawel.


Tony Chatfield1
Kilo Patron

Hi,

It would be an unusual environment where a team leader does not have visibility of his/her reports and the domains/clients/data that they have access to/are supporting.

Given your scenario the team leader can never be 100% aware of the work their team users are undertaking and so cannot validate actions, provide support or peer review.

It would also be a little difficult for team leads to assign tasks to a resource without knowing if the resource has access to the client; even if a ref qual was used on the assignee field to control selection availability, the team lead immediately knows which domains the user can see simply because the user is available for assignee selection.

I can't see how this makes logical business sense, either as an operational scenario or as a value-added solution.

Perhaps I have misunderstood, could you share the business case? It seems intriguing.


Tony

pawel_staszewsk
Giga Guru

Hi Tony.

Apparently ref qual does not consider visibility groups in Istanbul.

In our environment a group is global, e.g. "Network", and all network engineers are in this group.

All engineers have visibility groups to access customer data.

Having a ticket for customer A with the group "Network" assigned, a Team Lead who has access to this customer may pick any member of the group; the ref qual does list members but does not consider the visibility groups of these members to determine if a member will have access to this ticket.

I have already fixed this by checking the domain path and visibility group with an onChange Client Script, and I could write a custom ref qual for this too, but ideally I would have a function canRead() that considers ACLs and domain visibility. Fixing this only for 'assigned_to' is not really a solution, because for example I may need to check the data access of a potential user to avoid sending an email with data the user has no access to, or to avoid adding the user to a watch list, not to mention scripted and table REST APIs.

There is a long list of functionality in ServiceNow, and an even longer one when you create your own applications, that needs to be secured, and having a canRead() that includes domain checking, not only ACLs, would be good.

As I wrote, I have fixed this by implementing a custom canRead() and it works as well as we could test it, but I am pretty sure it is far from what the system does; it is just what we need.


Thanks,

Pawel.
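The custom canRead(userid, table, sys_id) described in the reply above, as an added plain-JavaScript model (not ServiceNow code and not the poster's script): the domain-path prefix test and visibility-domain grants are modelled on constructed in-memory tables, GlideRecord lookups are replaced by object lookups, and ACL evaluation is deliberately left out.

```javascript
// Added example: a plain-JavaScript model of a domain-aware canRead(userId, table, sysId).
// NOT ServiceNow code: constructed in-memory tables stand in for GlideRecord queries,
// and ACL evaluation is out of scope (only domain path + visibility domains are modelled).

// Constructed domain tree. As in ServiceNow's sys_domain_path convention, a child's path
// extends its parent's path, so "record is in my domain or a sub-domain" is a prefix test.
const DOMAINS = {
  global: "/",
  msp:    "/!!/",
  uk:     "/!!/!!!/",
  us:     "/!!/!!$/",
};

// Constructed users: home domain plus extra visibility domains (the equivalent of
// sys_user_visibility rows granting access to additional customers).
const USERS = {
  lead_uk:   { domain: "uk",  visibility: [] },
  analyst_a: { domain: "uk",  visibility: [] },
  analyst_b: { domain: "us",  visibility: [] },
  analyst_c: { domain: "us",  visibility: ["uk"] },  // US analyst also granted UK visibility
  msp_admin: { domain: "msp", visibility: [] },      // parent domain sees all children
};

// Constructed records keyed by table and sys_id (placeholder ids, not real sys_ids).
const RECORDS = {
  incident: {
    INC_UK_1: { domain: "uk", short_description: "UK customer outage" },
    INC_US_1: { domain: "us", short_description: "US customer outage" },
  },
};

// A domain grants access to a record when the record's domain path starts with
// that domain's path (the domain is an ancestor of, or equal to, the record's domain).
function domainAllows(userDomain, recordDomain) {
  return DOMAINS[recordDomain].startsWith(DOMAINS[userDomain]);
}

// canRead(userId, table, sysId): the signature the thread asks for. Deny on unknown
// user or record, allow if the home domain or any visibility domain reaches the record.
function canRead(userId, table, sysId) {
  const user = USERS[userId];
  const rec = RECORDS[table] && RECORDS[table][sysId];
  if (!user || !rec) return false;
  const reachable = [user.domain].concat(user.visibility);
  return reachable.some((d) => domainAllows(d, rec.domain));
}

// Team-lead helper: filter group members down to those who can read the ticket,
// which is all the lead needs to know when choosing an assignee.
function eligibleAssignees(groupMembers, table, sysId) {
  return groupMembers.filter((u) => canRead(u, table, sysId));
}
```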

Cyprien Verdele
Tera Contributor

Hi,

I have the same sort of requirement; instead of assignment, it's for an "Account Watchlist".

We have a global Company Watchlist, notified for all incidents created.

However, I have to rewrite all controls to ensure the users I want to notify for this company have access to this record by ACL and domain, which is not so efficient. I was looking for the same:

  •  canRead(userid) - determines if userid can read current record
  •  canRead(userid, table, sys_id) - determines if userid can read sys_id record in a table

But no luck so far; I tried some tests with GlideSecurityManager.setUser() but it only checks my session access rights even after.

Did you get any solution for this issue?