Enabling the High Security Plugin ... what to watch out for
10-18-2012 07:23 AM
My company is considering implementing the High Security Plugin. We've used ServiceNow for quite some time (one of the first 100 I believe) and have, as you would expect, created various groups, roles and ACLs to accommodate a wide variety of processes.
We're experiencing tremendous growth and as such many more departments beyond just IT and HR are starting to (or wanting to) rely on ServiceNow. So, security is becoming more of an issue.
My question to this community is to ask what are some of the things we should look out for? I'm sure several pre-High Security Plugin companies have since implemented the plugin and I would be very interested in listening to any comments regarding their experiences after enabling the plugin.
Any specific pain points? What you might have done differently before/after enabling the plugin?
Any feedback would be greatly appreciated.
Thanks,
Michael
02-24-2017 05:45 AM
Yes, and this was one reason we did finally activate the High Security plugin. We had been told development for future releases would assume all are on High Security. We tested for 3 months and when we went live we had just a couple of issues, but nothing major.
02-24-2017 07:37 AM
During your 3 months of testing were there any major show stoppers that took time to resolve or any lessons learned that you can share?
I don't have 3 months to test.
02-24-2017 08:05 AM
Basically we had to run through every scenario in our system. There were over a hundred new ACLs added with High Security. There were some ACLs where certain roles were applied and we removed the role. Some we completely disabled. Some you have to think from the table level, not just the form level. Here is our list of changes we had to make:
DP - 11-17-16
Change all ACLs for table tm to false excluding the delete. Delete needs to stay true.
acl
DP - 10-01-16
NEED TO DEACTIVATE THE ACL THAT ALLOWS THEM TO DELETE.
sc_req_item DELETE (2)
DP - 10-21-16
Issue - Itil could not create Outage
FIX - cmdb_ci_outage* acl was not working, I removed the * from the WRITE acl and updated.
DP - 10-21-16
Issue: Audit role created and added to some application and modules, and user could not see all Project or Task
FIX: on pm_project and pm_project_task READ I added the "audit" role
DP - 10-01-16
Issue: instead of having a READ at each level, Scott created a Task READ which covers all.
Fix: Deactivated all READ sc_task ACLs, and Deactivated the sc_req_item READ (approvers) acl
DP - 10-01-16
Issue: Additional Comments on the tasks ESS could not add notes and update
FIX: sc_task WRITE remove itil, and sc_req_item WRITE remove itil (itil role required to write to sc_req_item records)
DP - 09-16-16
Issue - Ess user could not see the Facilities Request or tasks
Fix: ACL facilities_request_task READ had only the facilitiy_read role. I have removed this role. Now they can see their request and tasks for Facilities
SS - 10/25/2016
Issue: Users could edit the Approval field on a Request & RITM.
Fix: Created "sc_req_item.approval" & "sc_request.approval" write ACLs with admin as the only role.
SS - 10/28/2016
Issue: itil users could not see Outages in the related list tab at the bottom of Incidents
Fix: Created read ACL on "task_outage" table with itil as the only role
SS - 10/26/2016
Issue: Project Managers could not run report "Project Hours without TRM Product"
Fix: Created "u_pm_project_time" read ACL with project_manager as the only role
SS - 10-13-2016
Issue - ESS user could not see Additional Comments field on Incidents they submitted
Fix - Deactivated all Incident "read" ACLs & removed all roles from Incident "write" ACL
SS - 10-14-2016
Issue - ITIL user could change the "Active" value in a list view for Project Tasks
Fix - Created "List_Edit" ACL on pm_project_task table with role "admin"
SS - 10/19/2016
Issue - Non-ITIL users in the approval chain could not see any users in the approvals related list tab in the RITM (Security constrained)
Fix - Disabled "sysapproval_approver" read ACL and created a new "sysapproval_approver" read ACL with no roles
SS - 10/19/2016
Issue - ESS users could not edit their Incident forms after submitting them
Fix: Removed all roles from the Incident "write" ACL. (Also, see line 40, 41 for similar issue and fix (Kim))
SS - 10-13-2016
Issue: ITIL users could not create reports under certain conditions
Fix: Created "Read" ACL on the Task table, no roles
KG
KG Sept 2016
Issue - UI Action Request Approval not working
Fix: Inactivated change_request.approval ACL
Fix: Inactivated change_request.state ACL
Fix: Inactivated change_request.u_change_state ACL
Fix: Inactivated task.approval ACL
Fix: Inactivated task.state ACL
Fix: Created Business Rule - BCI - Change Admins can update
Fix: Created Client Script - BCI - Change Admins can update
KG
Issue - Workflow activity not displaying on approval form
Fix: added itil to the wf_activity record read ACL
KG
Issue - ess user (non-itil) could not see created by, due date, short description, workflow activity on approvals list view
Fix: Removed ITIL role for change_request record read
Fix: Removed role requirements for wf_activity record read
KG
Issue - ITIL could change fields in list view for Change tasks
Fix: Added ACL on change_task for only list_edit for Change Admin role
KG
Issue - ITIL cannot add closed incidents to a project
Fix: Edited ACL on incident for write and removed condition of state not closed and added itil and project_user roles -- This has been changed to no roles
KG
Issue - project user cannot see incidents associated to a project
Fix: Edited Business Rule incident query off incident table and added not role "project_user". ** Already in PROD
KG
Issue - controlling access for Business Users to SDLC objects
Fix - NOTE: added scrum_user, scrum_team_member to DM Business Users group. Updated all SDLC Menu items to include itil where appropriate.
SDLC Application - scrum admin, itil, scrum_user
Getting Started - itil, scrum_user, scrum_admin
Planning - admin, scrum_admin, itil
Planning board - admin, scrum_admin, itil
Products - admin, scrum_admin, itil
My Products - admin, scrum_admin, itil
Themes - admin, scrum_admin, itil
Open Releases - admin, scrum_admin, itil, scrum_user
Open Sprints - admin, scrum_admin, scrum_user, itil
Open Epics - admin, scrum_user, scrum_admin, itil
Stories - admin, scrum_admin, scrum_user, itil
Create New - admin, scrum_admin, itil
Open Stories - admin, scrum_admin, itil, scrum_user
Assigned to me - admin, scrum_admin, scrum_user, itil
Tasks - admin, scrum_admin, scrum_user, itil
Open tasks - admin, scrum_admin, scrum_user, itil
Assigned to me - admin, scrum_admin, scrum_user, itil
Enhancements - admin, scrum_admin, scrum_user, itil
Create new - admin, scrum_admin, itil
Open Enhancements - admin, scrum_user, scrum_admin, itil
Assigned to me - admin, scrum_admin, scrum_user, itil
Defects - admin, scrum_admin, scrum_user, itil
Create New - admin, scrum_admin, itil
Open Defects - admin, scrum_admin, scrum_user, itil
Assigned to me - admin, scrum_admin, scrum_user, itil
Administration - admin
Properties - admin
KG
Issue - unable to read release record
Fix - ADDED ITIL to rm_release_scrum table read
KG
Issue - unable to see products
Fix - ADDED ITIL to m2m_product_release table read
KG
Issue - unable to see stories
Fix - ADDED ITIL to rm_story table read
KG
Issue - unable to see team information
Fix - ADDED ITIL to scrum_pp_team table, scrum_pp_team_member, scrum_pp_team_name, scrum_pp_sprint_team_member and scrum_pp_release_team_member table reads
KG
Issue - unable to see epic information
Fix - ADDED ITIL to rm_epic table read
KG
Issue - unable to see story task information
Fix - ADDED ITIL to rm_scrum_task table read
KG
Issue - project_user group can update too many fields on stories
Fix - Removed scrum_story_creator from rm_story table Create ACL. Removed scrum_story_creator from rm_story Delete ACL. Removed scrum_story_creator from rm_story write acl. Removed scrum_story_creator from rm_story Write.* acl. Removed scrum_story_creator from rm_story.opened at write acl. Removed scrum_story_creator from rm_story.opened by write acl. To allow for comments - added scrum_user to rm_story write acl
KG
Issue - project_user group can update too many fields on scrum task form
Fix - Removed scrum_story_creator from rm_scrum_task Create ACL. Removed scrum_story_creator from rm_scrum_task Delete ACL. Removed scrum_story_creator from rm_scrum_task Write ACL. Removed scrum_story_creator from rm_scrum_task .description and .short_description Write ACL. Added scrum_user to table write. Create write ACL for rm_scrum_task for due_date and planned_hours
KG
Issue - give access to SDLC function
Fix - Added scrum_master, scrum_product_owner, scrum_release_planner, scrum_sprint_planner, scrum_story_creator, scrum_team_member and scrum_user to scrum_admin role. Created SDLC Group with scrum_admin role and set this group as parent to IT type groups.
KG
Issue - team setup
Fix - added gs.hasRole('itil') to Create ACL on scrum_pp_team_member, added itil role to Create ACL on scrum_pp_release_team_member, added itil role to Write ACL on scrum_pp_release_team_member, added condition of Role is project_user to Reference Qualifier on Name for team member. ***Must have scrum_admin, scrum_user or project_user view to be displayed for selection
KG
Issue - Business user could create an Epic
Fix - set new role to itil for list control on Open Epics list** In Prod. Open Epics from Navigation area. Not sure if there is another list???
KG
Issue - Business user could create an enhancement
Fix - set new role to itil for list control on Open Enhancements list** in Prod. Open Enhancements from Navigation area. Not sure if there is another list??
KG
Issue - Business user could create a defect
Fix - set new role to itil for list control on Open Defect list** in PROD. Open Defects from Navigation area. Not sure if there is another list??
KG
Issue - Business user cannot Create idea:
Fix - Added project_user and itil to ACL on idea table for Create and Idea.* and Idea.business_case and idea.short_description
KG
Issue - Demand Manager could delete an idea
Fix - removed Demand Manager from Delete ACL for idea table and added admin only
KG
Issue - idea creator cannot update Idea.
Fix - Added script: answer = (current.submitter == gs.getUserID() || gs.hasRole('demand_manager')); and removed all roles to ACL on idea table for Write and Idea.* and Idea.business_case (details) and Idea.short_description
KG
Issue - Business user unable to see demand listing.
Fix - Added project_user, itil to Read ACL on dmn_demand table
KG
Issue - Business users: Submit demand and delete UI action displayed.
Fix to UI Action Submit Demand - set to hasRole('iti') For Delete - two delete one is for if opened_by and the other is only demand_manager.
KG
Issue - Business users cannot see stakeholders.
Fix - added project_user, itil to Read ACL on dmn_stakeholder_register
KG
Issue - ITIL unable to create demand.
Fix - Added itil to Create/Write ACL(s) on dmn_demand table (Just like the instance before)
KG
Issue - ITIL cannot create stakeholder.
Fix - added itil, demand_manager to Create and Write ACL on dmn_stakeholder_register table. Deactivated dmn_stakeholder_register.number ACL
KG
Issue - ITIL cannot see assessment.
Fix - Added hasRole('itil') and hasRole('demand_manager') on script for Read ACL on asmt_metric_category table
KG
Issue - no new on portfolio for demand manager.
Fix - added demand_manager to New roles for List control, Added role to Create and Write ACL on pm_portfolio. Updated New UI Actions removing reference to not list and specific role.
KG
Issue - ITIL Tester, Demand Manager could not create a requirement off a demand record
Fix - Added ITIL to Create ACL on dmn_requirement. Deactivated second one for demand_user. Added ITIL to Read ACL on same table. Deactivated two writes based on condition. Create New WRITE for ITIL
KG
Issue - Demand Manager could not create a decision record
Fix - CREATE ACL for dmn_decision only has demand_manager. Read - added ITIL, WRITE - only has demand_manager
KG
Issue - ITIL can create new resource plan
Fix - set New control to demand_manager for new, removed resource_user from CREATE and WRITE ACL on resource_plan
KG
Issue - idea comment control not working
Fix - created new Write.comments on Idea table for just ITIL WHEN state is less than or is Accepted
KG
Issue/Defect - could update epic from list view (business user)
Fix - Create ACL for list edit on rm_epic and added scrum admin role, changed role on both Write ACL and Write.* and .assigned to and .description and .priority and .short_description and .state to only be scrum admin. Change script to newrecord && scrum_admin role for .product. Removed script and set role to scrum admin on .theme.
KG
Issue - Submitted by on Idea could be changed
Fix - Added two ACLs on the Submitted by field - one for create and one for write
KG
Issue - Demand Manager can delete assessments
Fix - set delete ACL on asmt_metric, asmt_metric_category, and asmt_metric_definition to admin instead of assessment_admin
KG
Issue - Business Users could not read assessment results
Fix - changed script for Read ACL on asmt_category_results by removing script and adding project_user and itil for roles - Was (answer = (new AssessmentUtils()).hasAssessmentRoles(current.metric_type.roles);)
Seems like a lot but it went very smoothly.
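To make the "table level, not just the form level" lesson concrete, here is a small model of how ServiceNow evaluates ACLs, added as an example (it is not ServiceNow code and not from the poster's instance). The ACL set is constructed from fixes listed above: the incident write ACL with all roles removed, the sc_req_item.approval field locked to admin, and the idea write script; the default-deny behaviour is what the High Security plugin's glide.sm.default_mode = deny setting provides.

```javascript
// Simplified model of ServiceNow ACL evaluation (added example, not ServiceNow's own code).
// Rules modeled:
//  - one ACL passes when the user holds any of its roles (none listed = no role
//    requirement) AND its script returns true;
//  - several ACLs on the same target are ORed;
//  - a field operation needs the most specific matching field ACL (table.field,
//    then table.*) AND a table-level ACL to pass; a table-level denial cannot be
//    overridden by a field ACL, which is why form-level fixes alone often fail;
//  - with High Security's default-deny mode (glide.sm.default_mode = deny), a
//    table with no matching ACL denies the operation.
// ACL definitions below are constructed from fixes described in the thread.
const acls = [
  // incident write: all roles removed so ESS submitters can update their own tickets
  { name: 'incident', op: 'write', roles: [], script: () => true },
  // sc_req_item write needs itil; the approval field is locked to admin
  { name: 'sc_req_item', op: 'write', roles: ['itil'], script: () => true },
  { name: 'sc_req_item.approval', op: 'write', roles: ['admin'], script: () => true },
  // idea write: the submitter or a demand manager (the script quoted in the thread)
  { name: 'idea', op: 'write', roles: [],
    script: (user, rec) => rec.submitter === user.id || user.roles.includes('demand_manager') },
];

function aclPasses(acl, user, record) {
  const roleOk = acl.roles.length === 0 || acl.roles.some(r => user.roles.includes(r));
  return roleOk && acl.script(user, record);
}

// true/false when ACLs exist for the target, null when none match.
function evaluate(name, op, user, record) {
  const matches = acls.filter(a => a.name === name && a.op === op);
  if (matches.length === 0) return null;
  return matches.some(a => aclPasses(a, user, record));
}

// target is 'table' or 'table.field'; user is { id, roles }; record holds field values.
function canAccess(target, op, user, record, defaultDeny = true) {
  const [table, field] = target.split('.');
  const tableResult = evaluate(table, op, user, record);
  if (tableResult === null) return !defaultDeny;   // no table ACL: default mode decides
  if (!tableResult) return false;                  // table-level denial is final
  if (!field) return true;
  for (const name of [`${table}.${field}`, `${table}.*`]) {
    const r = evaluate(name, op, user, record);
    if (r !== null) return r;                      // most specific field ACL decides
  }
  return true;                                     // no field ACL: table result stands
}
```

Run the model against the roles that appear in the thread (ess, itil, admin, demand_manager) before touching a production ACL; a field fix that still returns false usually means the table-level ACL, not the field ACL, is the blocker.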
03-10-2017 01:22 PM
Curious, has ServiceNow specifically told you that future releases will assume the Hi-Security plug-in is installed? I always assumed that day would come but really thought maybe they would communicate it.
Thx in advance.
Sandy
06-23-2016 03:22 AM
Hi,
I'd recommend you have a look at these excellent resources:
"ServiceNow Security Instance Hardening"
https://hi.service-now.com/kb_view.do?sysparm_article=KB0550654
"Security Best Practice Audit" Application at Servicenow Share:
https://share.servicenow.com/app.do#/detailV2/77d60cd213935e004e8cd4a76144b0f3/overview
(copy-paste URL if it doesn't open directly)
BR,
- Jan