How can I provide access to the top-level domain and restrict access to specific child domains?

Go to solution
jamie_girouard
Giga Expert

‎06-19-2014 12:56 PM

I am hoping someone can help with this dilemma - if it even is one.   I'm relatively new to domain separation so I'm fumbling through this a bit.

 

Right now, we have a domain structure that looks something like this:

 

TOP

|

TOP/MSP (where MSP has access all data in TOP and all customer domains)

|

TOP/MSP/CUSTOMER1   TOP/MSP/CUSTOMER2 TOP/MSP/CUSTOMER3

 

We have some users that need to be able to see data in TOP/MSP, TOP/MSP/CUSTOMER1 and TOP/MSP/CUSTOMER2 - but not TOP/MSP/CUSTOMER3.

 

Would I be able to do achieve this restriction through the use of another third-level domain (for example, TOP/MSP/TECHNICIAN) that had visibility into TOP/MSP, TOP/MSP/CUSTOMER1 and TOP/MSP/CUSTOMER2, but not TOP/MSP/CUSTOMER3?  

 

And if so, would I be able to use that even for a user that needed admin rights to do development, even on things that are global?

0 Helpfuls
  • 4,170 Views
1 ACCEPTED SOLUTION

Go to solution
jamie_girouard
Giga Expert
In response to jamie_girouard

‎07-16-2014 03:43 PM

After some assistance from a helpful chap at ServiceNow, I have an answer to my dilemma:



  • I created a group that would contain all of the users whom I need to limit access for.
  • I created an access control rule for all tables that would check to see if the user was in the "limited access" group and the sys_domain of the record for the domain that needed this restriction.


if (current.sys_domain == {your sys_id} && gs.getUser().isMemberOf({your limiting group sys_id})){ answer = false; } else { answer = true; }



  • If you need to apply this to admins, you need to make sure the "admin override" option is unchecked.
  • I did have to create a similar, but separate access control role for the sys_user table - not sure why, may be specific to my instance.  

View solution in original post

9 REPLIES 9

Go to solution
jamie_girouard
Giga Expert
In response to solutioningnow

‎06-19-2014 03:45 PM

But I'm not sure this helps if the user has access to the global domain.   If they were to run an incident query while in the global domain, for example, they'd have the ability to see records from TOP/MSP/CUSTOMER3.



This will help some of my use cases, but perhaps not the use case where I have a developer that - for whatever reason - isn't allowed to see data from certain customers.


0 Helpfuls

Go to solution
solutioningnow
Giga Guru
In response to jamie_girouard

‎06-20-2014 12:24 AM

Hi,



If user is having access to Global domain, they have full access. I would suggest restrict access to Global Domain. That means allow "Global" to only few users who will have all access.


0 Helpfuls

Go to solution
jamie_girouard
Giga Expert

‎06-22-2014 11:14 AM

So let me post my question a different way:



We have a domain separated instance.   I have a resource who I'd like to be able to perform development activities (client scripts, script includes, etc.)but will also be restricted from viewing data in certain domains.   Ideally, I'd like this person to have the admin role, but have that role restricted from viewing data in certain domains.



I'm not sure I can just restrict the user from being able to access the global or top-level domain, because if I do, how can they develop anything that spans all domains?  



Of course, if I give them access to the global and/or top-level domain, they're going to be able to see data in all domains if they pull up the user, company or CI tables - regardless of whether I remove those domains from the domain picker or not.



So do I have any options here that don't involve a ton of scripting?


0 Helpfuls

Go to solution
jamie_girouard
Giga Expert

‎07-14-2014 06:53 PM

I'm going to try to re-ask this question...



I have this domain separation hierarchy set up



TOP


|


TOP/MSP (which has access to TOP)


|


TOP/MSP/CUSTOMERX


TOP/MSP/CUSTOMERY


TOP/MSP/CUSTOMERZ



We have records created for TOP/MSP as well as TOP/MSP/CUSTOMERX, TOP/MSP/CUSTOMERY, TOP/MSP/CUSTOMERZ.



I will have users that CANNOT have access to records for TOP/MSP/CUSTOMERZ, but can have access to records in TOP/MSP, TOP/MSP/CUSTOMERX and TOP/MSP/CUSTOMERY.  



How do I accomplish this in domain separation, using Calgary?   Right now, when I try to create a new domain called TOP/MSP/TECHNICIAN, I can set up the contains domains so that it will only allow access to CUSTOMERX and CUSTOMERY, but when I try to add TOP/MSP to the mix, I'm hosed.   What are my options here?


0 Helpfuls

Go to solution
jamie_girouard
Giga Expert
In response to jamie_girouard

‎07-16-2014 03:43 PM

After some assistance from a helpful chap at ServiceNow, I have an answer to my dilemma:



  • I created a group that would contain all of the users whom I need to limit access for.
  • I created an access control rule for all tables that would check to see if the user was in the "limited access" group and the sys_domain of the record for the domain that needed this restriction.


if (current.sys_domain == {your sys_id} && gs.getUser().isMemberOf({your limiting group sys_id})){ answer = false; } else { answer = true; }



  • If you need to apply this to admins, you need to make sure the "admin override" option is unchecked.
  • I did have to create a similar, but separate access control role for the sys_user table - not sure why, may be specific to my instance.