08-03-2022 09:38 AM
I have a requirement to allow personal information to be collected from users on various catalog offerings. This information should only be visible to specific groups of ITIL roled users depending on the offering. To make this happen, I have used masked encrypted variables for the data. This is working. The problem is that I have to give any user, needing to see the variable response, the catalog_view_masked role and that allows them to see any masked encrypted field on any offering. I need group A to be able to view the masked encrypted variable for offering A and not offering B, while at the same time allow group B to be able to view the masked encrypted variable for offering B and not offering A.
Any ideas? I have tried recreating the catalog_view_masked role as catalog_view_masked2 and assigned it to the B group, but the A group can still see the B group's field data, while the B group cannot see the A or B group's field data.
Thank you in advance.
Krysta
Labels: Request Management, Service Catalog

08-18-2022 08:48 AM

10-28-2022 07:30 AM
Awesome sauce
02-03-2023 10:15 AM
Has anyone been able to access this KB article? I'm not sure how the post above was marked as an accepted solution if people can't actually see the article.
04-11-2023 06:46 AM
I was never able to get to the KB article but I found my own way to secure this.
- Create a custom role (e.g. masked_var_xyz).
- Make sure the custom role contains the catalog_view_masked role.
- Create a masked variable.
- Enable the encryption option on the variable if you really want it to be secured with no backdoors.
- Add the custom role to the Read roles and Write roles fields on the variable.
In this way only members of the custom role will be allowed to even see the variable. Since those users inherit the catalog_view_masked role they will also be able to decrypt the variable value.
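The role layout from the reply above, worked through as an added example (not part of the original posts and not ServiceNow platform code). It is a simplified model: the role names `masked_var_a` / `masked_var_b`, the users, and the rule that a variable with no read roles is visible to everyone are assumptions.

```javascript
// Simplified model of the setup described above; not ServiceNow platform code.
// Role names masked_var_a / masked_var_b and the users are constructed.
const CONTAINS = {
  masked_var_a: ["catalog_view_masked"],
  masked_var_b: ["catalog_view_masked"],
};

// Expand directly granted roles to include every contained (inherited) role.
function effectiveRoles(granted) {
  const seen = new Set();
  const stack = [...granted];
  while (stack.length) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    stack.push(...(CONTAINS[role] || []));
  }
  return seen;
}

// A variable with empty readRoles is visible to everyone (assumption of this model).
function access(userRoles, variable) {
  const roles = effectiveRoles(userRoles);
  const visible = variable.readRoles.length === 0 ||
    variable.readRoles.some((r) => roles.has(r));
  if (!visible) return "hidden";
  return roles.has("catalog_view_masked") ? "cleartext" : "masked";
}

const VARIABLES = {
  offeringA: { readRoles: ["masked_var_a"] },
  offeringB: { readRoles: ["masked_var_b"] },
  unrestricted: { readRoles: [] }, // masked variable with no read roles set
};
const USERS = {
  groupA: ["itil", "masked_var_a"],
  groupB: ["itil", "masked_var_b"],
  plainItil: ["itil"],
};

// Build the full user x variable matrix so gaps are easy to spot.
function accessMatrix() {
  const out = {};
  for (const [user, roles] of Object.entries(USERS)) {
    out[user] = {};
    for (const [name, v] of Object.entries(VARIABLES)) out[user][name] = access(roles, v);
  }
  return out;
}
console.table(accessMatrix());
```

The `unrestricted` column is the thing to audit: because both custom roles contain catalog_view_masked, any masked variable left without read roles is still readable in clear by both groups.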