Variables privacy

Giancarlo Perei
Tera Contributor

Hi there everyone, 

I have a very simple question, and I have tried a few things before, such as roles "permissions", and this did not work well. Roles [servicenow] will also limit these Variables on the Portal site, which is not good; users will not be able to input data on their request. This is a pretty big deal for my company since there is sensitive data being shared with HR, but not only HR can see it on ServiceNow fulfiller. The variable set is built as "salary_changes"; some variables collect salary values and workflows for our HR group Tickets. However, the problem is, when the request is created, other groups on ITSM can see these variables if they search. I am trying to figure out ways to limit these variables to only be seen by HR_ServiceDelivery and HR_ServiceDesk groups or admins.

 

These are the files that need variables that, once it has become a request, the ideal is that no other ITIL user, except the HR groups and Admins, should be able to visualize it.

 

               
| Name | Type | Question |
|---|---|---|
| number_of_hour_week | Single Line Text | Current working hours "Hours per Week" |
| current_hourly_rate | Single Line Text | Current "Hourly" |
| formatter70 | Container Split | |
| current_salary_rate | Single Line Text | Current annual "Salary" |
| new_hourly_rate | Single Line Text | New "Hourly" |
| new_salary_annual_rate | Single Line Text | New annual "Salary" |

 

Any help would be much appreciated! 


Jaspal Singh
Mega Patron

Hi,

So, you mean ITIL users are able to report on variables submitted for HR services? Did you check for an ACL of type Read on the question_answer table?

The problem is, not everyone is an ITIL fulfiller; the catalog requests can come to any employee. As I can see, it looks like the role ACLs are useless. I have created a user_HR role and added it to HR Groups, went to Variables and applied the role to User_HR; this will hide variables to all roles, even to the User_HR role. I have never seen anything like this; it seems to be buggy. The workflow uses SC_REQ_ITEM. I just need to make the output fields private and only accessible to HR groups after the request is created.

OlaN
Giga Sage

Hi,

Like Jaspal already mentioned, you will need to look at changing some Read ACLs. Depending on your use case you will need to look at different tables. If you are working with record producers, then the question_answer table is correct, but judging by your question, it sounds like you submit these as Catalog item requests, so you should look at the sc_item_option table.

The OOB itil role has read access on table level on sc_item_option, so you will need to change that so that you exclude rights to read these restricted variable options.
Then create a read ACL so that a role that only HR_ServiceDelivery and HR_ServiceDesk members have can read these options.
And of course you will need to create an additional read ACL, so that users reporting in values can read the records they have created.
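
The three read rules described in the reply above, modelled as one decision function (an added example, not code from the thread or from ServiceNow). It is plain JavaScript so it runs outside an instance; in an ACL script the role checks would come from `gs.hasRole()` and the user from `gs.getUserID()`. The `user_HR` role name is taken from the thread, while the object shapes, sample users and the `short_description` variable are constructed for illustration.

```javascript
// Variables from the "salary_changes" variable set listed in the question.
var RESTRICTED_VARIABLES = [
  'number_of_hour_week', 'current_hourly_rate', 'current_salary_rate',
  'new_hourly_rate', 'new_salary_annual_rate'
];
// Assumption: this role is granted only through the two HR groups.
var HR_ROLE = 'user_HR';

function hasRole(user, role) {
  return user.roles.indexOf(role) !== -1;
}

// Models the read decision for one variable option row (hypothetical shape:
// variableName = the variable's name, requesterSysId = who submitted it).
function canReadOption(user, option) {
  if (hasRole(user, 'admin')) return true;
  // Rule 3: the submitter can still read their own values, so the portal
  // form keeps working for employees who hold no roles at all.
  if (option.requesterSysId === user.sysId) return true;
  // Rules 1 and 2: salary variables need the HR role; itil alone is denied.
  if (RESTRICTED_VARIABLES.indexOf(option.variableName) !== -1) {
    return hasRole(user, HR_ROLE);
  }
  // Everything else keeps the out-of-box itil read access.
  return hasRole(user, 'itil');
}

// Which variable names a user would see on a request; useful as a test
// matrix to walk through by impersonation after changing the ACLs.
function visibleVariables(user, options) {
  return options.filter(function (o) { return canReadOption(user, o); })
                .map(function (o) { return o.variableName; });
}

// Constructed sample data.
var SAMPLE_OPTIONS = [
  { variableName: 'new_salary_annual_rate', requesterSysId: 'u-emp' },
  { variableName: 'current_hourly_rate', requesterSysId: 'u-emp' },
  { variableName: 'short_description', requesterSysId: 'u-emp' }
];
var SAMPLE_USERS = {
  requester: { sysId: 'u-emp', roles: [] },
  otherEmployee: { sysId: 'u-other', roles: [] },
  itilFulfiller: { sysId: 'u-itil', roles: ['itil'] },
  hrFulfiller: { sysId: 'u-hr', roles: ['itil', 'user_HR'] },
  admin: { sysId: 'u-adm', roles: ['admin'] }
};
```

How an option row is tied back to its requester depends on the instance's table relationships, which the thread does not show, so that lookup is left as an input here.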