
Christian_
Tera Guru

This article covers published reports: how to identify the number of published reports within an instance, and how to unpublish several of them in one action.

Background and Use Case

When working with reports in ServiceNow, users with the roles report_publisher, report_user, report_admin or admin can publish a report.
A published report is then accessible to anyone, regardless of whether that individual has an account on the instance.
(Some limitations apply: ACLs govern the content of list reports, and Business Rules can affect the data available in a public report. You can read more about this here.)

If you have one of the roles mentioned above, you will see the Publish option in the report's menu.

When the report is published, it is available via a URL.
The URL for accessing a published report looks similar to this:
https://<Instance_Name>.service-now.com/sys_report_display.do?sysparm_report_id=<SYS_ID>

 

To unpublish a report, open the same menu used for publishing and select Unpublish.
If you try to access the URL of a report that is no longer publicly available, a message is shown in the browser:

[Image: browser message shown for a report that is no longer published]

This functionality can be very convenient, but it also increases the awareness needed about what information is available to the public.
(Ref. "The probability of someone randomly accessing this URL is thus infinitesimally small, however, this can, in no way, provide any actual security for preventing access to the report.")

What to consider here:
• Do the reports contain sensitive information of any kind that should not be available via a URL open on the internet?
• Should the reports instead be limited to a specific set of users, personas or groups?
• Could the content be damaging to my organization if it fell into the hands of a competitor?

A note taken from the Product Documentation that I think is worth mentioning in this context is this one:
"To make a report available only to logged in users, set its Sharing setting to Everyone, but do not publish it."

Unfortunately, the person who published the report may not be aware that the report becomes "public" when using this functionality. They may also associate the term Publish with its meaning in Knowledge Management and therefore overlook what it does for a report.

 


Identify affected Reports

To identify the published reports within your instance, you can view and filter the Reports table (sys_report).

[Image: filtered list view of the Reports table (sys_report)]

There is a published field on the report that indicates which reports are published, but it is the public role that grants access to the report for everyone outside of ServiceNow.

When a report is published, the public role is added to the report. A Business Rule (Report roles updated - is_publish field) detects the public role and sets the is_published field to true for this report.

 

Unpublish multiple Reports

As mentioned earlier, unpublishing in the UI is limited to one report at a time, and there is no functionality in the UI, such as an OOTB UI Action, to unpublish several reports at once.
If you need to address a larger number of publicly available reports, this can be done with a script, executed either as a Background Script or a Fix Script.

Scripts – Background
Fix scripts

Always be careful when executing scripts, and test them in a non-production environment before running them in production to ensure the expected results.


The following script queries the sys_report table for all reports that are published (the is_published field is set to true).
For every record matching this query, the public role is removed.
The OOTB Business Rule "Report roles updated - is_publish field" handles the update of the is_published field.

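// Remove the public role from every published report.
var report = new GlideRecord('sys_report');
report.addQuery('is_published', true);
report.query();

while (report.next()) {
    // roles is a comma-separated list; getValue() returns null when it is empty
    var current = String(report.getValue('roles') || '');
    var roles = current.split(',').filter(function (role) {
        // Match the exact role name so that no stray comma is left behind
        // and roles whose names merely contain "public" are kept
        return role.trim() !== '' && role.trim() !== 'public';
    });
    report.setValue('roles', roles.join(','));
    report.update();
}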
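
Before changing any records, it can help to do a dry run that lists which reports the public role exposes and what their roles value would be afterwards. The following is an added example, not part of the original article or of ServiceNow's code: it runs in plain JavaScript over constructed rows shaped like sys_report records, and the function names, the sample rows and the role public_portal_viewer are hypothetical.

```javascript
// Constructed sample rows shaped like sys_report records (not real data).
const sampleReports = [
  { sys_id: 'aaa111', title: 'Open incidents', roles: 'public,itil', is_published: true },
  { sys_id: 'bbb222', title: 'Vendor costs', roles: 'report_user,public', is_published: false },
  { sys_id: 'ccc333', title: 'Portal usage', roles: 'public_portal_viewer', is_published: false },
  { sys_id: 'ddd444', title: 'Change backlog', roles: '', is_published: false },
];

// Split the comma-separated roles value into exact role names.
function parseRoles(roles) {
  return String(roles || '').split(',').map((r) => r.trim()).filter(Boolean);
}

// Roles value after unpublishing: only the exact role "public" is dropped.
function withoutPublic(roles) {
  return parseRoles(roles).filter((r) => r !== 'public').join(',');
}

// Dry run: list every report the public role exposes, without changing anything.
// instanceName stands in for <Instance_Name> in the URL pattern shown earlier.
function auditPublicReports(reports, instanceName) {
  return reports
    .filter((rep) => parseRoles(rep.roles).includes('public'))
    .map((rep) => ({
      sys_id: rep.sys_id,
      title: rep.title,
      url: 'https://' + instanceName +
        '.service-now.com/sys_report_display.do?sysparm_report_id=' + rep.sys_id,
      rolesAfter: withoutPublic(rep.roles),
      // The role grants access; flag rows where the indicator field disagrees.
      flagMismatch: rep.is_published !== true,
    }));
}

const findings = auditPublicReports(sampleReports, '<Instance_Name>');
for (const f of findings) {
  console.log(f.sys_id, f.title, '->', JSON.stringify(f.rolesAfter),
    f.flagMismatch ? '(is_published not set)' : '');
}
```

Because the check is driven by the public role rather than the is_published field, it also surfaces a report that carries the role while the indicator field is not set.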

 

Related Documentation and Reference material

See the following links for additional information related to this topic:
Published Reports and Data Security
How to Publish or Unpublish a Report (Report Builder Interface)
How to Publish or Unpublish a Report (Report Designer Interface)

Comments
Jon23
Mega Sage

Related reference material for 'Publish Reports and Data Security' returns the following:

find_real_file.png

 

Jon
Tera Contributor

Thank you, this was very useful 👍

The only reports left are created by System Administrator and I am not able to change them with fix script.

Ref. This item is read-only based on its protection policy.

Christian_
Tera Guru

If there is a need to deactivate the Publish functionality, this property should be set to false: glide.report.published_reports.enabled.

Product Documentation Enforce security on reports

Version history
Last update: 10-16-2020 03:47 AM