Granular ACL for the sake of aggregation possible?

Mikael Karlsson
Kilo Sage

Hi.

We are building reports off the interaction table, which by default doesn't have any ACL allowing regular business stakeholders to read it; this differs from sn_request_read and sn_incident_read, which are present on the request- and incident-related tables. We believe this is because interactions/chats could also be related to non-IT, and therefore the read ACL was not implemented by ServiceNow.


Now to the question: since we use data from the interaction table in reports which show, for example, the number of interactions related to other dimensions, I'm wondering if it would be possible to create a "harmless" ACL entry which would only allow the aggregate to get calculated but would reject any drill-down attempt. Ideally we should be able to allow read only on sys_id and opened_for, for example, not have to expose anything else, and still be able to do the aggregation.


Anyone done any exploring on the topic?

1 ACCEPTED SOLUTION

Did a little testing to see if I could get it working, and a small adjustment is needed on my original thought.

You will need to lock down each and every field on the interaction table that you wish to hide from the business stakeholder role; you cannot put an interaction.* report_view ACL, as that will prevent the stakeholders from being able to view the reports entirely.

You will have to create read ACLs on the fields that should be restricted from the business stakeholders.

My best advice: try it first in a PDI, then, when you have got it working as expected, implement it in a sub-prod instance.


3 REPLIES

OlaN
Giga Sage

Hi,

Not that I have tried it, but I guess it could be done by having an ACL that grants the report_view action on interaction.* only to fulfillers (such as ITIL users) and then granting a report_view ACL on interaction.NONE to the business stakeholders.


Thanks for the quick reply, Ola. By default itil already has access to the interaction table, but we'd want the business stakeholders to be able to view the interaction aggregates of the report without having permission to read the related chats, for example. Would your example still apply? To me it sounds like it would block out business stakeholders and allow fulfillers full access to read reports on any column.

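Since the accepted answer comes down to "create a read ACL on every field you want hidden", the practical risk is missing one. Below is an added example, not code posted by anyone in this thread, of a background script that lists which fields on the interaction table still have no active field-level read ACL. It assumes that field ACLs are stored in sys_security_acl with the name `interaction.<field>`, that the `operation` and `type` reference fields can be dot-walked as `operation.name` and `type.name`, and that the sys_dictionary rows for the table carry the field name in `element`; the field and ACL names in the sample data are constructed for illustration only.

```javascript
// Added example for this thread (not code from the participants or from ServiceNow):
// check which fields on the interaction table still lack a field-level read ACL,
// so nothing is left readable by accident when locking fields down one by one.
//
// Assumptions (labelled, not verified against the thread): active record-type read
// ACLs live in sys_security_acl named 'interaction.<field>'; the reference fields
// operation and type can be dot-walked as operation.name / type.name.

var TABLE = 'interaction';

// Pure helper: given the table's field names and the names of the existing active
// read ACLs, return what is still unprotected. Runs outside ServiceNow as well, so
// the logic can be checked before the script is pasted into a PDI.
function findUnprotectedFields(table, fields, readAclNames) {
  var covered = {};
  var wildcard = false;    // 'interaction.*' would cover every field
  var tableLevel = false;  // 'interaction' gates the table itself, not single fields
  readAclNames.forEach(function (name) {
    if (name === table) {
      tableLevel = true;
    } else if (name === table + '.*') {
      wildcard = true;
    } else if (name.indexOf(table + '.') === 0) {
      covered[name.substring(table.length + 1)] = true;
    }
  });
  var unprotected = fields.filter(function (f) { return !wildcard && !covered[f]; });
  return { tableLevel: tableLevel, wildcard: wildcard, unprotected: unprotected };
}

// Glide-side collection; only runs inside a ServiceNow scope.
function collectFromInstance(table) {
  var fields = [];
  var dict = new GlideRecord('sys_dictionary');
  dict.addQuery('name', table);
  dict.addNotNullQuery('element'); // skip the table's own collection row
  dict.query();
  while (dict.next()) {
    fields.push(dict.getValue('element'));
  }

  var aclNames = [];
  var acl = new GlideRecord('sys_security_acl');
  acl.addQuery('active', true);
  acl.addQuery('operation.name', 'read');   // assumed dot-walk on the reference field
  acl.addQuery('type.name', 'record');      // assumed dot-walk on the reference field
  acl.addQuery('name', 'STARTSWITH', table);
  acl.query();
  while (acl.next()) {
    aclNames.push(acl.getValue('name'));
  }
  return { fields: fields, aclNames: aclNames };
}

// Constructed sample data so the helper can be exercised outside an instance.
var SAMPLE_FIELDS = ['sys_id', 'opened_for', 'short_description', 'channel', 'transcript'];
var SAMPLE_ACLS = ['interaction', 'interaction.short_description'];

function report(table, data) {
  var result = findUnprotectedFields(table, data.fields, data.aclNames);
  return [
    'table-level read ACL present: ' + result.tableLevel,
    'wildcard ' + table + '.* read ACL present: ' + result.wildcard,
    'fields without a field-level read ACL: ' + result.unprotected.join(', ')
  ].join('\n');
}

if (typeof GlideRecord !== 'undefined') {
  gs.info(report(TABLE, collectFromInstance(TABLE)));                           // inside ServiceNow
} else {
  console.log(report(TABLE, { fields: SAMPLE_FIELDS, aclNames: SAMPLE_ACLS })); // offline, sample data
}
```

Run it as a background script in the PDI before and after adding the field ACLs; the fields that should stay reportable for the stakeholders (sys_id and opened_for in the question) are expected to remain in the "without a field-level read ACL" list, everything else should disappear from it. A wildcard `interaction.*` read ACL is reported separately, since the accepted answer notes that it locks the stakeholders out of the reports entirely.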