‎05-08-2018 04:49 AM
Working on an instance that is used to provide services to multiple customers. These customers are actually each other's competitors, so the worst thing we can do is show them information about each other.
We've put ACLs and Business rule Queries on all task related tables, cmdb, location, user etc. So when showing a user a list or report or dashboards we can rely on the security we put in place. All of these are based on the company field, which is available on most of these tables.
So far the introduction, now the new challenge!
We want to give our customers direct access to some of the PA dashboards we created. It's possible to give them the right overview by using groups, breakdowns or conditions etc. But by giving them pa_viewer rights they get access to the underlying tables. So it's a bit of security by obscurity: they can access the data if they know how to, not because there are restrictions. https://xxxx.service-now.com/pa_snapshots_list.do would give them all the raw data.
Anyone had the same challenge? And what would be a good way to put a security layer around the different PA tables? Obviously the PA tables will not have a company field, and I don't think it's wise to add it; many scores/targets/snapshots/score notes etc. aren't related to companies but to other dimensions. Anyone thought of a good way to do this?
Labels: Performance Analytics

‎05-09-2018 08:08 AM
You don't give pa_viewer to the users to see PA widgets. You can add the widgets to a breakdown dashboard and create Element Security on the Company Breakdown Source (so that people will only see their company, and all your employees see all companies). What you will need to prevent is that people can drill into the detailed scorecard, as from here people will have access to the complete scorecard and can e.g. go up to the main indicator.
‎05-08-2018 05:09 AM
Have you thought about using domains if you want to separate data for different customers? PA supports domain separation:
https://docs.servicenow.com/bundle/istanbul-performance-analytics-and-reporting/page/use/performance-analytics/concept/pa-domain-separation-msp.html
‎05-08-2018 06:33 AM
Domain separation is probably the best way to do this. But I was hoping somebody had thought of a more lightweight solution. Adding domain separation to our instance and getting it all to work will be quite an effort.
‎05-08-2018 08:42 AM
Domain Separation may be something you want to look at for security across the instance, but just for PA, take a look at Element Security. That would allow you to meet the needs of who can see what. If you are at Knowledge, we have an exercise on this in PA 301 on Wednesday.
‎05-09-2018 12:17 AM
Thanks guys, really helpful pointers. I'll have a look at element security as well; at first glance it will help block access to the pa_breakdowns table, there is a nice script on the ACL for that table. But it looks as if users with the pa_viewer role will still have full access to the pa_snapshots table.
I'll do some more investigating.
Not in Vegas this year I'm afraid.