How to restrict users' access to certain records in PA tables

Henk5
Tera Contributor

Working on an instance that is used to provide services to multiple customers. These customers are actually each other's competitors, so the worst thing we can do is show them information about each other.

We've put ACLs and Business Rule queries on all task-related tables, cmdb, location, user etc. So when showing a user a list, report or dashboard we can rely on the security we put in place. All of these are based on the company field, which is available on most of these tables.

So far the introduction, now the new challenge!

We want to give our customers direct access to some of the PA dashboards we created. It's possible to give them the right overview by using groups, breakdowns or conditions etc. But by giving them pa_viewer rights they get access to the underlying tables. So it's a bit of security by obscurity: they can access the data if they know how to, not because there are restrictions. https://xxxx.service-now.com/pa_snapshots_list.do would give them all the raw data.

Anyone had the same challenge? And what would be a good way to put a security layer around the different PA tables? Obviously the PA tables will not have a company field, and I don't think it's wise to add it; many scores/targets/snapshots/score notes etc. aren't related to companies but to other dimensions. Anyone thought of a good way to do this?
1 ACCEPTED SOLUTION

Ulrich Jugl
ServiceNow Employee

You don't give pa_viewer to the users to see PA widgets. You can add the widgets to a breakdown dashboard and create Element Security on the Company Breakdown Source (so that people will only see their company, and all your employees see all companies). What you will need to prevent is that people can drill into the detailed scorecard, as from here people will have access to the complete scorecard and can e.g. go up to the main indicator.

8 REPLIES

Adam Stout
ServiceNow Employee

Where are the ACLs? Did you add ACLs to the pa_scores table directly? ACLs on the source tables are not in play with PA until you get to the records tab.

Ulrich Jugl
ServiceNow Employee

Element security with the "Show blank option" unchecked should prevent the access to the global number (but be sure to set this for all the breakdowns). Not giving the limited users pa_viewer is the ideal option if they don't need it.

Henk5
Tera Contributor

Ok, so I assumed users need pa_viewer to view PA widgets. Guess we've all experienced that assumption is the mother of....

Tried a few widgets and yes, they can be seen without the pa_viewer role :-). I'll probably run into some limitations, but this seems to be the way forward.