Report View ACL Effects?

chuckn · ‎08-05-2022

We are having an issue that I believe is related to report view ACLs (RVAs), but I can't tell for sure.

We have a user who has been granted a custom role that has report_view access via custom ACLs to asmt_metric_result and asmt_assessment_instance. We can create reports on each of the asmt_metric_result, asmt_assessment_instance, and task tables, and said user can see all relevant data. However, in a report on asmt_metric_result that is grouped by Instance (reference to asmt_assessment_instance) -> Task (reference to task) -> Task Type, the report results are removed due to security constraints:

Has anyone experienced something similar? Any ideas on what's required to address the issue?

Thanks!

chuckn · ‎11-28-2022

Ah, yes...I should have updated the post! We created a Now Support Case. Turns out we needed to create a read ACL for asmt_assessment_instance and ensured the users had the role we added to that ACL (in this case we have a role for RVAs for Assessments). Hope that helps!

-Chuck

View solution in original post

Tim Grindlay · ‎11-28-2022

Great! Thanks for the reply 🙂 was that a read ACL or a report_view ACL? I'm assuming the latter. In our case we're working with CSM. Users with a business_stakeholder role are able to view case data in the native UI but are denied when they attempt to view reports that use certain fields. Trying to stay away from customisation but seems we may not have an option. I've also raised a case with ServiceNow, so we'll see what they come back with.

chuckn · ‎11-29-2022

Actually, it was a read ACL we needed to create. We had already created a report_view ACL for the same table for a custom report view ACL we created for Assessments.

Here's our read ACL:

And here's our report_view ACL:

Thanks!

-Chuck

Tim Grindlay · ‎11-29-2022

Thanks Chuck! Seems this is slightly different in our use case, but I think the solution will be similar. i.e. Creating new report view ACLs. I think the question for us will be around licensing. Effectively we will be bypassing a report_view ACL designed to prevent access without a licensed role.

Tim Grindlay · ‎12-11-2022

To close this down for anyone following this, ServiceNow responded (after a lot of back and forth) with:

"...However, Reporting in entirety became a whole different product and needs some roles and access levels to be accessed.
I was told that customer service is not just the only project this is applicable, for many product umbrellas we have in ServiceNow the same behavior is applicable.

The product itself is not provisioned with all the reporting roles by default. You can configure using the OOB roles or you can create new custom roles."

To me this seems like a gap in the OOTB product. Why wouldn't they update the report_view ACLs to match the access you're providing those users?

Nevertheless, as in Chucks solution we've added additional report_view ACLs for the fields our business stakeholders were not able to report on, and ServiceNow confirmed that it would not impact our licensing.

chuckn · ‎12-13-2022

Thanks for the update, Tim. I concur, especially regarding OOB products and functionality. Perhaps they'll catch up over time? The question we always have is about impacts to licensing, so it's good you got confirmation on that for your use case.