
‎01-29-2018 08:27 AM
I have a custom table I want to report on. I have created a simple "read" ACL filtering the data for some users (enduser) to only see their own data and an ACL for management to see all data.
I also created a report with a graph on an unfiltered report source.
I now want the report to only show the "filtered" graph, but I figured out that if I share the report with an enduser, he can see the complete graph even though he is not allowed to see the records. Is this default behaviour? How to achieve this on ACL basis only?
Thx and br
Vesp
‎01-29-2018 08:33 AM
ACLs do not restrict aggregates. If you want that restricted, you can do so with a dynamic filter in the report (e.g., Caller is (dynamic) Me).
If you want to ensure that users do not create reports on this at all with the aggregate data that is not theirs, look at a before query rule that removes that data from the query. I think the sample in the docs should get you close: Default before-query business rule
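A sketch of the before-query approach suggested above, added here as an example and not code from the thread or from the ServiceNow docs: the rule body narrows the query before any rows are aggregated, and small constructed stand-ins for `gs` and `current` show the effect on a report sum. The field `u_owner`, the role `u_report_manager` and the sample rows are assumptions.

```javascript
// Body of a before-query business rule, written as a function so it can run
// outside an instance. On an instance, `current` and `gs` are supplied by the
// platform. Field u_owner and role u_report_manager are hypothetical names.
function restrictToOwnRecords(current, gs) {
  if (gs.hasRole('u_report_manager')) return;   // management sees all rows
  current.addQuery('u_owner', gs.getUserID());  // everyone else: own rows only
}

// Minimal stand-ins (constructed) for the platform objects, so the effect on
// an aggregate can be checked offline.
function makeSession(userId, roles) {
  return { getUserID: () => userId, hasRole: (r) => roles.includes(r) };
}
function makeQuery(rows) {
  const conditions = [];
  return {
    addQuery: (field, value) => { conditions.push([field, value]); },
    rows: () => rows.filter((row) => conditions.every(([f, v]) => row[f] === v)),
  };
}

// Constructed sample rows of the custom table.
const SAMPLE_ROWS = [
  { u_owner: 'user_a', u_amount: 100 },
  { u_owner: 'user_a', u_amount: 50 },
  { u_owner: 'user_b', u_amount: 900 },
];

// What a SUM report would display for this session, with or without the rule.
function reportSum(gs, applyRule) {
  const query = makeQuery(SAMPLE_ROWS);
  if (applyRule) restrictToOwnRecords(query, gs);
  return query.rows().reduce((total, row) => total + row.u_amount, 0);
}

const endUser = makeSession('user_a', []);
const manager = makeSession('mgr_1', ['u_report_manager']);
console.log(reportSum(endUser, false)); // no rule: total includes user_b's rows
console.log(reportSum(endUser, true));  // rule applied: own rows only
console.log(reportSum(manager, true));  // manager role: all rows
```

Because the condition is attached to the query itself, it applies to list views and report aggregates alike, which is the gap the read ACL leaves open in this thread.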
‎01-29-2018 10:07 AM
Hello Adam, thanks a lot for the fast reply and explanation.
Actually, in my eyes this involves several risks and should be highlighted to everyone who wants to introduce the reporting module and plans to use it / offer it to users.
A basic read ACL (answer = false) should prevent the user from seeing the data. I even added a row ACL to prevent explicit read rights of a field, but the value is then simply shown in the report via mouseover. In addition, the tables are in a scoped app and I disabled read access for any other scopes, but the report does not care and shows all data. (To be honest, I am a little scared about the fact that a simple report bypasses all security mechanisms of ACL; even if data is "only" aggregated, simple sum aggregates directly show the data value in the report, e.g.)
But good news: of course a dynamic filter (report source) helps, but the before-query business rule exactly realizes my requirement, as you proposed.
Thx and br
Vesp