Why does ServiceNow Health check say not to publish reports

Ed Shooshanian
Tera Expert

My company has received a recommendation from ServiceNow not to use Published Reports to share with a broad audience. Is this a correct security concern? If so, what is the appropriate workaround to allow viewing but not allow editing? I've shared with Everyone in the past but that has its own issues.


jMarshal
Mega Sage

"Publishing" is a bit of a "specific term" in the context of ServiceNow reporting...publishing a report will make that report available to the entire internet. No authentication required on your instance to view - if you have the link or can scrape for it, you can access the data. Sharing a report with "everyone in your organization" will still require someone to have access to the instance to view, they just won't need any role or other criteria.

You can use Report View Access Controls to allow people to be able to view table data on reports, without access to the back-end table generating the report itself: Report execution security (servicenow.com)

So I read your response as ServiceNow has provided a simple value "Publish" as a method of sharing a report with the entire internet instead of users with access to the specific instance.  That seems to be a very poor design by ServiceNow.  I am not concerned about users with access to tables, I simply want to share a report with all users with backend ServiceNow access without allowing them access to the report itself.  This is exactly what Publishing seemed to allow...I just didn't realize it was publishing to the world.  Seems like something that could be fixed by ServiceNow in a way similar to how PA dashboards can be shared with the ITIL role or to PA_Viewer role.  This can provide view access to all users with backend access.

You are correct in your understanding of my post -- the entire internet...and I agree, it is very unintuitive that a "published" report would provide that kind of access. In my opinion, that feature should have a different name/configuration that makes it more obvious as to what is happening.

In your case, you'll just want to "share with everyone" and it will be available in their "my reports" section of the instance.