When we asked our customers how we could improve identity and access management on the platform, one theme was clear: “It’s difficult to understand why someone can or cannot access a resource; I need better visibility into who has access to what.” We learned that while this primarily applied to resolving access-related incidents (a security risk or a productivity blocker), it also applied to testing new access controls for apps and to efforts around managing data integrity and access. We also learned that while we have native ACL debugging tools, their usefulness was limited by the experience and expertise with access controls needed to use them and interpret the results. Furthermore, even with access logging data there were gaps in understanding which access controls are applied, in what order, and to which resources. Fundamentally, our customers wanted a simplified view of the relationship between identities and resources on the platform.
Today, we are delighted to announce that we are improving access visibility on the Now Platform.
ServiceNow Access Analyzer, a key element of the Vancouver release, answers why a user, group, or role can or cannot access a resource. It’s a critical component of identity and access management (who should have access to what vs. what is actually granted), of mitigating digital risk (access misconfiguration), and of ensuring productivity (an identity that should have access but is blocked). To achieve these outcomes, we are empowering platform admins, security admins, developers, and support teams to take four simple steps using a self-service Store application.
- Define your evaluation criteria.
- Review access results (is access allowed or denied).
- Dive into the details.
- Act.
Step 1 – Define your evaluation criteria
We started with the most common inquiries (based on support cases) for access visibility. The interface makes it easy to select users, groups, or roles and evaluate their access to critical resources such as tables, client-callable script includes, UI pages, and REST endpoints. We wanted enough granularity for a robust solution while keeping usability high and the barrier to entry low.
Step 2 - Review access results
Next, we focused on making the results clear. One challenge Access Analyzer overcomes is that, with the various types of access controls on the platform, it can be difficult to understand which are applied, in what order, to which resources, and what the overall result is. Access Analyzer addresses this by presenting results in evaluation order, with their status (allowed or denied) and the ACL roles that may be required for an operation.
As for what is evaluated, the initial launch supports scripts, iAccessHandlers, data filters, and ACLs (we know there are more). These apply to specific operations such as read, write, report_on, etc. Each evaluated control is shown as passed/granted, blocked/denied, skipped, or no rule defined, which makes the overall picture of access easier to reconstruct. Note that a caution indicates the presence of a script; because scripts can be dynamic or contextual, their specific logic must be reviewed for a complete picture of access. Again, simplicity was key: our goal was to make sense of access permissions in the most intuitive way we can (and we know we can get better over time, for example by adding visualizations and comparing users).
Step 3 – Dive into the details
We wanted to extend the capabilities of our existing ACL debugging tools while making the output readable and actionable. Here again we help with understanding the order of operations, which access controls (mainly business rules, ACLs, and security attributes) govern access, and what roles may be required to change the result to “Passed”.
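To make the evaluation-order, status, and "roles required to pass" ideas from Steps 2 and 3 concrete, here is a small access evaluator written for this post. It is an added, simplified model, not Access Analyzer's code and not ServiceNow's ACL engine: the control shape (target, operation, roles, condition, script), the per-level combination rule, and the sample controls and users are all constructed assumptions. What it shows is how a per-control status (passed, denied, skipped, no rule defined), a script caution, and the set of roles that would flip a denied level to passed fall out of an ordered evaluation.

```javascript
// Simplified model of ordered access-control evaluation, added here for
// illustration. It is NOT ServiceNow's ACL engine; the control shape, the
// level-combination rule and the sample data below are constructed assumptions.

const STATUS = Object.freeze({
  PASSED: "passed",            // all checks on an applicable control passed
  DENIED: "denied",            // an applicable control blocked the operation
  SKIPPED: "skipped",          // control does not apply to this operation/target
  NO_RULE: "no rule defined",  // nothing applicable at this level
});

// Targets are "table" or "table.field"; the level is derived from the target.
function levelOf(control) {
  return control.target.includes(".") ? "field" : "table";
}

function appliesTo(control, ctx) {
  const targets = [ctx.table];
  if (ctx.field) targets.push(ctx.table + "." + ctx.field);
  return control.operation === ctx.operation && targets.includes(control.target);
}

// Checks run in the order roles -> condition -> script; the first failing check
// decides the status. Any one of the listed roles satisfies the role check.
function evaluateControl(control, ctx) {
  const r = { name: control.name, level: levelOf(control), status: STATUS.SKIPPED,
              reason: "", caution: false, rolesToPass: [] };
  if (!appliesTo(control, ctx)) {
    r.reason = "does not apply to " + ctx.operation + " on " + ctx.table +
               (ctx.field ? "." + ctx.field : "");
    return r;
  }
  // A script is dynamic/contextual, so flag it for manual review whatever it returns.
  r.caution = typeof control.script === "function";
  const roles = control.roles || [];
  if (roles.length > 0 && !roles.some((role) => ctx.userRoles.includes(role))) {
    r.status = STATUS.DENIED;
    r.reason = "user lacks a required role";
    r.rolesToPass = roles.slice(); // granting any of these flips this control to passed
    return r;
  }
  if (typeof control.condition === "function" && !control.condition(ctx)) {
    r.status = STATUS.DENIED;
    r.reason = "condition evaluated to false";
    return r;
  }
  if (r.caution && !control.script(ctx)) {
    r.status = STATUS.DENIED;
    r.reason = "script returned false";
    return r;
  }
  r.status = STATUS.PASSED;
  r.reason = "roles, condition and script all passed";
  return r;
}

// Evaluate controls in list order (the order shown to the user) and combine by
// level: a level is allowed when at least one applicable control passed, and
// every level that has an applicable control must be allowed. Modelling
// assumption: a level with no applicable control is reported as "no rule
// defined" and does not block on its own.
function analyzeAccess(controls, ctx) {
  const details = controls.map((c) => evaluateControl(c, ctx));
  const levels = {};
  for (const d of details) {
    if (!(d.level in levels)) levels[d.level] = STATUS.NO_RULE;
    if (d.status === STATUS.SKIPPED) continue;
    if (d.status === STATUS.PASSED) levels[d.level] = STATUS.PASSED;
    else if (levels[d.level] !== STATUS.PASSED) levels[d.level] = STATUS.DENIED;
  }
  const allowed = Object.values(levels).every((s) => s !== STATUS.DENIED);
  // Roles that would turn a still-denied level into "passed".
  const rolesToPass = [...new Set(
    details.filter((d) => levels[d.level] === STATUS.DENIED).flatMap((d) => d.rolesToPass)
  )];
  const caution = details.some((d) => d.caution && d.status !== STATUS.SKIPPED);
  return { allowed, levels, details, rolesToPass, caution };
}

// Constructed sample controls (hypothetical, not shipped platform rules).
const SAMPLE_CONTROLS = [
  { name: "incident write (table)", target: "incident", operation: "write", roles: ["itil"] },
  { name: "incident.priority write (field, role)", target: "incident.priority", operation: "write", roles: ["itil_admin"] },
  { name: "incident read (table)", target: "incident", operation: "read", roles: [] },
  { name: "incident.priority write (field, assignee script)", target: "incident.priority", operation: "write",
    roles: [], script: (ctx) => ctx.record.assigned_to === ctx.userId },
];

// Constructed evaluation context: the record under test is assigned to user "u2".
function sampleContext(userId, userRoles, operation, field) {
  return { userId, userRoles, operation, table: "incident", field, record: { assigned_to: "u2" } };
}

function summarize(result) {
  return result.details.map((d) => `${d.status.padEnd(15)} ${d.name}: ${d.reason}`).join("\n") +
    `\n=> ${result.allowed ? "ALLOWED" : "DENIED"}` +
    (result.rolesToPass.length ? `; roles that would pass: ${result.rolesToPass.join(", ")}` : "") +
    (result.caution ? "; caution: script logic present, review it" : "");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(summarize(analyzeAccess(SAMPLE_CONTROLS, sampleContext("u1", ["itil"], "write", "priority"))));
}
```

Run as-is, the sample reports user u1 (role itil) as denied write on incident.priority: the table-level control passes, the read control is skipped, the field-level role control is denied with itil_admin listed as the role that would pass, and the assignee script is denied with a caution because it is a script. Changing the user to u2 (the assignee) makes the script control pass and the overall result allowed without any role change, which is exactly the kind of "why" a reviewer needs before granting a role instead of fixing a script.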
Step 4 – Act
We wanted to make sure Access Analyzer drives action. After evaluating and interpreting the results, we provide several options to act on them: an Export button for sharing results, the ability to click a user, group, or role to modify group assignments, and the ability to modify an access control and its policy.
You can also “Reanalyze” your evaluation criteria to see how changes to a user, group, role, or access control policy affect overall access to the same resource. The same evaluation criteria are used, and the new results simply appear in the existing list with newer timestamps.
Lastly, we wanted to provide a way to test the impact of changes over time. At any moment you can review the run history to examine past results and the evaluation criteria that were defined.
We are confident that these four steps, while simple, will help your organization achieve the benefits we described.
Summary
ServiceNow Access Analyzer is an application that helps customers gain visibility into and understand access permissions to resources on the ServiceNow platform. Understanding access permissions is a critical request from customers and a first step toward better visibility into “who has access to what” on the platform. It can be used for a variety of use cases, including risk remediation, security posture improvement, incident resolution, and application security design.
We are offering it as a value-add to the platform because we see it as an essential tool for those responsible for platform security and identity and access management. We would be delighted to hear how we can continue to improve its capabilities, and which use cases could be better served when paired with Access Analyzer.
Next Steps...
- Download Access Analyzer from ServiceNow App Store
- Access Analyzer Overview Video
- Provide your comments and feedback on this post and give us a review on the ServiceNow store
- We will be posting regularly, including updates and teasers of our roadmap
For more information visit: ServiceNow Zero Trust Access
Additional References:
Live Coding Happy Hour Demo and Overview