Restrict the user's access based on Multiple Levels

jaanamchawla
Tera Contributor

I need to fulfill a requirement in ServiceNow to restrict the user's access based on region, then based on data, there are 2 levels of filter or checks after that it will be decided whether that user can read that read or not.  I want to keep the data restricted for platform users and integration users (both).

Lets take an example :
I want an agent user of particular region should be able to see only his region's records.  Similarly I want to add multiple filters like:

Demographic Based:
-Region (like APAC, EA)
-Country (India, Japan)
-Zone (CEET)
-Business Line (AU, MX, TR, MGN)

Then Data Based:
Business Line (AU, MX, TR, MGN)
Business Organization (IT, CS, SL)
Sales Type (HW1, SW
1,DG1)

Can sales territory management fulfill this requirement? If not what will be the best approach to fulfull this requirement?

-Before Query Business Rules?
-ACLs?

1 REPLY 1

pavani_paluri
Kilo Sage

Hi @jaanamchawla,

 

For this requirement, Sales Territory Management (STM) is not the right solution.

STM is designed for account/opportunity ownership, territory assignment, and sales alignment, not as a platform-wide data security framework. While territory data can influence visibility in Sales applications, it will not provide a scalable and secure mechanism to enforce record-level access across all platform users and integration users.

 

For your use case, I would recommend using ACLs as the primary security mechanism, with Before Query Business Rules as an optional performance optimization.

 

We need to restrict record visibility based on multiple dimensions such as Region, Country, Zone, Business Line, Business Organization, and Sales Type. These restrictions should apply consistently to both platform users and integration users.

 

Since this is fundamentally a record-level security requirement, ACLs are the most appropriate solution. ACLs are enforced across the platform, including forms, lists, APIs, Workspace, and integrations, ensuring that unauthorized users cannot access records even if they know the record's Sys ID.

 

A scalable approach would be to maintain the access attributes (Region, Country, Zone, Business Line, Business Organization, Sales Type) against users through a mapping table or related records. The ACL can then evaluate whether the user's allowed values match the values on the record before granting access.

Before Query Business Rules can be used in addition to ACLs to filter records from list views and improve performance by reducing the volume of data returned to users. However, they should not be relied upon as the sole security mechanism because they do not provide complete protection across all access channels.

 

Therefore, the recommended design is:

ACLs → Primary security enforcement.
Access Mapping Table → Store user-to-region/business access relationships.
Before Query Business Rules (optional) → Improve user experience and query performance by pre-filtering records.

This approach will ensure that both agent users and integration users can only access records that match their permitted Region, Country, Zone, Business Line, Business Organization, and Sales Type combinations.

 

Mark it helpful if this helps you to understand. Accept solution if this give you the answer you're looking for
Kind Regards,
Pavani P