‎02-15-2019 06:37 AM
Hi,
A member of the security team has asked me if there is a way to assign a security incident to an individual, so that only they can see it.
From my research, I can see that I would need to set up new groups so they are available for the Sec Ops team to select from, but I would then need to assign an sn_si role to this group, to enable the user to see the security incident.
This means the user could then see any other security incidents, which is not what we want to happen.
Is there any way that just 1 security incident can be assigned to someone, and no one else other than them or the security team can see it?
Thanks
Collette
Labels: Security Incident Response

‎02-15-2019 06:46 AM
Hey Collette - In your use-case, are you trying to assign the SIR record to someone that does not have an SIR role (asking based on the description of the post - i.e. Non-secops staff)...
There's actually a really neat baseline feature that offers a similar functionality for allowing non-SIR users access to SIR records.
There is a 'Special Access' role included with SIR (sn_si.special_access).
If you navigate to an SIR record, look for the list fields `Read access` and `Privileged access`. If you set a user into these fields, they can have special access to the SIR record, without having an SIR (sn_si.*) role.
This doesn't necessarily mean the SIR record is assigned to them, but they can either view or view/edit the explicit SIR record, where their account has been specified as either <read> access or <read/write> access to (Privileged access).
https://docs.servicenow.com/bundle/istanbul-security-management/page/product/security-incident-response/reference/r_UserRolesSecIncdRsp.html
-------------------
For restricting access to an SIR record (so that only the Assigned to person can see it), you'd be looking at locking down access to the SIR record for someone that has an SIR role..
So, I don't believe this would solve your use-case (granting someone outside of security, access to an SIR record so they can see it).
-------------------
To solve the use-case you are describing, can you explore using the Security Incident Task (SIT) / Response Tasks?
They are designed to assign work to folks outside of the Security Team.
Baseline, only the users that are set in the 'Assigned to' field can see the Security Response Tasks, and these folks usually do not have access to the SIR record. Users with SIR permissions can still see these Response Tasks, but users without SIR permissions can only see the Response Tasks assigned to them.
This is probably where you would solve your use-case rather than granting them access to the SIR record...
-------------------
Reference - Special Access
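
The access rules described in the answer above, modelled as a small exposure check. This is an added example, not part of the original post and not ServiceNow code: the record layout, field names, user names and record numbers are constructed assumptions, and the rules encoded are only those stated in the answer.

```python
from dataclasses import dataclass, field

@dataclass
class Incident:
    number: str
    read_access: set = field(default_factory=set)        # "Read access" list field
    privileged_access: set = field(default_factory=set)  # "Privileged access" list field

@dataclass
class ResponseTask:
    number: str
    parent: str        # number of the SIR record the task belongs to
    assigned_to: str

def incident_access(user, sir_users, inc):
    """Return how `user` reaches `inc`: 'role', 'read/write', 'read' or None."""
    if user in sir_users:               # holders of an SIR role see SIR records
        return "role"
    if user in inc.privileged_access:   # per-record view/edit
        return "read/write"
    if user in inc.read_access:         # per-record view only
        return "read"
    return None

def task_visible(user, sir_users, task):
    """Non-SIR users see only the Response Tasks assigned to them."""
    return user in sir_users or task.assigned_to == user

def exposure(users, sir_users, incidents, tasks):
    """For each user without an SIR role, list exactly what they can reach."""
    report = {}
    for user in sorted(set(users) - set(sir_users)):
        levels = {i.number: incident_access(user, sir_users, i) for i in incidents}
        report[user] = {
            "incidents": {n: lvl for n, lvl in levels.items() if lvl},
            "tasks": [t.number for t in tasks if task_visible(user, sir_users, t)],
        }
    return report

# Constructed sample data
SIR_USERS = {"analyst1"}
USERS = {"analyst1", "hr_contact", "legal_contact", "facilities"}
INCIDENTS = [
    Incident("SIR0001", read_access={"hr_contact"}, privileged_access={"legal_contact"}),
    Incident("SIR0002"),
]
TASKS = [ResponseTask("SIT0001", parent="SIR0002", assigned_to="facilities")]

if __name__ == "__main__":
    for user, seen in exposure(USERS, SIR_USERS, INCIDENTS, TASKS).items():
        print(user, seen)
```

A report like this gives the security team a per-user view to review: a user listed on one record reaches only that record, and a task assignee reaches the task without reaching its parent incident.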
‎02-15-2019 06:42 AM
The other thing you'll have to worry about is whether or not granting that role incurs extra cost.
I can't remember... does Security Incident have access to Incident Task? That might be a way to get non-secure information to a "neutral ground" that a common ITIL user could see.
The whole point of Security Incident is to provide eyes-only access, so I wouldn't try to solution THROUGH that barrier, but around it.

‎02-15-2019 07:00 AM
NICE!
‎02-15-2019 07:01 AM
Thanks both, I will have a play with that option and put it forward to the Sec Ops team. I will mark as correct answer for now, as it may take a while for the sec ops team to get back to me