External Access for Security Incident Response Tasks

rcarmack1
Kilo Guru

When we stood up the Security Incident Response module, our request was that non-SOC members could not see the SIR, but could only be assigned SITs.  Based on this, the appropriate groups were given the "response_task" Type and can be assigned tasks.  However, we are having issues with these groups being able to see what is assigned to them.  At this point, no one can see any tasks unless they get assigned to that person specifically.  

Currently, no groups have the role "sn_si.external", which I've been taking a look at.  This seems to give users visibility under "My Work" when they are assigned something specifically, but unassigned tasks cannot be seen under "My Groups Work", which is what we are trying to accomplish. 

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey there,

You are on the right track.  It sounds like we've adjusted the table level write ACL for (sn_si_task) so far.

Check out the additional field level write ACL entries on (sn_si_task); many of them point to the "assigned_to" person as well.

Some of the field level ACLs point to fields that you may want external users to edit, and some of these you may not want external users to edit.

You can disable and re-create the appropriate write field level ACLs for (sn_si_task); that should get you a win.  (For example, you may not want those users to be able to write to the short_description, priority or cmdb_ci field, etc)...

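An added illustration of the point in the accepted solution (not part of the original thread, and not ServiceNow code): a simplified model in which a field is writable only when both the table-level write rule and that field's own write rule pass. The user, group and task values are constructed, and treating `state` and `work_notes` as the fields to open up is an assumption.

```javascript
// Simplified model of write-access evaluation (constructed for illustration;
// this is not ServiceNow's ACL engine). Assumption: a field is writable only
// if the table-level write rule passes AND that field's own write rule passes.
const isAssignee = (user, rec) => rec.assigned_to === user.id;
const inGroup = (user, rec) => user.groups.includes(rec.assignment_group);
const assigneeOrGroup = (user, rec) => isAssignee(user, rec) || inGroup(user, rec);

function writableFields(acls, user, rec) {
  if (!acls.table(user, rec)) return []; // table-level rule gates everything
  return Object.keys(acls.fields).filter((f) => acls.fields[f](user, rec));
}

// Constructed sample data: a task assigned to a group but to no person.
const groupTask = { assigned_to: '', assignment_group: 'network_ops' };
const member = { id: 'jdoe', groups: ['network_ops'] };
const outsider = { id: 'asmith', groups: ['helpdesk'] };

// Stage 1: only the table-level write rule was changed to include the group;
// every field-level rule still requires the assignee.
const tableOnly = {
  table: assigneeOrGroup,
  fields: {
    state: isAssignee, work_notes: isAssignee,
    short_description: isAssignee, priority: isAssignee, cmdb_ci: isAssignee,
  },
};

// Stage 2: field-level rules re-created only for fields group members should
// edit (state and work_notes are an assumed choice); the rest stay as before.
const fieldsFixed = {
  table: assigneeOrGroup,
  fields: { ...tableOnly.fields, state: assigneeOrGroup, work_notes: assigneeOrGroup },
};

console.log('table only  :', writableFields(tableOnly, member, groupTask));
console.log('fields fixed:', writableFields(fieldsFixed, member, groupTask));
console.log('non-member  :', writableFields(fieldsFixed, outsider, groupTask));
```

In the first stage the group member passes the table-level rule yet has no writable fields, which matches the "read only" symptom described in the thread.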

21 REPLIES

andy_ojha
ServiceNow Employee

Hey there,

Can confirm that what you are seeing is the baseline functionality.  

Users without at least 'sn_si.read', can only see the Response Tasks where they are the Assigned to (as in, Assignee).

As others have mentioned, your best bet would be to add new ACL entries on the Response Task table that align to access based on membership of the record's Assignment group, as opposed to being the Assignee - which is a totally reasonable requirement as folks go on vacation, etc.

The <sn_si.external> role won't really help out here; it primarily grants access to some of the baseline Application Modules and a Homepage for "external" folks to see their assigned Response Tasks - but again, driven by being the "assignee"...

Having `User Groups` set to the Type of "response_task" is needed here, for the Groups that we want to assign Response Tasks to, in combination with the adjusted ACLs.

Reference (New York):


@./andy-b2poYQ== or @Sanjiv Meher 

Thanks for the input so far.  I have modified the sn_si_task ACL to also include "gs.getUser().isMemberOf(current.assignment_group)".  However, nothing seems to have changed - the user can only see tasks assigned to him/her, but not unassigned tasks that are assigned to the group only.  The group also has the group type "response_task".  Am I still missing something?

Actually, replacing the isMemberOf with "gs.getUser().isMemberOf(current.assignment_group.getDisplayValue())" is now allowing the group assigned SITs to appear in My Groups Work.  However, these are only Read Access.  The write ACL isn't going into effect, only the read ACL (both were edited).

Hey, 

Did you get the solution? 🙂

Thank You!

Best Regards,

Manisha