02-28-2020 08:57 AM
When we stood up the Security Incident Response module, our request was that non-SOC members could not see the SIR, but could only be assigned SITs. Based on this, the appropriate groups were given the "response_task" Type and can be assigned tasks. However, we are having issues with these groups being able to see what is assigned to them. At this point, no one can see any tasks unless they get assigned to that person specifically.
Currently, no groups have the role "sn_si.external", which I've been taking a look at. This seems to give users visibility under "My Work" when they are assigned something specifically, but unassigned tasks cannot be seen under "My Groups Work", which is what we are trying to accomplish.
Labels: Security Incident Response

03-02-2020 01:44 PM
Hey there,
You are on the right track. It sounds like we've adjusted the table level write ACL for (sn_si_task) so far.
Check out the additional field level write ACL entries on (sn_si_task); many of them point to the "assigned_to" person as well.
Some of the field level ACLs point to fields that you may want external users to edit, and some of these you may not want external users to edit.
You can disable and re-create the appropriate write field level ACLs for (sn_si_task); that should get you a win. (For example, you may not want those users to be able to write to the short_description, priority or cmdb_ci fields, etc.)
11-12-2020 11:24 AM
Hi Andy,
What exactly should be done here? I need my group members to be able to access the security tasks, and they should be able to access the assigned to field, etc. There are two write ACLs which are making the complete form read only:
sn_si_task
sn_si_task.*
I removed both the lines of code, and added my roles snc_internal and sn_si.external in the Roles rows in the write ACL for sn_si_task (the one which you have given in the screenshot), but it still did not work; the group members are still not able to edit the assigned to field. I have even removed the code from the sn_si_task.Assign_To write ACL.
Thank You!
Best Regards,
Manisha Maurya
06-29-2021 04:45 AM
Would just like to add that we requested ServiceNow to change this functionality. Roles with sn_si.external and type = Response Task can now (Quebec) see assigned and unassigned Response Tasks assigned to the group.
Edit: It seems it hasn't been fixed. See replies under Mihir's comment for solution.
I commented that it was fixed because ServiceNow has agreed that it is an issue and said they would provide a fix in the next major release, which was Quebec back then. We've had multiple tickets with them on this, explaining the principle of least privilege. The last ticket was fixed in December 2021; the first ticket was created some time in 2020.
They have been saying that this design is intended behavior, however I've multiple times explained the flaws and it seems they have finally come around to understand the issue with the latest tickets I've had with them.
01-05-2022 04:31 AM
My instance is in Rome version and it still behaves the old way!
01-05-2022 04:37 AM
That's unfortunate, ServiceNow said they would fix it in the upcoming release at the time, which was Quebec. Let me see if I can find the XML files they provided to fix it.
01-05-2022 05:18 AM
Alrighty, these are all the issues we've had with response tasks and how to solve them. All solutions have been provided by ServiceNow.
Some backstory first:
We want everyone to be able to work on response tasks, just the same as regular tasks. The good thing with Response Tasks and sn_si.external is that users can only see response tasks assigned to themselves (and with this solution provided, the group). We want this to work the same way as Incidents and Tasks. Helpdesk has control of the ticket and creates tasks when something needs to be done -> SOC owns the ticket, creates response tasks to be remediated by other teams.
The problem is when your company is quite large. Our SOC does not know which user can do what or happens to be sick; they only know that team A can fix problem A. Let's say you have a team of Windows engineers, and they don't work with Security Incidents. Principle of least privilege: they are not given access to security incidents. However, Team Windows has to be able to solve Windows issues that arise in Security Incidents, so our SOC creates and assigns response tasks. That way, SOC owns the ticket and can follow up/report/escalate whilst Team Windows only needs to focus on fixing whatever is in the response task.
TLDR: We have to be able to assign response tasks to groups outside SecOps
1. XML ACL rules to allow sn_si.external to see response tasks assigned to group.
Import the XML ACL to allow users to view group response tasks (1).xml
2. Disable rule <Assign to self> which will allow you to give response tasks to groups, and not just users.
https://YOUR-INSTANCE.service-now.com/sys_script.do?sys_id=7e7cfbf3b3f00300bfba81a516a8dcd5&sysparm_view=default&sysparm_view=default&sysparm_domain=null&sysparm_domain_scope=null&sysparm_record_row=1&sysparm_record_rows=41&sysparm_record_list=collection%3dsn_si_task%5eORcollectionINsn_si_task%2csm_task%2ctask%5ename%3e%3dInitially+assign+task+to+self%5eORDERBYname
3. When adding sn_si.external to groups outside SecOps, only sn_si.admin can modify group (add/remove users to that group)
When giving any sn_si. role to a group, only sn_si.admin can modify that group. We want sn_si.external to be excluded from that rule so Managers can again have control over their group.
From ticket:
Solution Proposed:
I was able to discover several approaches that can provide the required functionality:
1. Creating a scheduled job that would be run as a user with sn_si.admin role and is going to be adding the sn_si.external role to the users.
(please note that this functionality would be a custom implementation, and we would only be able to provide you a general guidance in developing this functionality)
2. Creating a new role in the Global scope - please see KB for more details:
https://support.servicenow.com/kb?id=kb_article_view&sys_kb_id=ca0472bcdb8438d066e0a345ca961980
3. Create a new one or use one of the existing roles that would be set in the 'assignable by' in the sn_si.external role.
(please refer to screenshots for more guidance)
4. If you wish to see this functionality in future releases please consider creating an enhancement request on the Idea Portal.
The Idea Portal is a new and improved method for you to submit product enhancement requests, view what others have submitted, vote on your favourite ones, and get feedback from ServiceNow product management.
We went for number 2, created a new sn_si.external role in Group scope and added the sn_si.external role to that role again.
4. Users with sn_si.external cannot assign response tasks to themselves (read only) when response task is only assigned to group
Import XML ACL to allow users assign response tasks to themselves.xml.xml from attachment
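An added example, not code from this thread or from ServiceNow, that models the two ACL decisions steps 1 and 4 above ask for on sn_si_task (read access via group membership, and write access on assigned_to so a group member can take an unassigned task) as plain functions over constructed sample users and tasks, so the intended behaviour can be checked offline before touching ACLs in an instance. The user, group and task records are constructed; SOC roles such as sn_si.analyst are covered by separate out-of-box ACLs and are not modelled.

```javascript
// Offline model of the ACL logic for sn_si_task described in the thread.
// In the instance the read rule would be an ACL script on sn_si_task
// (operation read, role sn_si.external) along the lines of:
//   answer = current.assigned_to == gs.getUserID() ||
//            gs.getUser().isMemberOf(current.assignment_group.toString());
// Everything below is constructed sample data, not from any real instance.

const USERS = {
  alice: { sysId: "u_alice", roles: ["sn_si.external"], groups: ["g_windows"] },
  bob:   { sysId: "u_bob",   roles: ["sn_si.external"], groups: ["g_linux"] },
  dave:  { sysId: "u_dave",  roles: [],                 groups: ["g_windows"] },
};

const TASKS = [
  { number: "SIT0001", assignedTo: "u_alice", assignmentGroup: "g_windows" },
  { number: "SIT0002", assignedTo: "",        assignmentGroup: "g_windows" }, // group only
  { number: "SIT0003", assignedTo: "",        assignmentGroup: "g_linux" },   // group only
];

function hasExternalRole(user) {
  return user.roles.includes("sn_si.external");
}

// Read ACL (step 1): an sn_si.external user sees a response task only if it
// is assigned to them directly or to a group they are a member of.
function canReadResponseTask(task, user) {
  if (!hasExternalRole(user)) return false;
  if (task.assignedTo === user.sysId) return true;
  return task.assignmentGroup !== "" && user.groups.includes(task.assignmentGroup);
}

// Write ACL on assigned_to (step 4): a group member may take a task that is
// assigned to their group but not yet to a person.
function canAssignToSelf(task, user) {
  return canReadResponseTask(task, user) &&
         task.assignedTo === "" &&
         user.groups.includes(task.assignmentGroup);
}

// "My Groups Work" as the original question wants it: unassigned tasks the
// user can see through group membership.
function myGroupsWork(user) {
  return TASKS.filter((t) => t.assignedTo === "" && canReadResponseTask(t, user))
              .map((t) => t.number);
}
```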