Need to allow sn_si.external role users to read SIR records
03-24-2025 07:44 AM - edited 03-24-2025 07:44 AM
Hi Team,
We need to allow sn_si.external users to read the SIR records of their department alone. To achieve that we have created a read ACL on sn_si_incident,* (table + fields) and gave it the role (sn_si.external), but that ACL is not working: when impersonating a user having the sn_si.external role we cannot see any SIR record.
Kindly suggest. Thank you,
Pooja
03-24-2025 07:47 AM
Is any query BR blocking?
Did you debug using Access Analyzer and see which ACL is blocking?
Did you create a table.None READ ACL as well?
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
03-24-2025 07:56 AM
Hi Ankur,
Thank you for quick response,
1. Any query BR blocking? There is one OOB BR, Omit Restricted Security Incidents, but I do not think it should be blocking.
2. We tried enabling debugging but cannot see the exact one.
3. Yes, we tried creating table.None as an extra ACL as well, but no help.

03-24-2025 08:47 AM
Generally speaking - the <sn_si.external> role and SIR External User Persona - would not have access to Security Incidents. They primarily work with Security Incident Response Tasks.
It sounds like you'll need to venture down the path of customization here depending on your requirement.
Can you share a bit more about the use-case? What is the persona in question, will they only need read access to Security Incidents or also Response Tasks?
How will the ACLs dynamically know, which records to filter and grant access to?
Security Incidents are assigned to User Groups and not Departments, by chance is the requirement to grant Read access to Security Incidents that are assigned to their Team (i.e. User Group) - for a subset of users that are not acting as Security Analysts?
There is a read role in SIR - but that grants access to all Security Incidents (read) regardless of who the Security Incident is assigned to.
You may want to venture down the path of investigating introducing a new role in the <sn_si> scope, for the table (presumably Security Incidents), and then you structure your ACL accordingly to grant them Read access to the subset of records based on your condition. You'll have to plan for the logic of taking something from the currently logged in user and searching against the fields on the SIR record (e.g. Assignment group, etc).
If you have not already explored the NOW Platform "Access Analyzer", I would check that out - it is a neat utility for your configuration efforts to see how a user is granted or denied access to a given record, compare permissions between two different users, etc. -> https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/identity/concept/ac...
03-24-2025 10:38 PM
Hi @andy_ojha, here is the use case (on domain separation):
1. We have created a custom field called BU on the group table, referring to the business_unit table.
2. We have also created a custom field BU on SIR, which also refers to business_unit.
3. Users with sn_si.external should see SIR records under the following conditions:
If a user is part of a group with BU X, they should see only SIR records with BU X.
If a user is part of more than one group, they should be able to see the SIR records of those BUs.
We are trying to create a read ACL with the sn_si.external role, with a script that fetches the BUs of the user's groups, matches them against the BU of the SIR and returns true, but we are failing to achieve this.
Thanks,
Pooja
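One way to structure the record-level read ACL script described in this thread, as an added example that is not from any poster or from ServiceNow's own code. It assumes hypothetical column names u_bu on sys_user_group and on sn_si_incident (both references to business_unit); the decision logic is kept in a pure function so it can be tested outside the platform, and the platform-only part is the GlideRecord lookup that feeds it.

```javascript
// Added example; not the thread's or ServiceNow's own code.
// Assumed hypothetical field names: u_bu on sys_user_group, u_bu on sn_si_incident.

// Pure decision: grant read only when the record's BU is one of the BUs of the
// user's active groups. A record with no BU is denied (fail closed), so records
// that pre-date the custom field do not leak to external users.
function buAllowsRead(userGroupBUs, recordBU) {
  if (!recordBU) {
    return false;
  }
  for (var i = 0; i < userGroupBUs.length; i++) {
    if (userGroupBUs[i] === recordBU) {
      return true;
    }
  }
  return false;
}

// Platform-only part (GlideRecord and gs are ServiceNow globals; runs only there):
// collect the BU sys_ids of every active group the user is a member of.
function collectUserGroupBUs(userSysId) {
  var bus = [];
  var gm = new GlideRecord('sys_user_grmember');
  gm.addQuery('user', userSysId);
  gm.addQuery('group.active', true);
  gm.addQuery('group.u_bu', '!=', '');   // hypothetical BU field on the group
  gm.query();
  while (gm.next()) {
    var bu = gm.group.u_bu.toString(); // dot-walk to the referenced business_unit sys_id
    if (bus.indexOf(bu) === -1) {
      bus.push(bu);
    }
  }
  return bus;
}

// Body of the sn_si_incident read ACL (role: sn_si.external). In the ACL script
// field the final statement is:  answer = sirReadAllowed(current);
function sirReadAllowed(current) {
  return buAllowsRead(collectUserGroupBUs(gs.getUserID()), current.getValue('u_bu'));
}
```

The row-level script only decides the answer for records that reach it: the role still needs a passing table-level ACL, and query business rules such as the OOB "Omit Restricted Security Incidents" mentioned above filter rows before ACLs run, which is what Access Analyzer will show when a record never appears.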