Security Incident Response - Task view for non security groups

Ravish Shetty
Tera Guru

Hi all,

We have some security incident tasks assigned to some other teams who might need read-only access to the incident ticket and also the assigned task.

I tried assigning sn_si.external and sn_si.special_access but the users are still unable to see the task.

Ravish

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey Ravish,

To confirm -> it sounds like you want to have a user that is not a Security Analyst (or a traditional SIR user) to have limited access to certain SIR records? Are you potentially re-assigning these SIR records to these "external" folks, or creating Security Response Tasks (SITs)?

I don't believe using <sn_si.external> will solve that for you, however <sn_si.special_access> might partially get you there.

sn_si.external

Using <sn_si.external>, you would need to assign this <role> to SN Groups that you anticipate creating / assigning Security Incident Response Tasks to.  So if you have an SIR, you can create multiple SITs (Response Tasks) to External Teams (e.g. Task to block an IP addr, or disable an account, etc).   

You would not be assigning an SIR record to these Groups; you would be creating Response Tasks from the SIR, and assigning those to these Teams. 

The baseline SIR functionality is that you must assign the SIT to an actual Assignment group AND Assigned to {user}.  Also, these users would not be able to navigate to the SIR record that the SIT (Response Task) was created for.

There is an ACL entry on Response Tasks for users with <sn_si.external> -> which only allows them to see Response Tasks that are assigned to them at the {user} layer. 

They will nav to "My work"...  to see their relevant SITs (Response Tasks).

sn_si.special_access

Using <sn_si.special_access>, there is no need to explicitly assign this <role> to a Group or User. 

When you navigate to an SIR record, and look at the "special permissions" fields such as `Read access` and `Privileged access` -> by putting a user into these fields, the system will automatically grant them this role.  Then, when that user logs into SN, they have a limited view into the SIR app (even without having any sn_si.* <roles>). 

These users will only be able to either 'read' or 'edit' explicit SIR records where they have been granted access -> i.e. `Read access` and `Privileged access`.

They will nav to "Security Incident" -> "Incidents" -> "Visible to me"... to see their relevant SIRs.

 

 

[Screenshots not available: reference for sn_si.special_access (two images) and reference for sn_si.external (one image)]

15 REPLIES

Hey Ravish,

Granting the <sn_si.external> role should be sufficient for your use-cases.  

  • This way, Teams outside of Security (e.g. who do not have <sn_si.analyst> or the other SIR roles) -> can be assigned Security Response Tasks and see their work.
  • This allows the Security Analyst (or your workflow), to create these Response Tasks for these external Teams
  • In the case of the Lost Mobile Device, the "Mobility Team" would receive a Response Task that they action, without needing access to the Parent SIR record.

If your Security Team has special scenarios, where they want to allow "non-Security" or "non-SIR" users to see or update an SIR record:

  • They can optionally add a specific SN User, to one of the `Read access` and `Privileged access` fields directly on the SIR record
  • This will automatically apply the <sn_si.special_access> role to the SN User 
  • You should not need to explicitly grant the <sn_si.special_access> role to users

Hope that helps.

That's great. Thanks for the response.

 

Ravish

What I've seen though is that the assignee cannot update the state of the task. When impersonating the assignee, I can update work notes but the State field goes blank along with the drop-down list. This is even with the sn_si.external role. Is there something else that needs to be set?

 

Just bumping this thread up to see if anyone was able to resolve this issue.

Thanks.

andy_ojha
ServiceNow Employee

Hey there,

If you are seeing the issue of users going to Response Tasks and not being able to choose any state value - there is a known issue for this, that I believe is resolved now.

What version of ServiceNow, and what version of Security Incident Response are you using?