Security Incident Response - Task view for non security groups

Ravish Shetty · ‎09-10-2019

hi all,

We have some security incident tasks assigned to some other teams who might need read-only access to the incident ticket and also the assigned task.

I tried assigning sn_si.external and sn_si.special_access but ithe users are still unable to see the task.

Ravish

andy_ojha · ‎09-10-2019

Hey Ravish,

To confirm -> it sounds like you want to have a user that is not a Security Analyst (or a traditional SIR user), to have limited access to certain SIR records? Are you potentially re-assigning these SIR records to these "external" folks", or creating Security Response Tasks (SITs)?

I don't believe using <sn_si.external> will solve that for you, however <sn_si.special_access> might partially get you there.

sn_si.external

Using <sn_si.external>, you would need to assign this <role> to SN Groups that you anticipate creating / assigning Security Incident Response Tasks to. So if you have an SIR, you can create multiple SITs (Response Tasks) to External Teams (e.g. Task to block an IP addr, or disable an account, etc).

You would not be assigning an SIR record to these Groups; you would be creating Response Tasks from the SIR, and assigning those to these Teams.

The baseline SIR functionality, is that you must assign the SIT to an actual Assignment group AND Assigned to {user}. Also, these users would not be able to navigate to the SIR record, that the SIT (Response Task) was created for.

There is an ACL entry on Response Tasks for users with <sn_si.external> -> which only allows them to see Response Tasks that are assigned to them at the {user} layer.

They will nav to "My work"... to see their relevant SITs (Response Tasks).

sn_si.special_access

Using <sn_si.special_access>, there is no need to explicitly assign this <role> to a Group or User.

When you navigate to an SIR record, and look at the "special permissions" fields such as `Read access` and `Privileged access` -> by putting a user into these fields, the system will automatically grant them this role. Then, when that user logs into SN, they have a limited view into the SIR app (even without having any sn_si.* <roles>).

These users will only be able either 'read' or 'edit' explicit SIR records, where they have been granted access to -> i.e. `Read access` and `Privileged access`.

They will nav to "Security Incident" -> "Incidents" -> "Visible to me"... to see their relevant SIRs.

Reference - sn_si.special_access

Reference - sn_si.external

View solution in original post

Suraj35 · ‎04-16-2020

Thank you for getting back to me.

We are currently on the New York release, and the plugin version of SIR are as follows:

1. Security Incident Response - 9.0.1.

2. Threat intelligence - 9.0.1

3. Security support orchestration - 9.0.0

I will update the plugins and see if this fixes it.

Thanks again.

andy_ojha · ‎04-16-2020

Got it - a known issue that had this same impact was fixed in London, and appeared when Customer Service plugin was installed on the same instance.

By chance, has SIR been installed since ~Kingston on this instance, and upgraded since?

I'd open up a HI Support Ticket for a better look, it could be related to that known issue -or it might be different which they'd be better analyze:
- https://hi.service-now.com/kb_view.do?sysparm_article=KB0690258

Suraj35 · ‎04-16-2020

No, this would be a new NY instance. We did the required plugin updates, and this has indeed fixed the state field issue. Thank you for your help.

I will open an HI ticket.

Lord Omicron · ‎04-16-2020

We're on Madrid. Hi Ticket's been open for over a month now with no progress. on Version 9.0.1. We do not have Customer Service plugin installed.

Chris McDevitt · ‎04-17-2020

Suraj,

@Lord Omicron

Here is what I would do. Take a look at the ProcessDefinitionAjax 'execute' ACL and adjust it or adjust your users accordingly.