Security Incident Response - Task view for non security groups

Ravish Shetty · ‎09-10-2019

hi all,

We have some security incident tasks assigned to some other teams who might need read-only access to the incident ticket and also the assigned task.

I tried assigning sn_si.external and sn_si.special_access but ithe users are still unable to see the task.

Ravish

andy_ojha · ‎09-10-2019

Hey Ravish,

To confirm -> it sounds like you want to have a user that is not a Security Analyst (or a traditional SIR user), to have limited access to certain SIR records? Are you potentially re-assigning these SIR records to these "external" folks", or creating Security Response Tasks (SITs)?

I don't believe using <sn_si.external> will solve that for you, however <sn_si.special_access> might partially get you there.

sn_si.external

Using <sn_si.external>, you would need to assign this <role> to SN Groups that you anticipate creating / assigning Security Incident Response Tasks to. So if you have an SIR, you can create multiple SITs (Response Tasks) to External Teams (e.g. Task to block an IP addr, or disable an account, etc).

You would not be assigning an SIR record to these Groups; you would be creating Response Tasks from the SIR, and assigning those to these Teams.

The baseline SIR functionality, is that you must assign the SIT to an actual Assignment group AND Assigned to {user}. Also, these users would not be able to navigate to the SIR record, that the SIT (Response Task) was created for.

There is an ACL entry on Response Tasks for users with <sn_si.external> -> which only allows them to see Response Tasks that are assigned to them at the {user} layer.

They will nav to "My work"... to see their relevant SITs (Response Tasks).

sn_si.special_access

Using <sn_si.special_access>, there is no need to explicitly assign this <role> to a Group or User.

When you navigate to an SIR record, and look at the "special permissions" fields such as `Read access` and `Privileged access` -> by putting a user into these fields, the system will automatically grant them this role. Then, when that user logs into SN, they have a limited view into the SIR app (even without having any sn_si.* <roles>).

These users will only be able either 'read' or 'edit' explicit SIR records, where they have been granted access to -> i.e. `Read access` and `Privileged access`.

They will nav to "Security Incident" -> "Incidents" -> "Visible to me"... to see their relevant SIRs.

Reference - sn_si.special_access

Reference - sn_si.external

View solution in original post

ServiceNow De17 · ‎11-12-2020

Hi Andy,

your answer was very helpful, thanks for that. I have a different scenario I hope if you could help me please.

I have a user who has snc_internal role and service_fulfiller , I should not give any sn_si. role to this user this is one restriction i have .

so far the user is able to access security incident tasks, the task which is assigned to him he can edit those tasks, which is fine. I have a problem with the tasks which is not assigned to him but the tasks are assigned to his group.

I need to make this user to be able to edit few fields of the task even if it is not assigned to him, only it is assigned to his group(Group tasks: Currently it is complete read only)

I also modified few ACL, i created a acl for one field due to which the user can edit that field, but he can edit it only when it is assigned to him. The group tasks he can not at all edit. I found read acls, write acls for sn_si_tasks.. modifying these did not help me.

Thank You 🙂