Set record-level permissions in the Security Incident application
10-20-2023 11:06 AM
In the Security Incidents application, I'm looking for a technique to restrict access to the records. A user who is currently logged in can see and edit only records that he is assigned to.

10-25-2023 10:12 AM
Hey there - unfortunately no, this feature is managed by the SIR Admin persona.
That said - I don't think Security Tags and Enforce Restriction will meet your use-case - it only helps restrict Security Incidents to a given User Role (or Group). It won't help you restrict Security Incidents to the current Analyst (locked down to the Assigned to).
In order to fully lock down the Security Incident to only the 'Assigned To' person, you will have to create New ACLs, and possibly a custom role.
- ACLs require -> 'security_admin' role in ServiceNow.
Would strongly suggest looking at / starting with limiting access to the subset of Security Incidents tied to the Forensics Team. This way, those Security Incidents can only be accessed by the Forensics Team. This still offers the ability to lock down the records - and gives your users something to adopt and grow into.
Locking down the Security Incident to just the Analyst can be a future area.
As mentioned before - it can be done, but there may be some technical debt and process wrinkles to sort through.
Another idea - have a field on the SIR Record for the Forensics folks to track any sensitive data they have - and make that field read / visible to only them. That would get you the best of both worlds and balance your tech debt... You could lock that field down to a given role (via ACL), and get that role to the Forensics Team only.
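
One way the 'Assigned to' ACL script described in the reply above could look, as an added example that is not part of the original thread and not ServiceNow's own code. In a real ACL the platform supplies `gs` and `current` and reads the `answer` variable; here both objects are constructed stand-ins so the logic runs offline, and the `sn_si.admin` override, the function names and the sys_id values are assumptions.

```javascript
// Constructed stand-in for the platform's `gs` (GlideSystem) object.
function mockGs(userId, roles) {
  return {
    getUserID: function () { return userId; },
    hasRole: function (role) { return roles.indexOf(role) !== -1; }
  };
}

// Body of a record-level ACL script (read or write) on the Security Incident
// table. The function wrapper is hypothetical and exists only so the script
// can run outside the platform, where `answer` is read directly.
function assignedToOnlyAcl(gs, current) {
  var answer = false;
  // String() mirrors reading the sys_id out of the reference field.
  var assignee = String(current.assigned_to || '');
  if (gs.hasRole('sn_si.admin')) {
    // Assumption: SIR administrators keep access to every record.
    answer = true;
  } else if (assignee !== '') {
    // Fail closed: an unassigned record never matches any analyst.
    answer = assignee === String(gs.getUserID());
  }
  return answer;
}

// Constructed sample records; numbers and sys_ids are made up.
var sampleIncidents = [
  { number: 'SIR0000001', assigned_to: 'a1' },
  { number: 'SIR0000002', assigned_to: 'b2' },
  { number: 'SIR0000003', assigned_to: '' }
];

// Returns the incident numbers the ACL would let this user through to.
function visibleTo(gs) {
  return sampleIncidents
    .filter(function (rec) { return assignedToOnlyAcl(gs, rec); })
    .map(function (rec) { return rec.number; });
}
```

A user passes when any one ACL matching the same table and operation grants access, so existing ACLs that let the analyst role read or write Security Incidents have to be reviewed alongside the new one.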
10-25-2023 10:26 AM
Hello,
I like your idea of creating a new field and locking that field down to a given role. How about a Major incident module? Can I accomplish my goal there?
Thanks