on 04-20-2022 12:13 AM
Intro
Application development on the Now Platform can help developers of all levels be faster and more efficient in delivering value. Low-code and no-code development can enable organisations to expand their application development beyond their development teams to include citizen developers who can further support speed and innovation.
On the other hand, a development leader or a technical architect will always be necessary to help guide or coach development across the company and harmonise the development activities. The development lead is expected to be someone with advanced Now Platform knowledge who can design, build, and customise ServiceNow applications and services.
The actors mentioned in the previous paragraph will work across the enterprise, supporting the development lifecycle. They should have a software development background enhanced by training in ServiceNow system administration, scripting, and application creation.
With this article, we want to stress the importance of knowing ServiceNow’s existing applications architecture before creating a solution for a new custom app or supporting a project where a custom app is required.
Personal and Sensitive Data - A Common use case
ServiceNow App Engine allows the creation of different types of powerful digital workflow apps to connect people and processes. Any organisation can easily cover the following areas.
- Service management to improve access to service and increase service efficiency.
- Orchestration to connect complex systems, people, and processes together in a single digital workflow.
- Engagement Portals to provide users a consistent, consumer-like experience for all service requests.
- Case Management to capture and track a wide range of interactions with people and companies.
Industries such as Education (primary, secondary and higher education), Healthcare and Life Science can be perfect candidates for creating new innovative applications in ServiceNow. Unfortunately, the information they need to manage and handle is highly regulated and requires superior security and care.
If a company wants to manage students’ or patients' information on the Now Platform, the industries mentioned in the previous paragraph will inevitably need to store sensitive and personal data.
Details about general and specific health conditions (e.g. mental) affecting patients, marks, exam results or disciplinary curriculum fall under the category of sensitive data according to GDPR. We have a perfect storm once we add further necessary details such as date of birth, social security numbers, residential address, and family details (e.g. relatives, siblings).
Users or something else
It does not matter whether we are creating a custom application to support students or patients; we still need a place to store the data, and the Now Platform baseline database is where the search starts.
Suppose we apply simple logic when thinking about students or patients and follow ServiceNow's golden rule and best practice of leveraging the existing platform's capabilities. In that case, we can identify them as users. This brings us to the 'User' [sys_user] table, one of the essential pieces of foundation data available in the system, as a possible solution for our use cases.
If we study the existing sixty-two columns available in the dictionary, it’s easy to see that the information in the table is intended to define a corporate user and is used for authentication. Nothing sensitive is stored, apart from a few columns that can be considered personal (e.g. home phone, email, name and surname).
Compared with the baseline approach followed by ServiceNow, we need something different: a design that leaves the current architecture untouched while granting a higher level of security. These are not your ordinary ServiceNow users, and to get a possible solution, we can take inspiration from a specific application.
The HR application lesson.
If we look around, Human Resources is one application with a few interesting points of contact with the use cases previously introduced. HR professionals require access to confidential and sensitive data, such as names, personal contact information, email addresses, employment history, and contacts. The data must be segregated from other processes, and access must be restricted for the admin role as well.
In the ServiceNow HR application, the sensitive data has not been added to the existing 'User' [sys_user] table, nor has that table been extended to create a new class of users. ServiceNow core designers decided to decouple the information by creating a brand-new scoped table named 'HR Profile' [sn_hr_core_profile].
HR Employee Profile enables the organisation to access and track employee information throughout the period of employment and beyond. HR profile records are associated with user records through a reference field, but unlike user records, HR profile records are stored confidentially and are not publicly viewable.
We can apply the same principle to any application that requires a higher level of security, creating a bastion around the information. A mix of ACLs, basic scoped application rules about data separation and, if necessary, a restricted caller access setup will make things bulletproof.
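The decoupling described above can be sketched as a small model. This is an added example, not ServiceNow code and not the platform's ACL engine: the `x_acme_student_profile` table, the `x_acme_student.profile_reader` role and all records are hypothetical, and access evaluation is reduced to a role check plus an admin-override flag.

```javascript
// Simplified model of the HR Profile pattern; names prefixed x_acme are hypothetical.
const tables = {
  // Baseline user table: corporate identity only, nothing sensitive.
  sys_user: [
    { sys_id: 'u1', name: 'Ada Example', email: 'ada@example.test' }, // constructed record
  ],
  // Scoped profile table: sensitive fields, linked by a reference to sys_user.sys_id.
  x_acme_student_profile: [
    { sys_id: 'p1', user: 'u1', date_of_birth: '2001-02-03', health_notes: 'constructed sample' },
  ],
};

// One read rule per table: required roles (empty = any authenticated user)
// and whether the admin role may bypass the role requirement.
const readAcls = {
  sys_user: { roles: [], adminOverrides: true },
  x_acme_student_profile: { roles: ['x_acme_student.profile_reader'], adminOverrides: false },
};

function canRead(caller, table) {
  const acl = readAcls[table];
  if (!acl) return false; // default deny when no rule exists
  if (acl.adminOverrides && caller.roles.includes('admin')) return true;
  return acl.roles.length === 0 || acl.roles.some((r) => caller.roles.includes(r));
}

// Resolve a user and, only if the caller is allowed, the linked profile.
function lookup(caller, userSysId) {
  const result = { user: null, profile: null };
  if (canRead(caller, 'sys_user')) {
    result.user = tables.sys_user.find((u) => u.sys_id === userSysId) || null;
  }
  if (canRead(caller, 'x_acme_student_profile')) {
    result.profile = tables.x_acme_student_profile.find((p) => p.user === userSysId) || null;
  }
  return result;
}

const platformAdmin = { name: 'admin', roles: ['admin'] };
const registrar = { name: 'registrar', roles: ['x_acme_student.profile_reader'] };

// The admin resolves the user record but gets no profile; the registrar gets both.
console.log(lookup(platformAdmin, 'u1'));
console.log(lookup(registrar, 'u1'));
```

Because the sensitive columns never live on `sys_user`, every existing reference to the user table keeps working while the profile stays behind its own rule.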
Kudos to Mr