How might we restrict viewing access to certain records in a data archive?

Steve H2
Kilo Expert

We have a data archive of Change Requests. Some of those CRs have NERC sensitive data that can only be viewed by NERC CIP authorized users of the system.


Is it possible to restrict the ability to view the NERC sensitive, archived CRs to authorized users?


We have a field we can use to identify the NERC CRs, and we can identify the authorized users. How would you recommend going about setting up the restriction?

1 ACCEPTED SOLUTION

Steve H2
Kilo Expert

According to HI Support tech, there is no way to apply restrictions to an archive, and the restrictions on the source tables for the archived data don't apply in the archive. This seems to be because the archiving process flattens out the data, rather than simply creating archive tables that are copies of the source tables for the archive.


3 REPLIES 3

Shane J
Tera Guru

Modifying the existing 'read' ACL for the affected table would be the way to go. It would be easiest to tie a role to the group you are mentioning, but if need be, you can probably take care of the restriction with the Condition Builder or Script.

joshuamayes
Giga Expert

Piggy-backing off of Shane's response:

If you're new to ACLs, I highly recommend spinning up a personal developer instance and playing around with proofs of concept first. They can get pretty complicated and sometimes take trial and error, and it can be frustrating to navigate the ACL menu since they are all named the same. Also be sure to give each ACL rule a clear description in its description field (it may be necessary to edit the form to get the description field to show up). This will end up being the main way you navigate ACLs when you're looking at them in a list.

Also, I wanted to tell you that when you get the ACL set up the way you want, your users will see a message like 'x records are not shown due to security constraints', and the page size doesn't take into account the security-filtered records. So if you have a page size of 50, ServiceNow first throws up the first 50 records that match the query, then takes away anything you don't have permissions to see. So in theory a user could see 3 records with 47 removed and have to go to the next page to see what else they can see.

The way to solve that is to create an 'onQuery' business rule that runs if the users aren't on the list of people who can see your NERC data and forces the query to filter out NERC data.
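The paging effect and the before-query fix described in the reply above, modelled in plain JavaScript as an added example that is not part of the thread and is not ServiceNow's own code. The field `u_nerc_sensitive`, the role `u_nerc_cip_viewer`, the `QueryStub` class and the sample records are assumptions; inside an instance the rule body would use the platform's `gs.hasRole` and `current.addQuery`.

```javascript
// Assumed names (not from the thread): a boolean field and a role for NERC CIP users.
const NERC_FIELD = 'u_nerc_sensitive';
const NERC_ROLE = 'u_nerc_cip_viewer';

// Constructed sample data: 100 change requests, the first 47 flagged NERC sensitive.
function buildRecords() {
  return Array.from({ length: 100 }, (_, i) => ({
    number: 'CHG' + String(i + 1).padStart(7, '0'),
    [NERC_FIELD]: i < 47,
  }));
}

// Minimal stand-in for the query object a "before query" business rule receives.
class QueryStub {
  constructor() { this.conditions = []; }
  addQuery(field, value) { this.conditions.push([field, value]); }
  matches(rec) { return this.conditions.every(([f, v]) => rec[f] === v); }
}

// Body of the before-query rule: users without the role never get NERC rows back.
function restrictNercQuery(current, gs) {
  if (!gs.hasRole(NERC_ROLE)) {
    current.addQuery(NERC_FIELD, false);
  }
}

// Stand-in for the read ACL: evaluated per row, after the page has been fetched.
function canRead(rec, gs) {
  return !rec[NERC_FIELD] || gs.hasRole(NERC_ROLE);
}

// Fetch one page of matches, then apply the ACL, as the reply describes the list doing.
function listPage(records, gs, { pageSize = 50, useQueryRule = false } = {}) {
  const query = new QueryStub();
  if (useQueryRule) restrictNercQuery(query, gs);
  const page = records.filter((r) => query.matches(r)).slice(0, pageSize);
  const visible = page.filter((r) => canRead(r, gs));
  return { shown: visible.length, hiddenBySecurity: page.length - visible.length };
}

const unauthorized = { hasRole: () => false }; // stub user without the NERC role
console.log('ACL only:      ', listPage(buildRecords(), unauthorized));
console.log('ACL + onQuery: ', listPage(buildRecords(), unauthorized, { useQueryRule: true }));
```

The ACL stays in place as the actual access control; the query rule only keeps restricted rows out of the result set so pages fill with records the user is allowed to see.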
