Data Separation for Planning Items

phil_bool_unifi · ‎11-14-2024

Hey SPM Community,

I was a bit surprised to find that, whilst the Data Separation plugin hides Projects and Demands successfully, the Planning Items created from those Projects and Demands are not hidden by the same engine. I recognise the Planning Item table isn't covered in the list of captured tables, but since this service requires a lens to work (only introduced when using Portfolio Planning / Strategic Planning) I'd expected this to be included.

I'm now looking at two possible approaches, and I'd like your feedback or suggestions:

Firstly, can we extend the existing Data Separation functionality to Planning Items? Has anyone tried this? My first, quick exploration into this suggested you can't create custom ACL's on the Planning Item table, so even if we added the Planning Items table as a supported table, and extended the script to run the same checks using the equivalent fields on planning items, this wouldn't be a complete or effective solution. Has anyone got an approach that works for this?

Secondly, although less desirable, my fallback approach is to prevent Data Separated items from creating planning items. That should be possible by updating the Planning Item Integration to ignore records that don't have the 'group for non data separated entities' in the 'data separated groups' field. However, there's the possibility a project or demand will be added to a secure portfolio after creation, so I need to use a Flow or Business Rule to check if this value changes on a project/demand that has already had a planning item created, and if so, delete the Planning Item. This doesn't seem like rocket-science, but feels scruffy. Has anyone tried this, or anything similar? Any experiences to share would be appreciated.

phil_bool_unifi · ‎11-19-2024

Okay, if anyone is reading this in the future, I've heard from Hi today that Data Separation is not getting any more enhancements, and is deprecated from Yokohama.

If anyone has any insight into how 'marking projects as confidential' will be possible in Yokohama, please add a reply here or message me!

Hi said:
As per our discussion over call with our internal team, we got to know that
1. SPM Data separation will not be getting any more enhancements. We are planning to deprecate in Yokohama time frame.
2. There are enhancements coming to ACLs and Data filters which will help make it easier to implement data separation use cases. Some enhancements are available with Xanadu and a few more will be coming in Yokohama and Zurich.
3. We are collecting use cases and intend to publish recommendations and how-to guides for commonly observed data separation scenarios.
4. We are working on adding the ability to mark projects as confidential. This functionality will tentatively be available in Yokohama.
We are not supporting this app further and there will be platform solution in Y that you can leverage to implement data security.

View solution in original post

phil_bool_unifi · ‎11-15-2024

*bump*

Joseph Charlie · ‎11-18-2024

We were able to set a field on the Demand record is confidential, then modified the existing OOB read ACLs to check if that field was false. A new ACL on the Demand record was created where we used a script to evaluate.

The Planning item table was the same approach creating an ACL on sn_align_core_demand.

Additional work would be needed to handle other records such as stories but we are not there yet.

phil_bool_unifi · ‎11-18-2024

Interesting - it sounds like you've not leveraged the data separation plugin at all? Did you consider it?

Joseph Charlie · ‎11-18-2024

We did look at the Data Separation plugin however it required roles for access. Because of this we opted to use ACLs based on fields of the demand so that we would not have to create several roles and links from ServiceNow and Azure. Based on our scripting if the Demand is marked confidential, if the user is listed as the Demand Manager, in the Assignment Group, or as a Collaborator access is granted. If you have a small organization and can manage with roles that may be the option, it was not for us.