Project Security - Confidential Flag
3 weeks ago
We have been experimenting with the confidential flag to prohibit Contracted PMs from seeing other projects. The only way I can see this being workable is if ALL projects are automatically marked as Confidential, and the PMs can ad hoc allow contracted PMs as allowed users.
Are there any other recommendations as to how to implement this?
3 weeks ago
Hi Maureen,
The Project Advanced Security plugin is indeed intended for the inverse of what you're wanting. There isn't an OOTB. Your ServiceNow team could introduce additional Deny-Unless ACLs to deny access to projects unless the user meets certain criteria. An option could be to:
- Create a new role, e.g. "employee_project_manager"
- Create Deny-Unless ACLs on pm_project and related tables that unless you're the PM of the project, you can't see a project record unless you have the above role
Alternatively, a before query rule could be used:
- Create a new role "contractor_project_manager"
- Create a before query rule that only runs if the user has this role
- Filter out project record visibility to only records where the user is the PM of the project
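The before query rule option from the reply above, sketched as an added example that is not part of the original thread and is not ServiceNow's own code. The role name comes from the reply; the `project_manager` field name is an assumption about pm_project, and `makeGs`, `FakeQuery` and the sample rows are constructed stand-ins for the platform's `gs` and `current` objects so the logic can be exercised outside an instance.

```javascript
// Added example. In ServiceNow this logic is the body of a "before query"
// business rule on pm_project; `gs` and `current` are supplied by the platform.
// Assumption: pm_project stores the PM in the `project_manager` field.
function contractorQueryRule(current, gs) {
  // gs.hasRole() also returns true for admins, so exclude them explicitly;
  // otherwise administrators would be filtered like contractors.
  if (gs.hasRole('contractor_project_manager') && !gs.hasRole('admin')) {
    current.addQuery('project_manager', gs.getUserID());
  }
}

// --- Constructed stand-ins (hypothetical, for running outside an instance) ---
function makeGs(userId, roles) {
  return {
    getUserID: () => userId,
    // Mirrors platform behaviour: admin satisfies every role check.
    hasRole: (role) => roles.includes(role) || roles.includes('admin'),
  };
}

class FakeQuery {
  constructor(rows) { this.rows = rows; this.conditions = []; }
  addQuery(field, value) { this.conditions.push([field, value]); }
  run() {
    return this.rows.filter((r) => this.conditions.every(([f, v]) => r[f] === v));
  }
}

// Constructed sample data (user ids shortened for readability).
const PROJECTS = [
  { number: 'PRJ0001', project_manager: 'contractor_a' },
  { number: 'PRJ0002', project_manager: 'employee_b' },
  { number: 'PRJ0003', project_manager: 'contractor_a' },
];

// Returns the project numbers a user would see once the rule has run.
function visibleProjects(userId, roles) {
  const query = new FakeQuery(PROJECTS);
  contractorQueryRule(query, makeGs(userId, roles));
  return query.run().map((r) => r.number);
}

console.log(visibleProjects('contractor_a', ['contractor_project_manager']));
console.log(visibleProjects('employee_b', ['employee_project_manager']));
```

In an instance, only the body of `contractorQueryRule` goes into the business rule script. A user holding both the contractor and employee roles is still filtered by this version, which is the stricter choice.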
3 weeks ago
If we use this solution, will the employee PMs still be able to use the Confidential Flag as well? (Silly question, I hope, but I have to ask because we could still use some use cases to restrict projects from employees as well.)
3 weeks ago
They should be able to work independently. They're additive to each other 🙂
3 weeks ago
If the process is Standardized (across the Org) you can base the ACL on the user record as well. This will reduce the need for maintaining separate Groups (What happens if the user is in both groups?).
