
Security on PPM - Projects and related records

deekark
Kilo Contributor

My company recently bought PPM. They like it for the most part but have a new requirement.

The problem they are facing is if they use roles then anyone with that role can see the project but they want access to be configured for each Project at row level. The reason for this is they have vendors working on their Projects and they don't want them to see what other vendors/projects they are working with. So basically the Project Manager will decide who can view/Update a Project. Each Project (and related records) will have its own list.

The way I am thinking about designing this is to add a read/write watch list macro on the form and have Project Managers maintain it. I can turn off all role-based security and/or add an ACL that checks whether the 'user belongs to the list on the project', and it looks like I have to add this ACL to all related records to inherit this security (or maintain a separate list on each record to provide individual access control). This would totally override the role-based access; I figured I won't need roles since all of the access is controlled by the list on the Project.

I see a lot of limitations and drawbacks of this design as well, but can't think of any better solution.

Looking for any solutions/recommendations/suggestions..


corbettbrasing1
Mega Guru

Ok, so let me correct myself from earlier. Just adding a more strict ACL will not prevent access; I was thinking of something else. This is from the Docs:

"If two or more rules match at the same point in the processing order, the user must pass any one of the ACL rules permissions to access the object.

For example, if you create two field ACL rules for incident.number, then a user who passes one rule has access to the number field regardless of whether the user failed any other field ACL rule at the same point in the processing order."


So here is what you want to do:


1.   You still want to use the OOB roles so that when they DO have access they can access the rest of the record the way PPM intends.


2.   You only need to restrict the OOB READ ACLs. Write and delete both require passing read, so the read ACLs are the only ones you will need to add a condition to.


3.   Create that additional role "CompanyName_Project_Manager" (or whatever)


4.   Then go to your ACLs: System Security >> ACLs >> search name for "pm_project"




5.   Add this into the script; do NOT update the role conditions, this needs to be evaluated separately.


answer = gs.hasRole("yourRoleName"); // make sure you change this to the exact name of your role


This will limit record access like you want in a simple way.


6.   Create an ADDITIONAL but separate READ ACL on pm_project for project record access, where if they are on the watch list they can view:


Add this into the script; make sure Advanced is checked.


answer = (current.watch_list.toString().indexOf(gs.getUserID()) != -1); // true when the caller's sys_id appears in the watch list


This should work like a Charm!!



Assuming this answered your question, please MARK ANSWERED and also mark helpful and like each of my posts in this chat.   Thanks!



Corbett Brasington, PMP, CSM


Let me see if I understand this correctly. Here is a list of use cases; according to what I understand, your solution will grant access to Project 3, but I want it to be completely driven by the watch list (shown in Table 2).



ASSUMPTION: If two or more rules match at the same point in the processing order, the user must pass any one of the ACL rules permissions to access the object.


User has oob pm_user role


Pre requisites:


Custom role created : pm_custom


Added a User watch list on Project Form


ACLs created:

1) On Project, Read, condition = user has custom role 'pm_custom' (ACL1)

2) On Project, Read, condition = user is a member of the watch list (ACL2)



Table 1 - Use case matrix:

Project Records | User has pm_custom role? | User on watch list? | ACL1 result | ACL2 result | Access granted
Project 1       | Y                        | Y                   | T           | T           | Y
Project 2       | N                        | Y                   | F           | T           | Y
Project 3       | Y                        | N                   | T           | F           | Y
Project 4       | N                        | N                   | F           | F           | N



Table 2 - What I need:

Case      | User has role? | User on watch list? | ACL1 result | ACL2 result | Access granted
Project 1 | Y              | Y                   | T           | T           | Y
Project 2 | N              | Y                   | F           | T           | Y
Project 3 | Y              | N                   | T           | F           | N
Project 4 | N              | N                   | F           | F           | N
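The two ACL scripts proposed in the reply above and the use-case matrices in Tables 1 and 2 can be checked against the quoted platform rule ("pass any one of the matching rules") without an instance. What follows is an added example written for this page, not code from the thread or from ServiceNow: `gs` and `current` are stand-ins for the server-side objects, the role name `pm_custom` is the one from the prerequisites, and the sys_ids and four projects are constructed data. It evaluates the role ACL and the watch-list ACL as separate rules at one processing point (which reproduces Table 1, including access to Project 3) and then the watch-list rule alone (which reproduces Table 2). It also shows an exact-element membership test beside the posted `indexOf` substring test; the two agree for a real sys_id but differ for an empty string, which `indexOf` always finds at position 0.

```javascript
'use strict';

// Added example, not code from the thread: a simulation of how ServiceNow
// decides a table-level read on pm_project when several read ACLs match at
// the same processing point (the rule quoted above: pass ANY one of them).
// `gs` and `current` are stand-ins for the platform objects; the role name
// pm_custom is the one from the prerequisites, the sys_ids are constructed.

// Stand-in for GlideSystem: the caller's sys_id and role membership.
function makeGs(userId, roles) {
  return {
    getUserID: () => userId,
    hasRole: (role) => roles.includes(role),
  };
}

// Stand-in for `current` on pm_project. A glide_list field such as watch_list
// serialises to a comma-separated string of sys_ids, which is what the posted
// script inspects via toString().
function makeRecord(name, watchListIds) {
  return {
    name,
    watch_list: { toString: () => watchListIds.join(',') },
  };
}

// ACL1 as posted: the caller must hold the custom role.
function acl1RoleCheck(gs) {
  return gs.hasRole('pm_custom');
}

// ACL2 as posted: substring search of the caller's sys_id in the list.
function acl2WatchListPosted(gs, current) {
  return current.watch_list.toString().indexOf(gs.getUserID()) !== -1;
}

// Same intent as ACL2, but an exact element match: it cannot be satisfied by
// a value that is merely a substring of an entry (indexOf('') is 0, never -1),
// and it tolerates an empty list and stray whitespace.
function acl2WatchListExact(gs, current) {
  const members = current.watch_list.toString()
    .split(',').map((s) => s.trim()).filter(Boolean);
  return members.includes(gs.getUserID());
}

// The platform rule for rules matching at one point: any passing rule grants.
function evaluateAcls(rules, gs, current) {
  return rules.some((rule) => rule(gs, current) === true);
}

// Constructed data for the four use cases in Table 1 / Table 2.
const USER = '62826bf03710200044e0bfc8bcbe5df1';  // the caller (constructed sys_id)
const OTHER = '6816f79cc0a8016401c5a33be04be441'; // another user (constructed sys_id)

const cases = [
  { project: makeRecord('Project 1', [USER, OTHER]), roles: ['pm_custom'] },
  { project: makeRecord('Project 2', [USER]),        roles: [] },
  { project: makeRecord('Project 3', [OTHER]),       roles: ['pm_custom'] },
  { project: makeRecord('Project 4', []),            roles: [] },
];

// The design proposed in the reply: role ACL OR watch-list ACL.
function accessRoleOrWatchList(c) {
  return evaluateAcls([acl1RoleCheck, acl2WatchListExact], makeGs(USER, c.roles), c.project);
}

// What Table 2 asks for: the watch list alone decides, so the role check
// must not exist as a second, independent read ACL at the same level.
function accessWatchListOnly(c) {
  return evaluateAcls([acl2WatchListExact], makeGs(USER, c.roles), c.project);
}

// Returns one boolean per project, in table order, for either decision function.
function matrix(decide) {
  return cases.map(decide);
}

console.log('Role OR watch list (Table 1):', matrix(accessRoleOrWatchList));
console.log('Watch list only   (Table 2):', matrix(accessWatchListOnly));
```

Run with `node`: the first line prints `[ true, true, true, false ]` (Table 1) and the second `[ true, true, false, false ]` (Table 2). The point the simulation makes is structural: as long as the role check exists as its own read ACL at the same level as the watch-list ACL, the platform ORs them, so Project 3 stays visible to role holders; restricting a role holder who is not on the watch list requires the role and the membership test to live in a single rule.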


corbettbrasing1
Mega Guru

The additional PM custom role you would not give out to your vendors, and you would NOT include it as part of the "it_project_manager" role, so you have complete control over who gets it. Adding "gs.hasRole("yourRoleName");" to the script of each OOB read ACL will require ANY user to have that new role to gain access to project records.




The 2nd ACL will give access if they are on the watch list. Someone has to be able to add people to the watch list, though. They need access to the project to be able to do that. You mentioned that your project managers would maintain the watch list. Your internal PMs would just have that new role, and anyone who only has it_project_manager and not that role won't get access to the projects. Am I missing something?


The thing you can do is use an ON BEFORE QUERY business rule, which you can find here:



Controlling record access using 'Before Query' business rules - ServiceNow Guru
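The 'before query' approach linked above filters the rows a query returns rather than deciding access per record. The following is an added example written for this page, not code from the thread or from the linked article: it models such a rule on pm_project with a simplified `FakeGlideRecord` and `gs` stand-in (the real GlideRecord `CONTAINS` is a substring LIKE; this model does an exact element match on the comma-separated list), uses the constructed role `pm_custom` for the internal PMs, and skips non-interactive sessions, a design choice made here so that integrations and scheduled jobs are not narrowed to one user's view. The rows are constructed sample data.

```javascript
'use strict';

// Added example, not code from the thread or the linked article: a model of
// a 'before query' business rule on pm_project that narrows every list or
// report query to projects whose watch list contains the caller, unless the
// caller holds the constructed role pm_custom. FakeGlideRecord and gs are
// simplified stand-ins for the platform objects, and the rows are constructed.

const PROJECTS = [
  { sys_id: 'p1', name: 'Project 1', watch_list: 'u1,u2' },
  { sys_id: 'p2', name: 'Project 2', watch_list: 'u1' },
  { sys_id: 'p3', name: 'Project 3', watch_list: 'u2' },
  { sys_id: 'p4', name: 'Project 4', watch_list: '' },
];

// Stand-in for GlideSystem: caller id, roles and whether the session is a
// logged-in user (interactive) or an integration / scheduled job.
function makeGs(userId, roles, interactive) {
  return {
    getUserID: () => userId,
    hasRole: (role) => roles.includes(role),
    getSession: () => ({ isInteractive: () => interactive }),
  };
}

// Minimal GlideRecord stand-in: addQuery() records a filter, query() applies
// all of them. Only the CONTAINS operator on a comma-separated list is modelled,
// as an exact element match rather than the platform's substring LIKE.
class FakeGlideRecord {
  constructor(rows) {
    this.rows = rows;
    this.filters = [];
  }
  addQuery(field, operator, value) {
    if (operator !== 'CONTAINS') throw new Error('only CONTAINS is modelled');
    this.filters.push((row) => row[field].split(',').includes(value));
  }
  query() {
    return this.rows.filter((row) => this.filters.every((f) => f(row)));
  }
}

// The rule body, in the shape a before-query business rule receives `current`
// (the query being built). Role holders and non-interactive sessions are left
// unfiltered; everyone else only sees projects that list them.
function beforeQueryRule(current, gs) {
  if (gs.hasRole('pm_custom') || !gs.getSession().isInteractive()) {
    return;
  }
  current.addQuery('watch_list', 'CONTAINS', gs.getUserID());
}

// Run the rule against a fresh query and return the project names the caller sees.
function visibleProjects(gs) {
  const gr = new FakeGlideRecord(PROJECTS);
  beforeQueryRule(gr, gs);
  return gr.query().map((row) => row.name);
}

console.log('vendor u1   :', visibleProjects(makeGs('u1', [], true)));
console.log('vendor u2   :', visibleProjects(makeGs('u2', [], true)));
console.log('internal PM :', visibleProjects(makeGs('u3', ['pm_custom'], true)));
```

Vendor u1 sees Project 1 and Project 2, vendor u2 sees Project 1 and Project 3, and the internal PM with `pm_custom` sees all four. A query filter of this kind complements the read ACLs discussed above rather than replacing them: the ACLs still decide whether a given record may be read, and the business rule decides which records a list query returns in the first place.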


Thanks a lot for your patience here. I think I am missing something. According to your design, If I take case 3(Project 3) in Table 2 above, The user will be allowed access or not ?