How can I hide sensitive data, that is stored in variables, with an ACL?

Casey23
Tera Guru

We are creating some new catalog items for HR and Payroll. I started with HR and have the catalog item completed, but now I need to hide the data from non-HR users. I created a read ACL as you can see in the attached image. To me it seems like it's set up correctly, but it's not working. If I impersonate an ITIL user, that user is able to see all of the variables and their values. I have confirmed that the ITIL user doesn't have the admin or Human Resources role that I'm using in the ACL. Any ideas what I might be doing wrong here? TIA


PS - The condition that was cut off at the bottom is just looking for the name of the item and is returning the correct number of matching records.

(attached screenshot: acl.png)

1 ACCEPTED SOLUTION

Mike_R
Kilo Patron

Go to the configuration for the variable, and in the permissions tab you can apply which roles can read, write, create.

Example: (screenshot attachment showing the variable's Permissions tab)

5 REPLIES


Thank you for the reply! After checking out this solution, it seems to work as expected. As a user who doesn't have read access, I am unable to see the data in the sc_req_item table; I'm not seeing the data if I create a report and look at it from a list view, or if I inspect the elements on the page using the browser's dev tools.

This does raise a couple of other questions for me though. Does this mean an ACL isn't the best path for hiding variable data on the form? Am I missing other possible "holes" in security where a user without the correct role could still find this data? Lastly, is there a way to quickly apply the roles to multiple variables on the form, or do I have to go one by one?

These are essentially the "ACLs" for variables and are the recommended way. If you are looking to restrict the whole RITM & SCTASK, and not just the variables, then use the traditional ACLs.
Make sure you do not have any email notifications that contain the variables because it will still show in the email logs, etc.


And unfortunately you'll need to go through them one by one.
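To make the two points in this answer concrete (variables with no read roles, and notifications that embed a role-restricted variable and so copy its value into the email log), here is an added offline model; it is not code from the thread or from ServiceNow. The record shapes follow the read_roles field of item_option_new and the ${variables.<name>} notification syntax, the sample rows and the hr_reader role name are constructed, and a real audit would read those tables with GlideRecord instead.

```javascript
// Constructed catalog variables for an HR item. read_roles holds the
// comma-separated role list entered on the variable's Permissions tab.
const VARIABLES = [
  { name: 'employee_name', cat_item: 'HR Onboarding', read_roles: 'hr_reader' },
  { name: 'salary',        cat_item: 'HR Onboarding', read_roles: '' },
  { name: 'ssn',           cat_item: 'HR Onboarding', read_roles: 'hr_reader,admin' },
];

// Constructed notifications. ${variables.<name>} embeds a catalog
// variable's value in the message body (assumed notification syntax).
const NOTIFICATIONS = [
  { name: 'RITM approved',
    message_html: 'Request for ${variables.employee_name} was approved.' },
  { name: 'HR payroll digest',
    message_html: 'New hire ${variables.employee_name}, SSN ${variables.ssn}, pay ${variables.salary}' },
];

// A variable with an empty read role list is readable by anyone who can
// read the RITM, which is what the original poster observed with ITIL users.
function unrestrictedVariables(variables) {
  return variables.filter(v => v.read_roles.trim() === '').map(v => v.name);
}

// A role-restricted variable referenced in a notification still ends up
// in the sent email and its log, bypassing the variable-level roles.
function leakingNotifications(variables, notifications) {
  const restricted = new Set(
    variables.filter(v => v.read_roles.trim() !== '').map(v => v.name));
  const ref = /\$\{variables\.([A-Za-z0-9_]+)\}/g;
  const findings = [];
  for (const n of notifications) {
    const leaked = [...n.message_html.matchAll(ref)]
      .map(m => m[1])
      .filter(name => restricted.has(name));
    if (leaked.length) {
      findings.push({ notification: n.name, variables: [...new Set(leaked)] });
    }
  }
  return findings;
}

// Report when run directly with node.
console.log('Variables with no read roles:', unrestrictedVariables(VARIABLES));
console.log('Notifications that leak restricted variables:',
  JSON.stringify(leakingNotifications(VARIABLES, NOTIFICATIONS)));
```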

I just tried this myself and it blocked the variables on the portal as well. Did I do something wrong?