Exploring Data Separation
Learn about the features, configuration, and benefits that Data Separation provides.
Data Separation overview
Data Separation helps you restrict data in ServiceNow® Strategic Portfolio Management based on a lens hierarchy and its leaf node. The leaf node is the bottom-level entity in a lens hierarchy. For example, if the Organization lens is used for data separation, the leaf node would be Department for the base system lens.
You can enable Data Separation on select Demand, Project, Resource Plan, and Cost Plan entities, as needed. Also, you can enable Data Separation on select Cost Plan Breakdown and Project Task related entities.
Data Separation also applies to child projects and sub-tasks, based on the Data Separation that is configured for the parent project or task.
Data Separation key components
- Hierarchy: Defines the hierarchy for enabling Data Separation using a lens and its leaf node.
- Supported Entities: Enables Data Separation on select entities and related entities, as needed.
- Entity-Group Mapping: Defines entity-group mappings between a business area and user group.
Features
- Configure a data separation hierarchy using a lens hierarchy and its leaf node.
- Enable data separation on select entities and related entities, as needed.
- Create as many entity group mappings as required to restrict data to specified user groups.
- Grant access to users who always need access to sensitive data by assigning them the data separation privileged user (sn_ds.ds_privileged_user) role.
How Data Separation works
- A lens is selected for defining a hierarchy for Data Separation. The Data Separation admin can modify the hierarchy of the lens for data separation as needed.
- The required entities and related entities are enabled for Data Separation.
- An entity-group mapping is created for each business group (where the business group could be a business unit, department, or company). The mapping defines the set of users that access is restricted to.
- For the enabled entities, the data of the business group is then restricted to only the users who are part of the user group populated in the entity-group mapping record.
Data Separation examples
- Example 1
  Consider a scenario where:
  - The Data Separation hierarchy is defined using the Organization lens and the lens structure is Company, Business Unit, and Department (from top to bottom).
  - The entity mapping is created for the HR department (Department : HR) with the group HR leads.
  - Data Separation is enabled for the Demand and Project entities.
- Example 2
  Company XYZ has a data separation-enabled lens structure as shown in the following image and wants to restrict data to specific groups based on different use cases. All the supported entities are enabled for Data Separation. The following use cases show how Data Separation works and how to configure it for each case.
  - Case 1: Restrict data of the Payroll department to the Payroll managers
    You can restrict data for this case by configuring Data Separation as follows:
    - Create a Payroll managers user group.
    - Create an entity-group mapping for the Payroll department with the lens entity record (Department : Payroll) and the Payroll managers user group.
  - Case 2: Restrict data of the HR business unit (both the Onboarding and L&D departments) to the HR leads
    You can restrict data for this case by configuring Data Separation as follows:
    - Create an HR leads user group.
    - Create an entity-group mapping for the HR business unit with the lens entity record (Business Unit : HR) and the HR leads user group.
  - Case 3: Restrict data of the entire organization to the Organization leads
    You can restrict data for this case by configuring Data Separation as follows:
    - Create an Organization leads user group.
    - Create an entity-group mapping for Company XYZ with the lens entity record (Company : XYZ) and the Organization leads user group.
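The decision described under "How Data Separation works", applied to the Company XYZ mappings from Cases 1 to 3, as an added JavaScript model for reviewing who a planned set of mappings lets in (not ServiceNow code and not from the original page). Assumptions: all three mappings are active at once, a mapping on a node also covers the nodes beneath it, a record with no mapping on its branch is unrestricted, and the Finance business unit is a constructed parent for Payroll because the lens image is not reproduced here.

```javascript
// Simplified model of the access decision (assumed semantics, not ServiceNow code).
// Lens hierarchy as child -> parent. "Business Unit:Finance" is constructed.
const parentOf = {
  'Department:Payroll': 'Business Unit:Finance',
  'Department:Onboarding': 'Business Unit:HR',
  'Department:L&D': 'Business Unit:HR',
  'Business Unit:Finance': 'Company:XYZ',
  'Business Unit:HR': 'Company:XYZ',
  'Company:XYZ': null,
};

// Entity-group mappings from Cases 1-3: lens entity record -> user group.
const mappings = [
  { node: 'Department:Payroll', group: 'Payroll managers' },
  { node: 'Business Unit:HR', group: 'HR leads' },
  { node: 'Company:XYZ', group: 'Organization leads' },
];

// Entities on which Data Separation is enabled in this model.
const enabledEntities = new Set(['Demand', 'Project', 'Resource Plan', 'Cost Plan']);
const PRIVILEGED_ROLE = 'sn_ds.ds_privileged_user';

// Groups allowed to see a record tagged with the given leaf node:
// every mapping on the leaf or on one of its ancestors (assumption: union).
function allowedGroups(leaf) {
  const groups = new Set();
  for (let node = leaf; node; node = parentOf[node]) {
    for (const m of mappings) if (m.node === node) groups.add(m.group);
  }
  return groups;
}

// user: { groups: [...], roles: [...] }; record: { entity, leaf }.
function canRead(user, record) {
  if (!enabledEntities.has(record.entity)) return true; // entity not separated
  if (user.roles.includes(PRIVILEGED_ROLE)) return true; // privileged user role
  const groups = allowedGroups(record.leaf);
  if (groups.size === 0) return true; // assumption: unmapped data is unrestricted
  return user.groups.some((g) => groups.has(g));
}
```

Calling `allowedGroups` for each department before rollout lists every group that would reach its data, which makes an overly broad mapping higher in the hierarchy easy to spot.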