Configuring access control

  • Release version: Australia
  • Updated November 27, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Configuring access control

    This guide explains how to configure entity-based access (EBA) control in Privacy Management on the ServiceNow platform. EBA enables organizations to restrict user access to processing activity records and related data according to their position within the organizational hierarchy. This ensures privacy teams and users only access records relevant to their assigned entities, enhancing security and regulatory compliance.

    Show full answer Show less

    Key Features

    • Entity-based Access Activation: Install the Entity-based Access plugin and enable the entity-based access control property to activate access restrictions by legal entity.
    • Organizational Hierarchy Setup: Define parent-child relationships between entities, such as global, regional, and country-level entities, to establish a clear organizational structure.
    • Record Mapping: Map existing processing activity records to the appropriate entities in the hierarchy to ensure accurate enforcement of access restrictions.
    • Entity Configuration: Assign access rights to users or groups based on their organizational role, specifying whether access applies only to the assigned entity or also its downstream entities.
    • Bulk Access Updates: Use the entity-based record access update utility to switch existing records from role-based to entity-based access in bulk, selecting target entities and tables, previewing affected records, and scheduling the update job.
    • Continuous Access Enforcement: Configure entity-based record access rules that automatically apply and update access restrictions on new or modified records, maintaining compliance as organizational structures or processing activities change.

    Practical Application for ServiceNow Customers

    ServiceNow administrators can leverage this configuration process to ensure that privacy-related records are only accessible to authorized users within their specific organizational units. By implementing EBA, customers can:

    • Secure sensitive privacy data according to organizational boundaries.
    • Maintain compliance with regulatory requirements through controlled data access.
    • Reduce manual overhead by automating access updates via bulk utilities and continuous monitoring rules.
    • Adapt access controls dynamically as organizational hierarchies evolve.

    Following these steps enables efficient, scalable management of privacy data access aligned with organizational structures.

    Configurie Entity-based access control in Privacy Management, including property activation, hierarchy setup, record mapping, user assignment, bulk updates, and activating entity-based record access rules.

    The following steps outline how to configure access control in Privacy Management using Entity-based access (EBA). This process enables organizations to restrict user access to processing activity records and related data according to their position in the organizational hierarchy. By following these steps, administrators can ensure that privacy teams and users only access records relevant to their assigned entities, supporting both security and regulatory compliance.

    1. Install Entity-based access plugin and enable the entity-based access control property. This activates entity-based access features and allows you to configure access restrictions by legal entity.

      For information, see Configure Entity-based access.

    2. Establish the organizational structure (parent-child relationships), where a global entity contains regional entities, and those in turn contain country-level entities.

      For information, see Add hierarchical relationships between entities.

    3. If processing activities already exist, map each record to the appropriate entity in the organizational hierarchy, ensuring it is correctly linked as a downstream entity under the relevant legal entity, jurisdiction, or other defined structure. This guarantees that access restrictions are enforced accurately, as each record is tied to the correct part of the organization.
    4. In the Entity Configuration module, do the following:
      • Provide access to teams and users based on your organizational structure. You can grant access to individual users, such as entity owners or privacy analysts, or to groups.
      • Specify whether access applies only to the selected entity or also to downstream entities. This step ensures that only the appropriate teams or users can access records for their part of the organization.

      For information, see Create an entity configuration.

    5. Run a bulk access update to switch from role-based access to entity-based access for all applicable records. Bulk Access Update enforces entity-based access restrictions across relevant records in Privacy Management.
      When performing a bulk update:
      • Select the entity configuration and associated entities.
      • Choose the tables where restrictions apply (for example, Processing Activity or Privacy Assessment).
      • Preview the affected records to validate changes.
      • Enable the update to apply restrictions.
      The system queues a scheduled job that processes the update and applies the new access rules to all selected records.

      For information on how to run batch updates, see Set access restrictions using an entity based record access update utility.

    6. Use entity-based record access rules to enable continuous monitoring. These rules automatically apply restrictions to new or modified records, ensuring access settings stay enforced without manual updates. When the structure of the entities change, the system updates access controls automatically.

      For information on how to configure entity-based record access rules, see Set Entity based record access rules.