Frequently Asked Questions
Summarize
Summary of Frequently Asked Questions
This document addresses common questions regarding the Access Analyzer tool, specifically focusing on the Evaluate Access feature, Compare user records, and Compare user access functionalities. It aims to assist ServiceNow customers in understanding how to effectively utilize these features for managing access controls and user permissions.
Show less
Key Features
- Evaluate Access: Understand how to read evaluation results from Access Analyzer, including the significance of ACLs, their evaluation process, and legends indicating access status.
- Compare User Records: Learn how to view metadata for users, grant roles, and add users to groups. The "Show differences only" feature highlights discrepancies between two user records.
- Compare User Access: Access control comparison reveals evaluation states (Passed, Blocked) and allows users to identify what access is granted or denied. The Role Hierarchy page shows the roles needed for specific operations.
Key Outcomes
- By leveraging the Evaluate Access feature, customers can easily interpret access control lists and identify whether access is granted or denied.
- Customers can efficiently manage user roles and group memberships through the Compare user records section, facilitating streamlined access management.
- The Compare user access function enables a clear view of access permissions, helping customers ensure that users have the necessary roles for their operations.
Frequently asked questions while using Access Analyzer.
Evaluate Access
The following are frequently asked questions while using the Evaluate Access feature of Access Analyzer:
| Questions | Explanation |
|---|---|
| How to read the evaluation results displayed by the Access Analyzer? | Each row represents an individual access control list (ACL). The sequence (#) in the results represents the order in which ACLs are evaluated. Status shows whether overall access is granted (passed) or denied (blocked). |
| How are ACLs evaluated? | At a table level, ACLs are evaluated only for roles and security attributes. Conditions and scripts aren’t evaluated. Roles are evaluated first. If Roles are blocked, conditions and scripts are skipped. For more information, see Configure an ACL rule. |
| What are the legends in Access Analyzer? | When Analyzing the access and permissions, legends are displayed as part of the evaluation process. The following are the legends:
|
| What is the Alert icon in the Access results mean? | Alert Icon in any status indicates the presence of a script in the ACL. Review highlighted ACLs to understand the final access. To know more about how these controls are evaluated and review the logic used to determine the access, see Access Analyzer Debug logs. |
| What is IAccesshandler? | An internal system check using hidden source code on the platform. It’s a system security check that you can’t modify. IAccessHandler can grant or deny access to a resource without evaluating ACLs. If this IAccessHandler is ignored, then the ACLs are evaluated. For example, an IAccessHandler implementation is used for access checks on application resources such as read-only access. |
| What are data filters? | Data filters are a form of access control designed to work along with the existing Access Control rules (ACLs) on your instance. |
| What is an ACL rule? | Rules for access control lists (ACLs) restrict access to data by requiring users to pass a set of requirements before they can interact with it. |
Time limited role assignments found for the user may impact results. You can review the time-limited roles assigned for the user here.
Compare user records
The following are frequently asked questions while using the Compare user record feature in Access Analyzer:
| Questions | Explanation |
|---|---|
| How to read the results on the Details tab? | The Details tab displays the metadata associated with user 1 and user 2 |
| How to grant a role to a user? | From the Roles tab, you can check the role that must be granted for the user and assign that role. |
| How to add a user to a group? | From the Groups tab, you can check the group the user must be added and add the user to the group. |
| What is Show differences only? | When you enable the Show differences only check box, only the roles or groups that are different between the user 1 and user 2 are shown. |
Compare user access
The following are frequently asked questions while using the Compare user access feature in Access Analyzer:
| Questions | Explanation |
|---|---|
| How to read the results on the access control comparison page? | The access control comparison page displays the evaluation states for different ACL operations. |
| What are the different evaluation states? | Evaluation states include:
|
| What is Show differences only? | When you enable the Show differences only check box, only the operation evaluation states that are different between the user 1 and user 2 are shown. |
| How is the ACL operation evaluated? | Rules for access control lists (ACLs) restrict access to specific data by requiring users to pass a set of requirements before they can interact with it. Within an ACL, the following hierarchy is evaluated:
|
| How to read the results shown on the Role Hierarchy page? | The Role Hierarchy page displays roles that are assigned to user 1 and user 2. If a user needs access to a certain operation, you can determine the necessary role and group assignments. |
| How can I see the details of the user? | You can select the to know more about the user. |
| How can I see the details of the role? | You can select the to know more about the role. |
| How can I see the details of the resources the role can access? | You can select the to know the resources the role can access. |
| How can I see the details of the group? | You can select the to know more about the group. |