Frequently Asked Questions
Summary of Frequently Asked Questions: Access Analyzer (Zurich Release)
This FAQ document provides detailed explanations on using the Access Analyzer features in ServiceNow's Zurich release, focusing on evaluating access permissions, comparing user records, and understanding access control behaviors. It helps administrators and security professionals effectively interpret access results, manage roles and groups, and troubleshoot access control issues.
Evaluate Access
- Reading Evaluation Results: Each row in the results corresponds to an individual ACL evaluated in sequence. The status indicates whether access is granted (passed) or denied (blocked).
- ACL Evaluation Process: At the table level, ACLs evaluate roles and security attributes first; conditions and scripts are evaluated only if roles pass. If roles are blocked, subsequent checks are skipped.
- Legends Explanation: Results include statuses such as [Passed] (access granted), [Blocked] (access denied), [Skipped] (not evaluated), and [Undefined] (no matching rule).
- Alert Icon: Indicates presence of a script in an ACL, signaling the need to review associated logic for access decisions.
- IAccessHandler: An immutable internal system security check that can grant or deny access independently of ACLs. It cannot be modified by users and applies to certain resource types like read-only application access.
- Data Filters: Supplemental access controls that work alongside ACLs to restrict data access.
- ACL Rules: Define conditions users must meet to access data, including role requirements and additional criteria.
- Time-Limited Roles: Role assignments with time constraints can affect access evaluation; administrators can review these assignments to understand impact.
Compare User Records
- Details Tab: Shows metadata for two users being compared to understand differences.
- Granting Roles: Roles identified as missing can be assigned directly from the Users tab for a user.
- Adding Users to Groups: Groups that users should belong to can be managed from the Groups tab.
- Show Differences Only: Filters displayed roles or groups to only those differing between the two users, simplifying comparison.
Compare User Access
- Access Control Comparison Page: Displays evaluation states for various ACL operations to compare user permissions.
- Evaluation States: Includes Passed (access granted) or Blocked (access denied) states for ACL operations.
- Show Differences Only: When enabled, shows only ACL operations where users differ in access evaluation.
- ACL Operation Evaluation Hierarchy: Access checks follow this order: Role, Security Attribute, Condition, then Script.
- Role Hierarchy View: Displays roles assigned to users and roles required for specific ACL operations.
- Viewing Details: User, role, and group details can be accessed via node selections and "More actions" options to gain deeper insights into permissions and resource access.
Frequently asked questions while using the Access Analyzer.
Evaluate Access
The following are some of the frequently asked questions while using the Evaluate Access feature in the Access Analyzer:
| Questions | Explanation |
|---|---|
| How to read the evaluation results displayed by the Access Analyzer? | Each row represents an individual access control list (ACL). The sequence (#) in the results shows the order in which ACLs are evaluated. The status shows whether overall access is granted (passed) or denied (blocked). |
| How are ACLs evaluated? | At a table level, ACLs are evaluated only for roles and security attributes; conditions and scripts aren't evaluated. Roles are evaluated first. If roles are blocked, conditions and scripts are skipped. For more information, see Configure an ACL rule. |
| What are the legends in Access Analyzer? | When analyzing access and permissions, legends are displayed as part of the evaluation process. The following are the legends: |
| What does the Alert icon in the Access results mean? | An Alert icon in any status indicates the presence of a script in the ACL. Review the highlighted ACLs to understand the final access. To learn more about how these controls are evaluated and to review the logic that determines the access, see Access Analyzer Debug logs. |
| What is IAccessHandler? | An internal system check implemented in hidden source code on the platform. It is a system security check that you can't modify in any way. IAccessHandler can grant or deny access to a resource without evaluating ACLs; if the IAccessHandler is ignored, then the ACLs are evaluated. For example, an IAccessHandler implementation is used for access checks on application resources such as read-only access. |
| What are data filters? | Data filters are a form of access control designed to work along with the existing Access Control rules (ACLs) on your instance. |
| What is an ACL rule? | Rules for access control lists (ACLs) restrict access to data by requiring users to pass a set of requirements before they can interact with it. |
Time-limited role assignments were found for the user, which may affect the results. You can review the time-limited roles assigned to the user.
Compare user records
The following are some of the frequently asked questions while using the Compare user record feature in the Access Analyzer:
| Questions | Explanation |
|---|---|
| How to read the results on the Details tab? | The Details tab displays the metadata associated with user 1 and user 2. |
| How to grant a role to a user? | From the Users tab, you can check which role must be granted to the user and assign that role. |
| How to add a user to a group? | From the Groups tab, you can check which group the user must be added to and add the user to that group. |
| What is Show differences only? | When you enable the Show differences only check box, only the roles or groups that differ between user 1 and user 2 are displayed. |
Compare user access
The following are some of the frequently asked questions while using the Compare user access feature in the Access Analyzer:
| Questions | Explanation |
|---|---|
| How to read the results on the access control comparison page? | The access control comparison page displays the evaluation states for different ACL operations. |
| What are the different evaluation states? | When comparing access controls between the users, the following are the different evaluation states: |
| What is Show differences only? | When you enable the Show differences only check box, only the operation evaluation states that differ between user 1 and user 2 are displayed. |
| How is the ACL operation evaluated? | An access control list (ACL) rule restricts access to data by requiring users to pass a set of requirements before they can interact with it. Within an ACL, the following hierarchy is evaluated: |
| How to read the results on the Show role hierarchy page? | The Show role hierarchy page displays the roles assigned to user 1 and user 2. You can see which role is required for the user to pass a particular ACL operation. |
| How can I see the details of the user? | You can select the details to know more about the user. |
| How can I see the details of the role? | You can select the details to know more about the role. |
| How can I see the details of the resources the role can access? | You can select the details to know the resources the role can access. |
| How can I see the details of the group? | You can select the details to know more about the group. |
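To make the evaluation order described above (Role, then Security Attribute, then Condition, then Script, with later checks skipped once an earlier one blocks) and the Show differences only comparison concrete, here is an added example written for this page. It is a toy model, not ServiceNow's evaluator or any part of the Access Analyzer; every ACL name, role, security attribute, user and record below is constructed, and the rule that an operation is granted when any of its ACLs passes is an assumption of the model.

```javascript
// Added example (not ServiceNow code): a toy model of how the Access Analyzer
// FAQ describes ACL evaluation. Statuses mirror the legends used on the page.
const PASSED = "Passed";
const BLOCKED = "Blocked";
const SKIPPED = "Skipped";

// Evaluate one ACL for one user against one record.
// The hierarchy is Role -> Security Attribute -> Condition -> Script.
// Once a check blocks, the remaining checks are marked Skipped.
// options.tableLevel models the FAQ's table-level mode, where conditions and
// scripts are not evaluated at all.
function evaluateAcl(acl, user, record, options = {}) {
  const { tableLevel = false } = options;
  const steps = [
    ["Role", () => acl.roles.length === 0 || acl.roles.some((r) => user.roles.includes(r))],
    ["Security Attribute", () => !acl.securityAttribute || acl.securityAttribute(user)],
    ["Condition", () => !acl.condition || acl.condition(user, record)],
    ["Script", () => !acl.script || acl.script(user, record)],
  ];
  const result = {
    name: acl.name,
    operation: acl.operation,
    hasScript: Boolean(acl.script), // drives the Alert icon in the results
    checks: {},
    status: PASSED,
  };
  for (const [check, fn] of steps) {
    const notAtTableLevel = tableLevel && (check === "Condition" || check === "Script");
    if (result.status === BLOCKED || notAtTableLevel) {
      result.checks[check] = SKIPPED;
      continue;
    }
    const ok = fn();
    result.checks[check] = ok ? PASSED : BLOCKED;
    if (!ok) result.status = BLOCKED;
  }
  return result;
}

// Evaluate a list of ACLs in order; seq is the "#" column of the results.
function evaluateAccess(acls, user, record, options = {}) {
  return acls.map((acl, i) => ({ seq: i + 1, ...evaluateAcl(acl, user, record, options) }));
}

// Assumption of this model: an operation is granted if any ACL for it passed.
function overallAccess(rows, operation) {
  return rows.some((r) => r.operation === operation && r.status === PASSED) ? PASSED : BLOCKED;
}

// Compare two users ACL by ACL; differencesOnly models the check box.
function compareUserAccess(acls, user1, user2, record, differencesOnly = false) {
  const a = evaluateAccess(acls, user1, record);
  const b = evaluateAccess(acls, user2, record);
  const rows = a.map((r, i) => ({ name: r.name, user1: r.status, user2: b[i].status, alert: r.hasScript }));
  return differencesOnly ? rows.filter((r) => r.user1 !== r.user2) : rows;
}

// Constructed sample data (hypothetical table "incident", roles and attributes).
const SAMPLE_ACLS = [
  { name: "incident.read", operation: "read", roles: ["itil"] },
  {
    name: "incident.write",
    operation: "write",
    roles: ["itil"],
    condition: (user, record) => record.active === true,
    script: (user, record) => user.department === record.department,
  },
  {
    name: "incident.delete",
    operation: "delete",
    roles: ["admin"],
    securityAttribute: (user) => user.mfaVerified === true,
  },
];
const USER1 = { name: "user 1", roles: ["itil"], department: "IT", mfaVerified: false };
const USER2 = { name: "user 2", roles: ["itil", "admin"], department: "HR", mfaVerified: true };
const RECORD = { active: true, department: "IT" };

// Stand-alone run: print the Evaluate Access view for user 1 and the
// Show differences only comparison between the two users.
console.table(evaluateAccess(SAMPLE_ACLS, USER1, RECORD).map((r) => ({ seq: r.seq, name: r.name, ...r.checks, status: r.status })));
console.table(compareUserAccess(SAMPLE_ACLS, USER1, USER2, RECORD, true));
```

In the sample, user 1 is blocked on incident.delete at the Role check, so the Security Attribute, Condition and Script columns read Skipped for that row; user 2 passes Role, Security Attribute and Condition on incident.write but is blocked by the script, which is exactly the case the Alert icon asks you to review. With the differences-only filter on, only the write and delete rows remain.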