When implementing ServiceNow for ITBM solutions we are often confronted with the open nature of the authorization model. The OOB ITBM authorization is role based. This means what the user can view/edit is dependent on the user’s role. Many times, clients wish to enhance the authorization to make it more object property based – for example a user should be able to edit the project only when the user is either the project manager of the project or the program manager of project’s program.
Does ServiceNow support such details authorization model? It does! But a lot of time and effort is spent changing or creating new ACLs which start simple but become more complex as new and complex requirements pop up. The number of ACLs for any given implementation will grow and experience says that keeping track and maintaining on who is authorized on which object becomes a humongous task.
Making Authorization Simple – the Odysseus way
To keep things simple and manageable (we like things which are simple) Odysseus has developed an alternative method for managing access to objects in ServiceNow. It provides an easy way to maintain the authorization model by decoupling the logic from the ACLs. Comprehensive conditions can be built in authorization configuration records, taking away the need to write and maintain scripts for ACLs. This approach not only reduces the ACL complexity but also greatly reduces the number of ACLs.
When the user is tries to access data in ServiceNow, the system receives a create/read/update/delete (CRUD) request for that user, the ACLs will use the conditions in the Odysseus Authorization Configuration to determine if the request is allowed or denied.
So here is how it works behind the scene
For each object only a few, typically 4, ACLs need to be configured. These ACLs are all simple, calling a specially developed script which checks the authorization in (custom) authorization configuration table.
The script is simple, and doesn’t need any scripting knowledge.
The script calls a function dependent on the
- the current record
- the current user and
- type of access
This function returns true if the user has the specified type of access to the current record and false otherwise. The function uses a custom table Authorization Configuration.
Authorization Configuration Table
This table will hold the configuration of the access rules. Entries in this table define
- Which table is the condition for?
- Which role is the condition limited to?
- Which set of condition(s) should be met?
- What action(s) is allowed when the conditions are met?
This rather complicated phrase calls for an example!
In the example above, Update access (1) is granted to users with role it_project_manager (2) on records in Project table (3) for which the user is listed as project manager (4).
Additional access can be arranged by either adding extra configuration rules in the table or by enhancing the conditions in the existing configuration.
Taking this a step ahead - Access through hierarchical relationships
One of the big benefits of applying this method is when authorization has to be set up on related or hierarchical data.
A typical example which we come across is when write access has been set up for a project and similar access is necessary on related items such as a cost plan. Instead of setting up the same configuration rules for cost plan as already configured for projects, it is also possible to refer to the existing rules for a project. The ACL on cost plan needs to be call the same script but now dependent on
- type of access
- the current user and
- the task of current record
Access to a related item (cost plan) is in this case verified against the access the user has on the related record (task) for that item. No additional configuration rules are necessary, making maintenance much easier.
Odysseus has developed a solution to simplify the burden of setting up data access in ServiceNow. By using a simple set of ACLs and the custom Odysseus Authorization Configuration table, access to your data is easily configurable, maintainable and extendable.