Advanced User Access Permission Settings in ServiceNow

ServiceNow
Reco Security Experts
Updated August 12, 2024

Tailoring User Access with Advanced Permission Settings in ServiceNow

In the current business environment, managing access to IT service management platforms is essential. ServiceNow provides advanced features for users to set up and maintain permissions. Tailoring user access using advanced permission settings not only improves security but also guarantees that people have the required level of access to fulfill their responsibilities successfully. This article looks into the complexities of configuring user permissions in ServiceNow, highlighting best practices and advanced techniques.

Understanding ServiceNow User Permissions

ServiceNow manages user rights with a role-based access control (RBAC) mechanism. In this model, permissions are assigned to roles, and roles are then granted to users. This approach simplifies maintenance and gives precise control over who may access what on the platform.

1. Roles: Roles in ServiceNow are sets of permissions that specify what users can do. For example, the 'admin' role has extensive permissions, while a 'read-only' role may only permit users to view records without making changes. Here are the steps to create roles:

Step 1: Access the Role table:

Navigate to the "System Security" section, then inside "Users and Groups," select "Roles."

[Screenshot: the Roles list in ServiceNow, showing existing roles and their associated permissions.]

Step 2: Create new Roles:

In the Roles table, click on the "New" button, and create roles for each type of user in your ServiceNow instance.

[Screenshot: the Roles section within the Users and Groups menu in ServiceNow.]

[Screenshot: an empty Role form in ServiceNow.]

2. Groups: Users can be grouped by department, project, or other criteria. Assigning roles to groups rather than to individual users speeds up permission management and keeps it consistent. Here are the steps to create groups:

Step 1: Create new Groups:

Navigate to the "System Security" section, then inside "Users and Groups," select "Groups."

[Screenshot: the Groups section within the Users and Groups menu in ServiceNow.]

In the Groups table, click on the "New" button and create groups for each type of role in your ServiceNow instance.

[Screenshot: the Groups list in ServiceNow, showing the user groups created for managing access and permissions.]

Do not submit the record yet; instead, right-click the form header and click "Save" so that you stay on the form and its related lists become available.

[Screenshot: the Group form in ServiceNow, used for creating and managing user groups.]

In the Roles related list at the bottom of the form, click the "Edit" button.

[Screenshot: the Group form in ServiceNow, including the related lists and fields for configuring group details and roles.]

Add the role you created earlier so that it is associated with the group.

[Screenshot: adding roles to a group in ServiceNow.]

Step 2: Add users to Groups:

You can assign a role to a group to grant access to applications and modules to group members. When you assign roles to groups rather than to individual users, group members inherit the role.

3. Permissions: The concrete read, write, create, delete, and execute rights on modules and records within ServiceNow, enforced through mechanisms such as ACLs.

Configuring Advanced Permission Settings

ServiceNow's advanced permission settings allow users to customize access controls according to specific business needs. Here are important tips for effectively applying these settings:

  • Custom Roles:
    • Define Custom Roles: You can create custom roles related to specific job functions or projects. This ensures users have exactly the permissions they need.
    • Role Hierarchies: Establish role hierarchies to manage permissions efficiently. Higher-level roles can inherit permissions from lower-level ones, simplifying the assignment process.
  • ACLs (Access Control Lists):
    • Record-Level Access: Use ACLs to control access at the record level. This means you can specify which records a user can view or modify based on criteria such as ownership, department, or application.
    • Field-Level Security: ACLs can also restrict access to specific fields within a record. For example, a user might have permission to view a record but not see sensitive fields like salary information.
  • Contextual Security:
    • Dynamic Conditions: Implement dynamic conditions to adjust permissions based on the context. For instance, you can grant temporary access to a user for the duration of a project or based on the status of a ticket.
    • Scripted Security: Use scripts to define complex security rules that are not possible with out-of-the-box configurations. Scripted security can evaluate multiple factors and conditions to determine access rights.
      • The server-side GlideSystem (gs) API has these methods:
        • getUser()
        • getUserID()
        • getUserName()
        • hasRole()
        • isLoggedIn()
        • isInteractive()
        • getSession()
      • The server-side GlideElement API has methods to check whether a user's role allows them to access the associated GlideRecord(s):
        • canCreate()
        • canRead()
        • canWrite()

The server-side methods can be used in any server-side script, such as Business Rules or Script Includes. Server-side scripted security is more secure than client-side scripted security. Note, however, that any user with access to the scripting fields can read the scripts and therefore see exactly what the security checks are.

  • The client-side GlideUser (g_user) API has these methods:
    • hasRole()
    • hasRoleExactly()
    • hasRoleFromList()
    • hasRoles()

The client-side API methods can be used in any client-side script, such as Client Scripts and UI Policy scripts. Client-side security is the easiest security to break. Do not depend on client-side scripts to secure sensitive data.
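The server-side pattern described above, as an added example that is not code from the article or from ServiceNow: a scripted field-level write ACL that combines a gs.hasRole() check with an ownership condition and a record-state condition, so the decision is made on the server rather than in a client script. The hr_employee table, the salary field, the hr_manager role, the sample records and the makeGs() stand-in for the platform's gs object are all assumptions made for this example; on an instance, the platform supplies gs and current and the ACL script assigns the result to answer.

```javascript
// Constructed stand-in for the GlideSystem (gs) methods the ACL uses. On the
// platform gs is supplied by ServiceNow; this mock exists only so the rule can
// be exercised offline. As on the platform, the admin role satisfies hasRole().
function makeGs(user) {
  return {
    getUserID: function () { return user.sys_id; },
    hasRole: function (role) {
      return user.roles.indexOf('admin') !== -1 || user.roles.indexOf(role) !== -1;
    }
  };
}

// Scripted field-level write ACL for a hypothetical hr_employee.salary field.
// In the ACL record's Script field the same logic would end with
//   answer = salaryWriteAllowed(gs, current);
// where `current` is the GlideRecord being evaluated.
function salaryWriteAllowed(gs, current) {
  // Rule 1: HR managers (and admins) may always edit salary.
  if (gs.hasRole('hr_manager')) {
    return true;
  }
  // Rule 2: the employee's own manager may edit it, but only while the
  // compensation review is open. Ownership plus record state together form
  // the dynamic, context-based condition the article describes.
  var isManager = current.manager === gs.getUserID();
  var reviewOpen = current.review_state === 'open';
  return isManager && reviewOpen;
}

// Applies the rule across a list of records, as the platform does when it
// renders a list view, and returns the sys_ids the user may write.
function writableSalaryRecords(gs, records) {
  var allowed = [];
  for (var i = 0; i < records.length; i++) {
    if (salaryWriteAllowed(gs, records[i])) {
      allowed.push(records[i].sys_id);
    }
  }
  return allowed;
}

// Constructed sample data: two users and three employee records.
var SAMPLE_RECORDS = [
  { sys_id: 'e1', manager: 'u2', review_state: 'open' },
  { sys_id: 'e2', manager: 'u2', review_state: 'closed' },
  { sys_id: 'e3', manager: 'u9', review_state: 'open' }
];
var HR_MANAGER = makeGs({ sys_id: 'u1', roles: ['hr_manager'] });
var LINE_MANAGER = makeGs({ sys_id: 'u2', roles: ['itil'] });
```

Because the same function is the only place the decision is made, the client-side g_user.hasRole() checks mentioned above can be used purely to hide or show the field in the UI, while the server still refuses a write that does not satisfy the rule.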

  • Delegated Administration:
    • Scoped Delegation: Delegate administrative tasks to specific users or groups without giving them full administrative rights.
    • Delegated Development: Enable developers to work within a scoped application with permissions confined to that scope, ensuring that they cannot affect the global scope or other application scopes.

  • Audit and Compliance:
    • Audit Trails: Maintain detailed audit trails of permission changes and user activity. This is crucial for compliance with regulatory requirements and internal policies.
    • Periodic Reviews: Conduct regular reviews of user roles and permissions to ensure they align with current business needs and security policies.

Best Practices for Managing Permissions

  1. Principle of Least Privilege: Always follow the principle of least privilege, giving users only the necessary access to complete their tasks. This reduces the possibility of the system being abused accidentally or intentionally.
  2. Regular Audits and Reviews: Regularly audit user permissions and roles to identify and modify any unnecessary access rights. This proactive approach helps in maintaining a secure and efficient ServiceNow instance.
  3. Documentation and Training: Document all custom roles, ACLs, and advanced permission settings. Provide training to administrators and users to ensure they understand the importance of access controls and how to manage them effectively.
  4. Automate Role Assignment: Where possible, assign roles based on user attributes like department, location, or job title. This reduces administrative costs and ensures uniformity.
  5. Segregation of Duties: Implement segregation of duties to prevent conflicts of interest. For example, users who approve changes should not be the same individuals who implement those changes.

Conclusion

Advanced permission settings in ServiceNow provide a powerful tool to personalize user access while combining security with efficiency. Custom roles, ACLs, contextual security, and delegated administration can be utilized to build a tailored access control environment that meets the specific requirements of a business. Regular audits, adherence to best practices, and ongoing training are all required to maintain a strong and secure ITSM system.
