The method of configuring security on Breakdown Element Sources within the Performance Analytics module in ServiceNow is a bit different than similar configurations in most of the other modules in the system. Thus, this article will describe and demonstrate the method of specifying and configuring security and control the access for a Breakdown Element Source in ServiceNow.
Before showing the specific steps in securing a specific Breakdown Element Source, the security model used for these objects should be understood.
The security specified for the Breakdown Element Source can be configured to be one of two specific types (essentially inclusive and exclusive). The method used as well as the role and element restrictions configured for the Breakdown Element Source can be different for each Breakdown Element Source on the instance. The following are the types of configuration the can be configured on the instance:
- BlackList - This setting allows all users EXCEPT those explicitly specified in the record.
- WhiteList - Limits access to the data to those explicitly listed in the record.
Once the list type is determined, the specific security restrictions and limitations for that Source can be specified using various fields and related records on the Security Element List:
- Manually Selected Roles - Each specific role is selected and added to the list. Depending on whether BlackList or WhiteList is selected, the roles listed will either be allowed access or denied access to the data from the Breakdown Source.
- Elements selected by filter - A specific filter is provided and any element that fulfills the given criteria will be have the role security applied. This can be either a static filter (using specific conditions already known at runtime) or this can be a dynamic filter which will be conditions that may not be known at the time of the run.
- Element List - An Element List is a specific list of the elements from the Breakdown that should have the specified access limitations applied. Thus, a filter can be created to restrict certain data elements from the Breakdown Source to be accessible while others are not.
In the section below, instructions to configure the element list types as well as the specific role selection will be detailed as well as examples showing these configurations.
To begin configuring the security for a specific Breakdown Element Source, log in to the instance with an account having admin or pa_admin rights to the instance.
Once logged into the instance, browse to the following location on the instance: Performance Analytics -> Sources -> Breakdown Sources.
Under the list of Breakdown Sources that appears, select the name of the Breakdown Source for which you want to modify the security settings by clicking on the Information icon for that record.
Click the Security tab on the Breakdown Source record that opens.
In the Security type field, select from the pulldown field the type of security list you want to use for the record. Remember that with a type of WhiteList users who are included in the security list will have access to the Breakdown Source data and with a type of BlackList users who are on the security list will be prohibited from accessing the Breakdown Source data.
Note that the default Security type setting for a new Breakdown Source record is BlackList, with no rows found in the Elements Security List. This configuration will apply no restrictions on the data source.
Right click on the record header and select the Save option to save the Security type for this record.
After selecting the Security type, scroll to the related lists and select the related list with the name Elements Security List. A list will appear showing any previously created Security Lists for this record. By default this should be empty.
To create a new Security List record, click the New button. A form to create a new Element Security List will appear. Many of the fields are pre-populated based on the Breakdown Source from which it was created.
In the Name field of the record provide the name for this Security Element List. This name is how the security list will be identified and show in lists.
An optional Description can also be provided for the security list.
After this the specific roles which should be allowed (or disallowed) access to the Breakdown Source data should be specified. If the All Roles checkbox is selected, a user with any role will be able to view the data. However, if the data should be limited to certain users in certain roles, the following steps should be completed on the record:
Manually Selecting Roles
To manually select the specific Roles in the system who can have access to this record, click the All Roles checkbox (which is selected by default on new records) to unselect it. This will then allow specification of the roles from the system which will be part of the security list.
Click the Unlock Roles icon directly under the All Roles checkbox.
A Roles selector will then appear. Use the Selector to locate and populate the records with all the roles that should be part of this Security List.
When satisfied with the list of roles selected, click the Lock Roles icon.
After specifying the roles that should be part of this security list, right click on the header of the record and click the Save option in the pop-up menu that appears.
After configuring the list of Roles (or All Roles) that can access the Breakdown Source data, the specific elements of that Breakdown Source for which this security model should be applied is configured. This can be done using two methods:
To specify a filter for the Security List, scroll to the elements section of the record. Ensure the Select Elements section is unchecked.
A Condition Builder section should appear. This condition builder will the administrator to specify conditions based on the facts table of the associated Breakdown Source.
Using the condition builder, specify the conditionals that should be used to determine if the data from this Breakdown Source should be accessible.
In most cases the conditions specified will be static conditions in which the values are already known by the system. However, Note that the Conditional can also contain a dynamic condition or even a custom or system function call.
After creating the full list of conditions that will determine access to the data from the Breakdown Source, right click on the record header and select the Save option from the pop-up menu that appears.
A Breakdown Source can also be limited based on specific elements from the Breakdown Source. To configure this type of restrictions, use these steps:
Scroll to the related list titled Elements List that is associated with this Elements Security List.
Click the New button that appears with this related list.
A new Elements List record form will appear.
Click the Search icon to the right of the Element field on this new record form.
Select the Element for which this record to apply to from the list by clicking it's label. The Security Elements List record should reappear.
Click the Submit button for the Elements List record.
Repeat for each Element from the Breakdown Source for which this restriction should apply.
Click the back button to return to the parent Breakdown Source record.
Note that before the Element List related list will appear, the Element Security List must have been saved at least once.
Note that in many cases a combination of all these settings are used to allow a high level of customization to the specific roles which can access the data and the specific elements of that data that can be accessed by those roles.