A very convenient feature of the reporting system in ServiceNow is the capability to publish reports from a ServiceNow instance which can be accessible to anyone whether that individual has an account on the instance or not. When the reports are no longer needed this report can then be unpublished. However, with this capability, questions naturally arise as to, once a report is published, who this report and it's data is accessible to. This article will strive to answer some of these questions to provide a better understanding as to what publishing a report actually means.
Publishing a report from within the system will cause this report to be publicly accessible and will generate a unique URL for this report from which any individual who has access to the Public Internet can access. Thus, any individual who accesses this URL from the public Internet will be able to view this published report. No account on the source instance from which the report was published is required and the individual accessing the URL will not be prompted for credentials of any kind.
Thus, while publishing a report can be a powerful tool to allow this data to easily be shared with any user who has access to the Public Internet, care must also be taken to ensure that no data that should not necessarily be publicly accessible be found on such a report.
With this in mind, there are a few stipulations on what data might be displayed on a published report:
Any Business Rules that are configured on the data for which a report will need to access, will be run on that data before the report is rendered for the viewer. This is most commonly found on a "query" type Business Rule associated to the table from which the report obtains it's data. Thus, if the report is not showing the expected results to anonymous users, any query Business Rules on the source table should be checked to ensure that those Business Rules are not filtering that data based on various criteria that might be specified in that Business Rule.
Although viewable, the published report cannot be edited or modified from the public URL link. Thus, to edit the report, or any data found in the report, the individual would need to be logged into the ServiceNow instance and have the proper permissions as for editing any other report found on that instance and would need to access the actual report record in edit mode.
In a List type report (a report showing a list of individual or grouped records), the user must still have the necessary permissions to view that individual record or it will not appear in the list generated by the report. Thus, for a completely anonymous user who is not logged into the instance, the records would need to be viewable by the "public" role in order to appear in the report for that user.
The URL which is normally generated for the report is unique to that report and contains a suffix of the sys_id of the report. This URL will appear similar to the following:
In which <Instance_Name> is the name of the instance from which the report was published and <SYS_ID> is the unique System Identifier of that report record on that instance. The probability of someone randomly accessing this URL is thus infinitesimally small, however, this can, in in no way, provide any actual security for preventing access to the report.
Once a report is unpublished this URL will no longer allow valid access to this report, neither for those logged in or not. Attempting to access the published URL will generate a message indicating that the report is not available.
If a non-logged in user attempts to click into a drill-down in a graphical report which opens a non-published report (or a list of individual records from that table), the user will be prompted to log into the instance with a valid user name and password.
Another issue that may sometimes be encountered is that a published report may, instead of displaying the graph as expected, may instead redirect the individual to a login page. This may be due, as indicated above due to non-published objects on the page, or may also be due to the fact that the sys_public record usually associated to the published report display page has been removed from the instance or has been set such that it is no longer active.
To correct this particular issue, an active record must be found in the sys_public table corresponding to the sys_report_display page. If this record is not found, this record should be re-added to the instance. Or, if the record is found there but currently set to inactive, the Active checkbox should be checked and the record saved.
The following KB Article describes how to Publish or Unpublish a report from an instance using the Report Builder interface:
The following article describes how to How to Publish and Unpublish a report on an instance using the Report Designer interface:
More in-depth article describing some of the common causes of incomplete reports in a ServiceNow published report: