Nov 09

ServiceNow Security Tips

General Add comments
by:

securemanSecurity is always a topic of discussion during an implementation. guard

The specific requirements always differ per customer and are often – if not always – based on company policies and personal preference. ServiceNow offers a wide range of options to enhance data- and system access security on an environment. This blog focuses on some basic “good practice” approaches on creating and maintaining data security.

More information about overall security is outlined on the following WIKI-link: http://wiki.service-now.com/index.php?title=Security.

Your best friends in configuring data security are ACL rules.

How they work and how they should be used is very well described on the ServiceNow Wiki-pages.
You can find more information about the configuration of these ACL on http://wiki.service-now.com/index.php?title=Using_Access_Control_Rules.


Below I’ve included some “good practice” guidelines which should be considered when you think about basic security of a ServiceNow instance.

  • Make sure the version of the ServiceNow instance is as update-to-date as possible. ServiceNow are constantly introducing new ACL’s, properties and other opportunities to improve security on an instance.
  • Make sure that lower level master data is properly secured with ACL rules. Reference fields can give easy access to lower level master data and possibly allow a user to perform actions you normally would not allow them to perform (write or even delete :-().
  • Where possible, try to use ACL rules rather than Client Scripts/UI Policies to create read-only fields. Client Scripts and UI Policies are only evaluated on the form, where ACL’s also evaluate on lists. This way you prevent unwanted list-edits and nasty surprises.
  • Limit the amount of admin users in a production system.
  • Don’t assign the admin role to process users. The admin role increases the capabilities of a user within the system and could cause certain process and data evaluations to be skipped or behave differently.
  • Maintain a good user off-boarding procedure and lock out people that are no longer required to be in the system.

    • Certainly the last item on the list is often overlooked, but is as important as onboarding (priviliged) users.
    And if you are looking for assistance in securing your ServiceNow instance, don’t hesitate to reach out.

    You can contact me if you have any questions on frans.van.der.sar@2e2.nl.

    guard Be secure!

    Leave a Reply