Unexpected behavior using ServiceNow Domain functionality


We have a client that stretches the possibilities of ServiceNow domain separation to the limit.
In this article I would like to share an example of something that did not go as expected.

The domain structure:

[Figure: the client's domain structure; the diagram was not preserved in this copy]
The form

The client works with incident tasks (incident_task records), which can be assigned to various solution groups.
Some of the solution groups operate in a different domain than the (parent) incident. Incidents are created by "Customer A". The incident task is executed by a solution group in India. Because the data in the incident ticket has a high security classification, the client used domain separation to prevent the solution group from seeing the data on the parent incident. With this setup the customer can see all the data in the solution group's tickets, while the solution group sees only the data it needs to complete the incident_task.

On the incident_task form some fields are displayed from the (parent) incident via dot-walking. "Customer A" would see the ticket like this (not blurred, of course):

[Screenshot: the incident_task form as seen by a user in the Customer A domain, with the parent incident fields filled in; image not preserved]

A solution group member in the India domain would see the same ticket like this:

[Screenshot: the same incident_task form as seen by a user in the India domain; image not preserved]

Notice that the fields of the incident (dark grey) are empty. The current user has no rights to see the information from the incident.

The Unexpected…

Some of the users in the India domain were given incident write rights for other duties. Suddenly the form looked a bit different:

[Screenshot: the incident_task form as seen by an India-domain user with incident write rights; image not preserved]

Notice that the field incident.company is now writeable. The current user cannot see the value on the (parent) incident, so the field is rendered empty, but because the user has the right to change incidents the field is editable, and the (empty) value is written back. When the incident task is saved, the parent incident is changed by a user from a different domain who should have no access to that ticket at all.

In this case the ticket ended up in the global domain and was visible for all other clients in the system.

You can prevent this from happening by configuring proper Access Controls and – as usual – spending some time on proper testing.
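As an added illustration (not code from the original article and not ServiceNow's own API), the following stand-alone JavaScript models the situation described above: a domain tree, the domain visibility rule, the dot-walked incident field on the task form, and two save paths. The naive save applies a dot-walked change to the parent whenever the user holds the write role, which reproduces the unexpected update; the guarded save additionally requires that the user could read the parent record under the domain rules, which is the check a proper Access Control would enforce. The domain tree (global > customer_a > india), the record fields, the role name and every function name are assumptions made for this example.

```javascript
// Added example: a stand-alone model of domain visibility for dot-walked
// parent fields. Domain names, record shapes, role names and helper names
// are constructed for this illustration and are not ServiceNow APIs.

// Constructed domain tree: each domain names its parent; global has none.
const DOMAIN_PARENT = {
  global: null,
  customer_a: "global",
  india: "customer_a",
};

// True if `domain` is `ancestor` itself or lies below it in the tree.
function isWithin(domain, ancestor) {
  for (let d = domain; d !== null && d !== undefined; d = DOMAIN_PARENT[d]) {
    if (d === ancestor) return true;
  }
  return false;
}

// Domain visibility: a user sees records in their own domain, in any
// sub-domain, and in global. Records in a parent domain stay hidden.
function canReadRecord(user, record) {
  return record.sys_domain === "global" || isWithin(record.sys_domain, user.sys_domain);
}

// Role check only: this is all the "incident write rights" in the article granted.
function hasWriteRole(user, table) {
  return user.roles.includes(`${table}_write`);
}

// How the task form presents a dot-walked parent field: the value is blank
// when the parent is not visible, yet the field is editable when the user
// holds the write role. That mismatch is the symptom in the screenshots.
function renderParentField(user, parent, field) {
  return {
    value: canReadRecord(user, parent) ? parent[field] : "",
    writable: hasWriteRole(user, "incident"),
  };
}

// Naive save: applies every change, resolving "incident.<field>" against the
// parent record with nothing but the role check. Reproduces the article's bug.
function naiveSave(user, task, parent, changes) {
  for (const [field, value] of Object.entries(changes)) {
    if (field.startsWith("incident.")) {
      if (hasWriteRole(user, "incident")) parent[field.slice("incident.".length)] = value;
    } else {
      task[field] = value;
    }
  }
  return { task, parent, rejected: [] };
}

// Guarded save: a dot-walked field is written only if the user can both read
// the parent under the domain rules and holds the write role; anything else
// is dropped and reported so it can be logged and reviewed.
function guardedSave(user, task, parent, changes) {
  const rejected = [];
  for (const [field, value] of Object.entries(changes)) {
    if (field.startsWith("incident.")) {
      if (!canReadRecord(user, parent) || !hasWriteRole(user, "incident")) {
        rejected.push(field);
        continue;
      }
      parent[field.slice("incident.".length)] = value;
    } else {
      task[field] = value;
    }
  }
  return { task, parent, rejected };
}

// Constructed sample data mirroring the article's scenario.
function scenario() {
  const parent = { sys_id: "INC-1", sys_domain: "customer_a", company: "Customer A" };
  const task = { sys_id: "TASK-1", sys_domain: "india", parent: "INC-1", work_notes: "" };
  const indiaUser = { name: "india_engineer", sys_domain: "india", roles: ["incident_write"] };
  return { parent, task, indiaUser };
}

// Runs the same form submission through both save paths and reports the
// resulting value of the parent's company field.
function demo() {
  const submitted = { "incident.company": "", work_notes: "done" };
  const a = scenario();
  const leaky = naiveSave(a.indiaUser, a.task, a.parent, submitted);
  const b = scenario();
  const safe = guardedSave(b.indiaUser, b.task, b.parent, submitted);
  return {
    form: renderParentField(a.indiaUser, scenario().parent, "company"),
    leakyCompany: leaky.parent.company,
    safeCompany: safe.parent.company,
    rejected: safe.rejected,
  };
}

console.log(demo());
```

Run it with `node`: `demo()` shows the form rendering the company field as empty yet writable, the naive path blanking the parent's company, and the guarded path leaving the parent untouched while reporting `incident.company` as rejected. The point of the guard is that a write right alone is not enough; a change to a record the user cannot see must be refused rather than silently applied.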

Please contact me if you would like to know more about this issue on stefan.bohncke@2e2.nl
