Defining a complex role Security

General No Comments »
by:

Some of our customers require a complex role security for the setup in ServiceNow. This can mean that multiple tool roles are used and each of them has different abilities on the fields and buttons in the tool. Defining the requirements for a complex role security can be difficult. Not only for the customer but also for the developers who need to build it. This can be a complex process because of the amount of fields, buttons statuses and roles that might be required
To make life easier we use a “Security Matrix” document that helps defining the security setup. The matrix provides an overview of the fields and buttons that are present on an entity (i.e. an Incident record or change record) set against the roles and statuses that can be used. For each field/button the matrix indicates what each role in all different statuses is allowed to do within the system.
Continue reading…»

Are you using Financial Management?

General No Comments »
by:

During my adventures in ServiceNow I bumped into the Financial Management module. Normally we ITSM people take a big leap around it and we focus on process that are more familiar to use like change or incident management. In this blog article I want to show how ServiceNow is able to support some of the underlying processes of Financial Management for IT.
Continue reading…»

IT Portfolio Management: what has ServiceNow to offer?

General No Comments »
by:

I’m currently implementing a form of IT Portfolio Management for a customer. Unfortunately this is not done in ServiceNow but with another tool. As my previous experience with ServiceNow was very positive, I was curious how this tool would perform out-of-the-box (OOB) for IT Portfolio Management.

What is IT Portfolio Management?

There are a lot of definitions out there that describe IT Portfolio Management.
Gartner: Gartner defines portfolio management as a shift from the practice of using a single integrated application for the support of business requirements to using a collection of applications, technologies and services to create a system that addresses the unique requirements of an organization and leverages best-of-breed opportunities.
Wikipedia: IT portfolio management is the application of systematic management to large classes of items managed by enterprise Information Technology (IT) capabilities. Examples of IT portfolios would be planned initiatives, projects, and ongoing IT services (such as application support).
To me IT Portfolio Management deals with making sure investments in IT are supporting the needs of the business. This should be done by focusing on areas as planning, delivering and evaluating the IT Assets that are used by the business. IT assets typically are Services, Applications and Technologies.

What has ServiceNow to offer?

Searching the ServiceNow Wiki on portfolio management I encountered two areas dealing with portfolio management: Service Portfolio Management.

Project Portfolio Management

The Project Portfolio Management functionality provides the ability to create projects which can be linked to tasks and resources. When linking multiple tasks to a project it is useful to use a Gantt chart to understand the possible complexity of the project and dependencies between tasks. ServiceNow is able to provide this in a very user friendly way, including the possibility to drill-down to lower levers within the data.
Continue reading…»

Where the ServiceNow password generator can make life easier

General No Comments »
by:

Providing passwords to existing or new users can be time consuming.  If you need to provide a new password to one user you have to manually update the user record with a new password and add this password to a separate email which will be send to the end-user.  When you have to update multiple users with new passwords this will take even more time.

By reusing the password generator time can be saved by automating some of the actions mentioned above.

Password generator

The password generator is part of the “Self Service Password Reset” plugin and can be used by the end-user to request a password reset that is automatically handled by the system. When this request is made by the user the generator creates a password based on an algorithm after which it is send to the end-user by email.

There can be numerous ways to trigger this password generator. In this blog I will focus on one of them.

On the user record (sys_user table) the field “Password needs reset:” can be used as a trigger to generate a new password and to send out an email to the user with this new password. When the mentioned field is used as a trigger the user is also requested to adjust this generated password to a new one when logs in with this password.

New implementations and user maintenance

When a new implementation is planned that will be used by a large amount of new users you can use the password generator to lower the amount of work for the support team. By mass-updating the field “Password needs reset:” on the new user records, emails with the new passwords are automatically send by the system. This replaces the manual updating of the password field on all user records and also the sending of the emails with the credentials to all new users.

Some customers do not allow the use of the “Forgot your login credentials?” because of misuse and related security issues.
This means that existing end-users will have to contact the support desk to reset a password. To lower the amount of work that comes with these requests the support team can use the password generator. For each request they can use the “Password needs reset:” field in combination with the provided script to prevent the manual update of the password field on the user records with a new password. Also no separate email will have to be created by the support team member with the new credentials.

Passwords and compliancy

Passwords are from a compliancy perspective not that exiting to audit. Most tools deal with password rules that can be enforced to meet a specific set of characters that can be easily checked. In ServiceNow you can enable this by activating the ValidatePassword and ValidatePasswordStronger scripts.
These are by default inactive and can be found under System Definitions > Installation Exits.

More interesting is the process around the providing of these passwords. Often users are provided with a default password that an Application Administrator creates for them. This is something like WELKOM123, WELKOM with the date behind it or another simple password.  These passwords are very risky because they are highly guessable. Also the Application Administrator knows the password that he has provided to the end user. If he wants he could harm the organization by logging in with the user’s credentials and execute unauthorized actions under the name of the user.

By using the password generator to provide passwords to new and existing users the above situation will not occur anymore. An auditor will also be very pleased whit this approach regarding the provisioning of passwords.

Script

The business rule script that can be used to trigger the password generator by the field “Password needs reset:” field is the following:

Condition:

current.password_needs_reset.changes(true)

Script:

[cc lang=”javascript”]
var pnr = new PasswordResetAJAX();
var currentuser = current.user_name
var useremail = current.email

pnr._resetPassword(currentuser, useremail);
[/cc]
If needed the default password reset notification that is send by the password generator can be adjusted so that it also reflects password creations that have not been triggered by the end user with the “Forgot your login credentials?” . This can be done under System Policy > Notifications

If you have any questions you can contact me on olivier.cramer@2e2.nl

FDA and ServiceNow

General No Comments »
by:

Currently I’m working as Quality and Test coordinator on a Service-now.com (SNC) project for a pharmaceutical company. This company has to comply with specific rules for companies that produce pharmaceutical products.

In this blog I would like to give an overview of some of the rules required for IT systems by governmental institutes such as the FDA.

I will indicate how SNC can help complying with these rules.
Continue reading…»