Permission Mirroring - Update Set Modules
Permission Mirroring - Update Set Modules
To further enhance your Moveworks experience, Moveworks provides plugins that are installed through Update Sets for advanced ServiceNow functionality
Permission Mirroring - Update Set Modules
Moveworks Update Set Modules were designed to be modular and bite-sized. Rather than shipping one giant update set, we chose to ship our updates as “Modules.” There are a couple of key benefits to this approach.
To install a Module, you can follow the three steps below, or watch this video.
To update a Module, you will follow the same steps as above. There may be some merge conflicts when installing. If you’re having trouble resolving these, reach out to Moveworks Support for assistance.
In general, it is safer to accept the remote update and then ask Moveworks to run any configuration scripts for that module.
base)Provides Core Functionality to Support Our Modules
The moveworks_user role must be granted to our service account for our Update Set Modules to function properly. It also is how we restrict access to custom APIs and Tables.
System Properties help our GlideScripts access the right constants (values) for your instance. For example, we might need to look up our bot’s sys_id, or change an email color to match your corporate theme. We also keep these for internal reporting and validation. Since, in this case, Moveworks’ code lives in an external system, our engineers need visibility into versioning, as well as the ability to validate expected results/contracts when our services start up. These attributes are exposed over the /version endpoint and we maintain them for audit purposes.
moveworks.base.version - identifies the version of this Update Set Module.moveworks.base.api.sys_id - identifies the sys_id of the Scripted REST API that we install in order to interact with your system.The Scripted Rest API handles authentication for our custom endpoints to make sure only our user has the ability to send requests to that endpoint. It also serves as the parent for all endpoints in future modules.
We have one Scripted REST Resource that ships with the base module.
GET moveworks/base/version - this endpoint lets our CS team know what version you have for each Update Set Module.
Example Request
Example Response
We ship a MoveworksBaseUtils sys_script_include with our base module to serve as system property accessors and improve our ability to work with GlideRecords.
To prevent unauthorized access to the Scripted REST API, we have created an ACL (type = execute) and associated it with the moveworks_user role.
acl)Respect User Criteria & Roles When Serving Content In-Bot
moveworks.acl.version - identifies the version of this Update Set Module. Maintained for the same reasons as in the base module.moveworks.acl.check_legacy_entitlements - determines if we evaluate User Entitlements to determine access to forms. We need this flag to minimize the performance cost of running our script based on your instance’s configuration. When disabled, it reduces the number of GlideRecord lookups by roughly 8 lookups per record.GET moveworks/acl/get_access_info - this is our production endpoint which returns information like User Criteria sys_ids so that we can support ServiceNow’s permission rules on our servers.
Example Request
Example Response
PUT moveworks/acl/config - this endpoint configures our Update Set Module to ignore/evaluate User Entitlements by updating the system property moveworks.acl.check_legacy_entitlements to True or False accordingly. Whether this is set to True or False depends on the ServiceNow instance’s usage/configuration details.
Example Request
Example Response
We extract sys_ids wherever possible to protect the anonymity of user & resource constraints. These raw materials enable us to be accurate without sacrificing confidentiality. Moveworks considers all of the following for any modern ServiceNow implementation.
If your system is equipped with legacy User Entitlements, Moveworks will also ingest the following information.
We leverage ServiceNow’s Security ACLs to restrict usage of this endpoint to users with either the admin role or the moveworks_user role.
You can review changes under “My Company Applications” (search for “moveworks.”). We’ll also share some documentation on the contents of each of our modules.
If you ever need to revert changes you can do so easily with the click of a button. Simply find the update set under “Retrieved Update Sets” and select “Back Out”.
Yes, the Moveworks Update Set does support ingestion of HR User Criteria such that it can be enforced in the bot, just like IT User Criteria. However, if you are leveraging the Human Resources: Core application to build out your HR knowledge in your ServiceNow instance, you will likely need to additionally install the HR_ACL_Patch update set due to a limit in cross-scope privileges on the Moveworks Platform Permissions REST API. Please reach out to Moveworks support for more information on this.