Access Control - Platform Permissions (ServiceNow User Criteria)

Overview

If you already have access control rules inside ServiceNow, Moveworks can ingest those permissions to natively support your access control rules for Forms & Knowledge. With Platform Permissions, Moveworks integrates directly with ServiceNow to import User Criteria, User Entitlements, or Roles defined in ServiceNow into the Moveworks platform, and follow the defined User Criteria restrictions accordingly.

📘

Note: In rare cases, if your ServiceNow user profile has elevated access outside of User Criteria, you may see discrepancies between the resources visible in your end-user portal and those accessible via the Moveworks bot. This is highly unlikely to impact the vast majority of your employees.

Architecture

Every 24 hours, Moveworks will import access control restrictions directly from ServiceNow.

Advanced User Criteria in ServiceNow

Moveworks will support your Advanced User Criteria. However, it is important to note that your advanced user criteria scripts, must follow the guidelines below.

ServiceNow has published that Advanced User Criteria aka scripted user criteria that utilize GlideSession API’s result in conflicts in certain scenarios, for example when used in diagnostic tools:

Source: Create a new user criteria documentation from ServiceNow

For scripted User Criteria records to behave properly, all usages of session API’s MUST to be converted to use the user_id variable instead. You will need to do the following:

  • Replace gs.getUserID() with user_id
  • Replace gs.getUser() with gs.getUser().getUserByID(user_id)
  • If you are using user_id inside a function defined within Advanced User Criteria Script, make sure that user_id passed from global context into the function as a parameter.

Incorrect Example:

// NOT CORRECT
function test() {
  return (user_id == "f6feeaf44751411078d38a5f746d430a")
}
test() # Notice how user ID is not passed in, this is not correct

Corrected Example

// CORRECT
function test(user_id) {
  return (user_id == "f6feeaf44751411078d38a5f746d430a")
}
test(user_id) # Notice how user_id is passed in as a parameter to the function test()

This is ServiceNow’s latest recommendation per the user criteria migration guide. If you do not do this, it will not be possible for the Moveworks Bot to enforce your complex user criteria because the UserCriteriaLoader , leveraged by Moveworks Platform Permissions, ONLY checks that the user satisfies the script if the user_id attribute (passed into the script by default) is used to make a decision for advanced User Criteria scripts.

This means that usage of any session APIs invalidate the accuracy of UserCriteriaLoader and may cause your employees to gain unauthorized access to your ServiceNow resources, or prevent them from viewing material they do have access to.

HR User Criteria in ServiceNow

By supporting advanced User Criteria above, HR User Criteria is also supported. We have noticed in some scenarios, user criteria objects are not returned due to scoping issues. If you notice this behavior, we have created a patch to the Update Set that can be installed to support HR User Criteria. Please reach out to your Moveworks Customer Success team for details on this.