DocumentationDeveloperAcademyCommunitySupportLogin

Access Control - Platform Permissions (ServiceNow User Criteria)

Suggest Edits

Overview

If you already have access control rules inside ServiceNow, Moveworks can ingest those permissions to natively support your access control rules for Forms & Knowledge. With Platform Permissions, Moveworks integrates directly with ServiceNow to import User Criteria, User Entitlements, or Roles defined in ServiceNow into the Moveworks platform, and follow the defined User Criteria restrictions accordingly.

Architecture

Every 24 hours, Moveworks will import access control restrictions directly from ServiceNow.

Advanced User Criteria in ServiceNow

Moveworks will support your advanced, scripted User Criteria. This means, by extension, your HR Criteria will also be respected. However, there are some prerequisites.

ServiceNow has published that Advanced User Criteria (i.e., those that include Scripts) were causing conflicts due to methods used in the scripts. Specifically, any scripted user criteria that utilize GlideSession API’s result in conflicts when used in diagnostic tools:

Source: Create a new user criteria documentation from ServiceNow

For these scripted User Criteria records to behave properly, all usages of session API’s MUST to be converted to use the user_id variable instead. You will need to do the folllowing:

  • Replace gs.getUserID() with user_id
  • Replacegs.getUser() with gs.getUser().getUserByID(user_id)
  • If you are using user_id inside a function defined within Advanced User Criteria Script, make sure that user_id passed from global context into the function as a parameter

:x: Incorrect Example:

// NOT CORRECT
function test() {
  return (user_id == "f6feeaf44751411078d38a5f746d430a")
}
test() # Notice how user ID is not passed in, this is not correct

:white-check-mark: Corrected Example

// CORRECT
function test(user_id) {
  return (user_id == "f6feeaf44751411078d38a5f746d430a")
}
test(user_id) # Notice how user_id is passed in as a parameter to the function test()

This is ServiceNow’s latest recommendation per the user criteria migration guide. If you do not do this, it will not be possible for the Moveworks Bot to enforce your complex user criteria because the UserCriteriaLoader , leveraged by Moveworks Platform Permissions, ONLY checks that the user satisfies the script if the user_id attribute (passed into the script by default) is used to make a decision for advanced User Criteria scripts.

This means that usage of any session APIs invalidate the accuracy of UserCriteriaLoader and may cause your employees to gain unauthorized access to your ServiceNow resources, or prevent them from viewing material they do have access to.

Updated 17 days ago