Access Control - Platform Permissions (ServiceNow User Criteria)
Overview
If you already have access control rules inside ServiceNow, Moveworks can ingest those permissions to natively support your access control rules for Forms & Knowledge. With Platform Permissions, Moveworks integrates directly with ServiceNow to import User Criteria, User Entitlements, or Roles defined in ServiceNow into the Moveworks platform, and then follows the defined User Criteria restrictions accordingly.
Architecture
Every 24 hours, Moveworks will import access control restrictions directly from ServiceNow.
Advanced User Criteria in ServiceNow
Moveworks will support your advanced, scripted User Criteria. This means, by extension, your HR Criteria will also be respected. However, there are some prerequisites.
ServiceNow has published that Advanced User Criteria (i.e., those that include scripts) were causing conflicts due to methods used in the scripts. Specifically, any scripted user criteria that use GlideSession APIs result in conflicts when used in diagnostic tools:

Source: "Create a new user criteria" documentation from ServiceNow
For these scripted User Criteria records to behave properly, all usages of session APIs MUST be converted to use the user_id variable instead. You will need to do the following:
- Replace gs.getUserID() with user_id
- Replace gs.getUser() with gs.getUser().getUserByID(user_id)
- If you are using user_id inside a function defined within an Advanced User Criteria script, make sure that user_id is passed from the global context into the function as a parameter
Incorrect Example:
// NOT CORRECT
function test() {
    return (user_id == "f6feeaf44751411078d38a5f746d430a")
}
test() // Notice how user_id is not passed in; this is not correct
Corrected Example:
// CORRECT
function test(user_id) {
    return (user_id == "f6feeaf44751411078d38a5f746d430a")
}
test(user_id) // Notice how user_id is passed in as a parameter to the function test()
This is ServiceNow's latest recommendation per the user criteria migration guide. If you do not do this, it will not be possible for the Moveworks Bot to enforce your complex user criteria, because the UserCriteriaLoader leveraged by Moveworks Platform Permissions ONLY checks that the user satisfies the script if the user_id attribute (passed into the script by default) is used to make a decision for advanced User Criteria scripts.
This means that usage of any session APIs invalidates the accuracy of UserCriteriaLoader and may cause your employees to gain unauthorized access to your ServiceNow resources, or prevent them from viewing material they do have access to.
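A pre-migration check for the conversion described above, as an added example (not Moveworks or ServiceNow code): a heuristic lint that flags the patterns this page says must be converted, run over the script text of each Advanced User Criteria record. The names auditUserCriteriaScript and functionBody and the third sample script are assumptions made for illustration; gs.getSession() is flagged as a further session API beyond the two calls the page lists.

```javascript
// Added example: heuristic lint for Advanced User Criteria scripts.
// Regex-based, not a parser: review each finding by hand.
function auditUserCriteriaScript(source) {
  const findings = [];
  // Drop comments so commented-out calls are not reported.
  const code = source.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/.*$/gm, '');

  if (/\bgs\s*\.\s*getUserID\s*\(/.test(code)) {
    findings.push('gs.getUserID(): replace with user_id');
  }
  // gs.getUser() is only acceptable when chained to .getUserByID(user_id).
  const getUser = /\bgs\s*\.\s*getUser\s*\(\s*\)(\s*\.\s*getUserByID\s*\(\s*user_id\s*\))?/g;
  for (const m of code.matchAll(getUser)) {
    if (!m[1]) findings.push('gs.getUser(): replace with gs.getUser().getUserByID(user_id)');
  }
  if (/\bgs\s*\.\s*getSession\s*\(/.test(code)) {
    findings.push('gs.getSession(): session API, decide on user_id instead');
  }
  // Functions that read user_id must declare it as a parameter.
  const fn = /\bfunction\s*([A-Za-z_$][\w$]*)?\s*\(([^)]*)\)\s*\{/g;
  for (const m of code.matchAll(fn)) {
    const params = m[2].split(',').map((p) => p.trim());
    const body = functionBody(code, m.index + m[0].length - 1);
    if (!params.includes('user_id') && /\buser_id\b/.test(body)) {
      findings.push(`function ${m[1] || '(anonymous)'}(): reads user_id but does not take it as a parameter`);
    }
  }
  return findings;
}

// Return the text between the brace at openIdx and its matching close brace.
function functionBody(code, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < code.length; i++) {
    if (code[i] === '{') depth++;
    else if (code[i] === '}' && --depth === 0) return code.slice(openIdx + 1, i);
  }
  return code.slice(openIdx + 1); // unbalanced braces: treat the rest as the body
}

// The page's two examples plus one constructed script that uses session APIs.
const SAMPLES = {
  incorrect: 'function test() {\n  return (user_id == "f6feeaf44751411078d38a5f746d430a")\n}\ntest()',
  corrected: 'function test(user_id) {\n  return (user_id == "f6feeaf44751411078d38a5f746d430a")\n}\ntest(user_id)',
  constructed: 'var u = gs.getUser(); // session user\nanswer = u.hasRole("itil") && gs.getUserID() != "";',
};
for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, auditUserCriteriaScript(src));
}
```

A script with no findings can still be wrong in ways a regex cannot see, so treat an empty result as "no known session-API pattern found", not as proof the criteria will be enforced correctly.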