Access Control - Platform Permissions (ServiceNow User Criteria)
Overview
If you already have access control rules inside ServiceNow, Moveworks can ingest those permissions to natively support your access control rules for Forms & Knowledge. With Platform Permissions, Moveworks integrates directly with ServiceNow to import User Criteria, User Entitlements, or Roles defined in ServiceNow into the Moveworks platform, and follow the defined User Criteria restrictions accordingly.
Note: In rare cases, if your ServiceNow user profile has elevated access outside of User Criteria, you may see discrepancies between the resources visible in your end-user portal and those accessible via the Moveworks bot. This is highly unlikely to impact the vast majority of your employees.
Architecture
Every 24 hours, Moveworks will import access control restrictions directly from ServiceNow.
Advanced User Criteria in ServiceNow
Moveworks will support your Advanced User Criteria. However, it is important to note that your advanced user criteria scripts, must follow the guidelines below.
ServiceNow has published that Advanced User Criteria aka scripted user criteria that utilize GlideSession API’s result in conflicts in certain scenarios, for example when used in diagnostic tools:
Source: Create a new user criteria documentation from ServiceNow
For scripted User Criteria records to behave properly, all usages of session API’s MUST to be converted to use the user_id variable instead. You will need to do the following:
- Replace
gs.getUserID()
withuser_id
- Replace
gs.getUser()
withgs.getUser().getUserByID(user_id)
- If you are using
user_id
inside a function defined within Advanced User Criteria Script, make sure thatuser_id
passed from global context into the function as a parameter.
❌ Incorrect Example:
// NOT CORRECT
function test() {
return (user_id == "f6feeaf44751411078d38a5f746d430a")
}
test() # Notice how user ID is not passed in, this is not correct
✅ Corrected Example
// CORRECT
function test(user_id) {
return (user_id == "f6feeaf44751411078d38a5f746d430a")
}
test(user_id) # Notice how user_id is passed in as a parameter to the function test()
This is ServiceNow’s latest recommendation per the user criteria migration guide. If you do not do this, it will not be possible for the Moveworks Bot to enforce your complex user criteria because the UserCriteriaLoader
, leveraged by Moveworks Platform Permissions, ONLY checks that the user satisfies the script if the user_id
attribute (passed into the script by default) is used to make a decision for advanced User Criteria scripts.
This means that usage of any session APIs invalidate the accuracy of UserCriteriaLoader
and may cause your employees to gain unauthorized access to your ServiceNow resources, or prevent them from viewing material they do have access to.
HR User Criteria in ServiceNow
By supporting advanced User Criteria above, HR User Criteria is also supported. We have noticed in some scenarios, user criteria objects are not returned due to scoping issues. If you notice this behavior, we have created a patch to the Update Set that can be installed to support HR User Criteria. Please reach out to your Moveworks Customer Success team for details on this.
Updated 30 days ago