3 tips to enhance reporting security
June 7, 2024
As a ServiceNow admin, you want to encourage users to use platform features like Reporting. Reporting can give users good insights into their data in real time. Nevertheless, you want to be sure that basic security rules are applied and that reporting does not increase exposure to threats like data leakage or unauthorized data access.
ServiceNow has special report-related Access Control types like “report_view” and “report_on” ACLs. I do not want to talk about these in this blog. Instead, I want to give you three simple tips on system properties that you should check within your instances, as they might not yet be set to the secure value.
Let’s take a look.
Disallow unauthenticated published reports
Publishing a report might sound harmless, but the term is a bit misleading. Publishing a report actually means that you make it accessible to anybody who gets hold of (or somehow finds out) the URL. Such a user does not even need to be logged in.
Therefore, ServiceNow's security recommendation is to disable publishing of reports unless there is a real business case for it. And if there is, I recommend closely monitoring which reports are published and who can publish them. Perhaps there should even be an approval step beforehand.
Simple rule: Sharing - Yes! Publish - No! :-)
On new instances, this property is already set to the proper (secure) value by default. But in my experience, older instances might still need it set. Are you working on an older instance? If so, take the following action.
Action: Set the system property “glide.report.published_reports.enabled” to false. Review and unpublish all currently published reports, and contact their owners.
More details can be found here.
Enforce security rules to sharing dashboards
You know, for sure, that ServiceNow users can share their dashboards with other users, groups, or roles. But did you know that ServiceNow does NOT evaluate ACLs (Access Control Lists) when showing you the list of users, groups and roles to share with? I didn’t until I accidentally read this in the ServiceNow documentation.
If you have ACLs set up that hide certain users, groups or roles from a user, I assume you do not want that user to suddenly see them when sharing a dashboard. To prevent this, take the following action.
Action: Set system property “glide.cms.dashboards.sharing_with_secure_search” to true.
This obviously adds some extra work for the platform, and it might slow down loading of the list. But I guess that is the price we pay for security everywhere in the platform.
Enforce column view access control for list reports
Have you ever configured “add_to_list” ACLs (Access Control Lists)? If not: those ACLs prevent users from adding a field to the list layout using the personalize feature. In some cases, you may decide to disallow that for reasons like:
a) The field is not really usable in list view, or it would cause performance issues (journal fields, for example).
b) The field is quite technical, and we do not want to offer it to users in lists (e.g., integration-related fields).
If you made the effort to configure this for normal lists, then it makes sense to have the same behavior for list reports. You may be as surprised as I was that this is not the default behavior. To have “add_to_list” ACLs applied to list reports, take the following action.
Action: Set the system property “glide.report.add_to_list_supported” to true.
Be aware that this does not impact existing reports. For more details, check out the documentation here.
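To check all three properties from the three actions above in one go, here is an added example (not code from the original post) that reads the sys_properties rows through the ServiceNow Table API and reports which ones are still on the insecure value or have no row at all. The instance URL, the basic-auth credentials, the environment variable names and the sample rows are assumptions; without credentials it audits the constructed sample.

```javascript
// Added example, not the post's code: audit the three reporting properties via
// the ServiceNow Table API. Instance URL, credentials, env var names are assumed.
const EXPECTED = { // secure values recommended in the post above
  'glide.report.published_reports.enabled': 'false',
  'glide.cms.dashboards.sharing_with_secure_search': 'true',
  'glide.report.add_to_list_supported': 'true',
};

// Constructed sample sys_properties rows for an offline run: one insecure, one
// correct, and add_to_list_supported missing (no row at all).
const SAMPLE_RECORDS = [
  { name: 'glide.report.published_reports.enabled', value: 'true' },
  { name: 'glide.cms.dashboards.sharing_with_secure_search', value: 'true' },
];

// Status per property: 'ok', 'insecure', or 'missing' (no row, so the platform
// default applies; on older instances that default may be insecure, check it).
function auditReportingProperties(records) {
  const byName = new Map(records.map((r) => [r.name, String(r.value).trim().toLowerCase()]));
  return Object.keys(EXPECTED).map((name) => {
    const expected = EXPECTED[name];
    if (!byName.has(name)) return { name, expected, actual: null, status: 'missing' };
    const actual = byName.get(name);
    return { name, expected, actual, status: actual === expected ? 'ok' : 'insecure' };
  });
}

// Read-only GET of the three rows with basic auth (caller needs read access on sys_properties).
async function fetchReportingProperties(instanceUrl, user, password) {
  const query = 'nameIN' + Object.keys(EXPECTED).join(',');
  const url = `${instanceUrl}/api/now/table/sys_properties?sysparm_fields=name,value` +
    `&sysparm_query=${encodeURIComponent(query)}`;
  const auth = Buffer.from(`${user}:${password}`).toString('base64');
  const res = await fetch(url, { headers: { Accept: 'application/json', Authorization: `Basic ${auth}` } });
  if (!res.ok) throw new Error(`Table API returned HTTP ${res.status}`);
  return (await res.json()).result;
}

const printFindings = (findings) => findings.forEach((f) =>
  console.log(`${f.status.padEnd(8)} ${f.name}: expected ${f.expected}, found ${f.actual ?? 'no row'}`));

// Live run only when SN_INSTANCE, SN_USER and SN_PASSWORD are set; otherwise audit the sample.
const { SN_INSTANCE, SN_USER, SN_PASSWORD } = process.env;
if (SN_INSTANCE && SN_USER && SN_PASSWORD) {
  fetchReportingProperties(SN_INSTANCE, SN_USER, SN_PASSWORD).then(printFindings)
    .catch((err) => { console.error(err.message); process.exitCode = 1; });
} else {
  printFindings(auditReportingProperties(SAMPLE_RECORDS));
}
```

A 'missing' result is not automatically safe: as the first tip explains, the default depends on the instance's age, so confirm the effective value in the instance before closing the finding.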