ServiceNow Security Best Practices: Access Control and User Management

# ServiceNow Security Best Practices: Access Control and User Management

Security is a fundamental aspect of ServiceNow administration and a critical topic for CSA certification. This guide covers essential security concepts, access control mechanisms, and best practices for securing your ServiceNow instance.

Understanding ServiceNow Security Architecture

ServiceNow implements a multi-layered security model that controls access at various levels:

The Security Hierarchy

1. Application-level security: Controls access to entire applications

2. Table-level security: Restricts access to specific tables

3. Record-level security: Limits access to individual records

4. Field-level security: Controls visibility of specific fields

5. UI-level security: Manages UI elements and functionality

Access Control Lists (ACLs)

ACLs are the foundation of ServiceNow security, defining who can access what data and what operations they can perform.

ACL Types

Operation-based ACLs:

• **Create**: Control who can create new records
• **Read**: Define who can view records
• **Write**: Specify who can modify records
• **Delete**: Determine who can delete records
• **Execute**: Control who can execute scripts or operations

Table vs. Field ACLs:

• **Table ACLs**: Apply to entire tables
• **Field ACLs**: Control access to specific fields within tables
• **Field-level security**: Can be more restrictive than table-level

ACL Evaluation Process

ServiceNow evaluates ACLs in a specific order:

```

1. Field-level ACLs (most specific)

2. Table-level ACLs

3. Parent table ACLs (inherited)

4. Wildcard ACLs (least specific)

```

Important ACL Rules:

• ACLs are processed from most to least specific
• First matching ACL determines access
• Explicit deny (false) overrides allow (true)
• No matching ACL defaults to deny

Creating Effective ACLs

ACL Configuration Steps:

1. Navigate to System Security > Access Control (ACL)

2. Click "New" to create a new ACL

3. Select the type (Table or Field)

4. Choose the operation (read, write, create, delete)

5. Define the security rule using roles or conditions

6. Test thoroughly before deploying to production

ACL Best Practices:

• Use roles rather than explicit user references
• Document the business reason for each ACL
• Test ACLs with different user roles
• Avoid overly complex conditions
• Regular audit of ACL effectiveness

ServiceNow Roles and User Management

Role-Based Access Control (RBAC)

ServiceNow uses roles to group permissions and assign them to users efficiently.

Common ServiceNow Roles:

• **admin**: Full system administrator access
• **itil**: General ITIL user access
• **user_admin**: User administration capabilities
• **catalog_admin**: Service catalog management
• **report_admin**: Reporting administration
• **security_admin**: Security configuration access

Role Hierarchy

Roles can inherit from other roles, creating a hierarchy:

```

admin (inherits from all roles)

├── itil_admin

│ └── itil

├── user_admin

└── security_admin

```

Benefits of Role Hierarchy:

• Reduces redundancy in role assignment
• Simplifies permission management
• Ensures consistency across similar roles
• Easier to maintain and audit

Creating Custom Roles

When to Create Custom Roles:

• Standard roles don't match business requirements
• Need specific combinations of permissions
• Implementing least privilege principle
• Supporting unique organizational structure

Custom Role Best Practices:

• Use clear, descriptive role names (e.g., "procurement_approver")
• Document role purpose and permissions
• Inherit from existing roles when appropriate
• Regularly review and update role assignments
• Test roles in sub-production environments first

User Management Best Practices

User Provisioning

Automated User Provisioning:

• Integrate with Active Directory/LDAP
• Use SSO (Single Sign-On) for authentication
• Implement Just-In-Time (JIT) provisioning
• Automate role assignment based on attributes
• Sync user data regularly

Manual User Creation:

1. Navigate to User Administration > Users

2. Click "New" to create a user

3. Fill in required fields (Name, Email, User ID)

4. Assign appropriate roles

5. Set time zone and language preferences

6. Configure authentication method

User Lifecycle Management

Onboarding:

• Create user accounts promptly
• Assign appropriate roles based on job function
• Provide training and access to documentation
• Set up necessary group memberships
• Configure notifications and preferences

Role Changes:

• Update roles when users change positions
• Remove unnecessary permissions immediately
• Document role change requests
• Audit role assignments regularly

Offboarding:

• Deactivate users who leave the organization
• Don't delete user records (preserve audit history)
• Remove sensitive role assignments first
• Transfer record ownership if necessary
• Document the offboarding process

Groups and Team Management

ServiceNow Groups

Groups organize users for assignment, notification, and access control purposes.

Common Group Types:

• **Assignment groups**: For work distribution
• **Approval groups**: For approval workflows
• **Notification groups**: For alert distribution
• **Security groups**: For access control

Group Configuration:

• Clear naming conventions (e.g., "IT_Helpdesk_Team")
• Assign appropriate managers
• Define group email addresses
• Set default assignment rules
• Regular membership reviews

Group Membership

Static Membership:

• Manually add/remove users
• Full control over group composition
• Requires ongoing maintenance

Dynamic Membership:

• Rules-based automatic membership
• Updates automatically based on user attributes
• Reduces administrative overhead
• Requires careful rule configuration

Security Best Practices for CSA

1. Principle of Least Privilege

Grant users only the minimum access needed to perform their job functions.

Implementation:

• Start with minimal permissions
• Add permissions as needed and requested
• Regularly audit user permissions
• Remove unnecessary access promptly
• Document exception requests

2. Separation of Duties

Prevent conflicts of interest by separating critical functions.

Examples:

• Separate change creation from approval
• Different users for problem creation and resolution
• Split configuration from operational access
• Divide financial approval authorities

3. Regular Security Audits

What to Audit:

• User role assignments
• ACL effectiveness
• Admin account usage
• Elevated permission grants
• Security configuration changes
• Authentication logs

Audit Frequency:

• User access reviews: Quarterly
• Role assignments: Monthly
• ACL configuration: Semi-annually
• Security incidents: Immediately
• Compliance requirements: As mandated

4. Secure Development Practices

Configuration Security:

• Use update sets for change management
• Test security changes in sub-production
• Document security configurations
• Version control for custom applications
• Code review for security implications

Script Security:

• Avoid hardcoded credentials
• Use encrypted password fields
• Validate user inputs
• Implement proper error handling
• Follow secure coding guidelines

5. Authentication and Session Management

Authentication Best Practices:

• Implement multi-factor authentication (MFA)
• Use SSO integration when possible
• Enforce strong password policies
• Configure session timeout appropriately
• Monitor failed login attempts

Password Policies:

• Minimum length: 12+ characters
• Complexity requirements: Mixed case, numbers, symbols
• Password expiration: 60-90 days
• Prevent password reuse
• Account lockout after failed attempts

Elevated Privilege Management

Elevated Roles

Some operations require elevated privileges beyond normal roles.

Managing Elevated Access:

• **security_admin**: For security configuration
• **admin**: For system-wide changes
• **maint**: For maintenance mode operations

Best Practices:

• Limit the number of admin accounts
• Use secondary admin accounts (not day-to-day accounts)
• Enable MFA for admin accounts
• Log and monitor admin activities
• Temporary privilege elevation when needed

Impersonation

Impersonation allows administrators to view ServiceNow as another user.

Impersonation Use Cases:

• Troubleshooting user-specific issues
• Testing security configurations
• Verifying user permissions
• Demonstrating platform functionality

Impersonation Security:

• Requires elevated privileges (impersonator role)
• All actions logged with impersonator and impersonated user
• Should be time-limited
• Document business justification
• Regular audit of impersonation logs

Data Protection and Privacy

Personally Identifiable Information (PII)

Protecting PII in ServiceNow:

• Identify fields containing PII
• Implement field-level encryption
• Use ACLs to restrict PII access
• Data masking for non-production instances
• Comply with GDPR, CCPA, and other regulations

Data Classification:

• **Public**: No sensitivity restrictions
• **Internal**: For internal use only
• **Confidential**: Restricted to authorized personnel
• **Restricted**: Highest level of protection

Data Encryption

ServiceNow Encryption Features:

• **Edge encryption**: Protects sensitive fields at rest
• **Password encryption**: Automatic password field protection
• **TLS/SSL**: Encrypts data in transit
• **Database encryption**: Platform-level encryption

Encryption Best Practices:

• Encrypt all sensitive data fields
• Protect encryption keys appropriately
• Regular key rotation
• Test encryption/decryption processes
• Document encrypted fields

Security for CSA Exam Success

Key Security Concepts for CSA

1. ACL Structure: Understand table, field, and operation ACLs

2. Role Hierarchy: Know how roles inherit permissions

3. User Management: Master user creation and lifecycle

4. Group Types: Understand different group purposes

5. Security Best Practices: Apply least privilege principle

Common CSA Security Questions

• How ACLs are evaluated and prioritized
• Creating and managing roles effectively
• User provisioning and deactivation processes
• Group membership and assignment
• Impersonation and elevated privileges

Hands-On Security Practice

Practice Tasks:

1. Create custom ACLs for tables and fields

2. Design role hierarchy for an organization

3. Set up dynamic group membership rules

4. Configure user authentication settings

5. Test security with different user personas

6. Audit existing security configurations

Common Security Mistakes to Avoid

1. Overly Permissive ACLs

• Granting excessive read/write access
• Using wildcard ACLs too broadly
• Not testing ACLs thoroughly

2. Role Assignment Issues

• Assigning admin role unnecessarily
• Not removing old role assignments
• Conflicting role combinations

3. Poor User Management

• Not deactivating users promptly
• Deleting users instead of deactivating
• Inadequate user documentation

4. Weak Password Policies

• Short minimum password length
• No complexity requirements
• Infrequent password changes

5. Insufficient Auditing

• Not reviewing security logs
• Missing unusual access patterns
• No periodic access reviews

Security Monitoring and Incident Response

Security Monitoring

What to Monitor:

• Failed login attempts
• Privilege escalations
• ACL modifications
• Role assignment changes
• Impersonation activities
• Data export operations

Monitoring Tools:

• Security dashboard widgets
• Scheduled security reports
• Real-time alerts for critical events
• Log analysis and correlation
• Third-party SIEM integration

Incident Response

Security Incident Process:

1. Detection: Identify potential security issue

2. Analysis: Investigate scope and impact

3. Containment: Limit damage and prevent spread

4. Remediation: Fix vulnerability or remove threat

5. Recovery: Restore normal operations

6. Lessons Learned: Document and improve

Compliance and Governance

Regulatory Compliance

Common Frameworks:

• **SOC 2**: Security controls and processes
• **ISO 27001**: Information security management
• **HIPAA**: Healthcare data protection
• **PCI DSS**: Payment card data security
• **GDPR**: EU data privacy regulation

ServiceNow Compliance Features:

• Audit logging and reporting
• Data retention policies
• Access certification
• Segregation of duties
• Compliance dashboards

Security Governance

Governance Framework:

• Security policies and standards
• Change control procedures
• Access review processes
• Security training programs
• Incident response plans

Documentation Requirements:

• Security architecture diagrams
• ACL and role documentation
• User access procedures
• Security incident reports
• Compliance audit evidence

Conclusion

Security is not just about passing the CSA exam—it's about protecting your organization's data and systems. A strong understanding of ServiceNow security principles will make you a more effective administrator and a valuable asset to your organization.

Key Security Takeaways:

• Master ACLs and role-based access control
• Apply the principle of least privilege consistently
• Implement regular security audits and reviews
• Follow secure development and configuration practices
• Stay current with security best practices and updates
• Practice security concepts in your PDI environment

CSA Exam Preparation:

• Understand ACL evaluation order and precedence
• Know how to create and manage roles effectively
• Master user and group management processes
• Practice with security configuration scenarios
• Review security best practices documentation

By following these security best practices and mastering ServiceNow's security features, you'll be well-prepared for the CSA exam and ready to implement secure, compliant ServiceNow solutions in your organization.