…thoughts on ServiceNow and digital transformation

Post

ServiceNow Group Membership Audit Log for HRSD

Elsewhere in the platform, permissions are assigned using roles and role auditing is available OOB. In HRSD, however, groups are used to give permission to the COEs and, quite surprisingly, there isn’t any auditing OOB for group membership. This lack of auditing will give most IT security folks a heart attack, so to avoid that, here is a solution for auditing group membership on HR groups.

Business Rule

This BR inserts a record into the sys_audit table. It has to be in the global scope unless you want to change the cross-scope access on sys_audit

(function executeRule(current, previous /*null when async*/ ) {

	
	//inserts a record into the sys_audit table when a group member is added or removed
	//While role auditing could be used for this, if the group doesn't have a role, membership changes will not get audited.  This ensures that membership changes are always audited.

    var recordAction = ' ';
    if (current.operation() == 'insert') {
        recordAction = ' added to ';
    } else if (current.operation() == 'delete') {
        recordAction = ' removed from ';
    }

    var auditGR = new GlideRecord('sys_audit');
    auditGR.initialize();
    auditGR.setValue('tablename', 'sys_user_grmember');
    auditGR.setValue('user', gs.getUserName());
    auditGR.setValue('fieldname', 'user');
    auditGR.setValue('documentkey', current.group.sys_id.getDisplayValue()); //use the sys_id of the group so that the records are searchable from the group (there is a related list for this)
    auditGR.setValue('newvalue', current.user.user_name.getDisplayValue() + recordAction + current.group.getDisplayValue());
    auditGR.insert();


})(current, previous);

Relationship

It’s nice to be able to see the audit log from the group record.

(function refineQuery(current, parent) {

	current.addQuery('tablename','sys_user_grmember');
	current.addQuery('documentkey',parent.getUniqueValue());

})(current, parent);

Then you can add this as a related list in the group form. It’s best to create a view for HR groups so that you’re not hitting the sys_audit table unnecessarily for groups outside of HR.

It’s also nice to add the COE Security Policies related list to the view for HR groups .