
Authentication and Authorization

Pallavi Gupta
December 7, 2023

When we visit any application or website, including ServiceNow, three things are important in the context of security.

  • Identity
  • Authentication
  • Authorization

These seemingly simple terms can cause an enterprise half of its security headaches. Let's quickly go over each definition and the steps ServiceNow takes to address it.

Identity - A unique set of attributes that identifies each user. This can include things like the user's name, email address, or anything else that establishes who you are.

Authentication - The process of verifying the identity a user claims. It may use methods like username and password, biometrics (fingerprint, facial recognition), smart cards, tokens, and multi-factor authentication (MFA).

Authorization - Authorization is the process of determining what actions or operations an authenticated user, device, or entity is allowed to perform within a computer system or network. Authorization ensures that even authenticated users only have access to the resources and actions that are appropriate for their role and level of privilege.

It would be a disaster if an end user were able to delete user records from ServiceNow or if everyone had the ability to raise an off-boarding request. That is why this topic is crucial. We don't want strangers to come into our house and we don’t want guests to go into our bedroom and look through our closets. 

Some of the methods ServiceNow employs for authentication are as follows:

  • Username and Password - This is the most basic form of authentication. Users provide a username and a secure password to verify their identity.
  • Multi-Factor Authentication (MFA) - Usernames and passwords have been around a long time, and on their own they are sometimes insufficient. To add an extra layer of security, ServiceNow supports multi-factor authentication.
  • LDAP/Active Directory - Organizations can integrate ServiceNow with LDAP or Active Directory, allowing users to log in with their existing corporate credentials.
  • SSO (Single Sign-On) - ServiceNow also supports SSO, enabling users to use a single set of credentials across multiple applications.

Once we have authenticated the user, and we know they are who they say they are, the next step is to determine what they have access to. It is crucial that we permit access to resources only based on their role and responsibilities within the organization. 

Following are some of the components used by ServiceNow for authorization. 

  • Roles - Roles are what dictate what a user can do within the platform. For example, an IT support technician may have a "Support" role, granting access to incident management but not system administration features.   

  • ACLs (Access Control Lists) - This is one level below the roles. Even if a user is granted permission to a table based on their role, we can fine-tune controls to specify what they can read, write, and delete. ACLs make it feasible. They let us define records or data that users can access and what operations they can perform on it. 

  • Groups - Groups are a way of organizing users, like assigning a common group to people with a shared purpose. We can assign roles to these groups and all their members inherit those permissions. For instance, we could create a group called 'Support' and permit them to access incident management modules.
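The roles, groups and ACL components described above, modelled as an added example in plain JavaScript. This is not ServiceNow's own code or API: the users, groups, role names ('support', 'admin'), tables and ACL entries are constructed sample data for the illustration. It shows the chain the text describes (group membership grants roles, ACLs map each table operation to the roles allowed), evaluates every request deny-by-default so an end user cannot delete user records, and records each decision in an audit trail of who tried what and when.

```javascript
// Added example, not ServiceNow code. All data below is constructed.

// Groups carry roles; every member of a group inherits the group's roles.
const groups = {
  "Support": ["support"],          // incident management, as in the text
  "Platform Admins": ["admin"],    // system administration
};

// Users: directly assigned roles plus group memberships.
const users = {
  alice: { roles: [], groups: ["Support"] },          // IT support technician
  bob:   { roles: [], groups: ["Platform Admins"] },  // administrator
  carol: { roles: [], groups: [] },                   // plain end user, no roles
};

// ACLs: one rule per (table, operation) naming the roles allowed.
// Any (table, operation) with no matching rule is denied: deny by default.
const acls = [
  { table: "incident", op: "read",   roles: ["support", "admin"] },
  { table: "incident", op: "write",  roles: ["support", "admin"] },
  { table: "incident", op: "delete", roles: ["admin"] },
  { table: "sys_user", op: "read",   roles: ["support", "admin"] },
  { table: "sys_user", op: "write",  roles: ["admin"] },
  { table: "sys_user", op: "delete", roles: ["admin"] },
];

// Effective roles = direct roles + roles inherited from each group.
function effectiveRoles(userId) {
  const user = users[userId];
  const roles = new Set();
  if (!user) return roles;                 // unknown user holds nothing
  for (const r of user.roles) roles.add(r);
  for (const g of user.groups) {
    for (const r of groups[g] || []) roles.add(r);
  }
  return roles;
}

// Audit trail: one entry per access decision (who, what, when, result).
const auditLog = [];

// Evaluate the ACL for (table, op). Returns true only when a rule exists
// for that operation and it lists a role the user actually holds.
function isAllowed(userId, table, op) {
  const roles = effectiveRoles(userId);
  const rule = acls.find(a => a.table === table && a.op === op);
  const allowed = rule !== undefined && rule.roles.some(r => roles.has(r));
  auditLog.push({
    at: new Date().toISOString(),
    userId, table, op,
    decision: allowed ? "allow" : "deny",
  });
  return allowed;
}

// Sample run: the scenario from the text, an end user trying to delete a user record.
console.log("carol delete sys_user:", isAllowed("carol", "sys_user", "delete"));
console.log("alice write incident:", isAllowed("alice", "incident", "write"));
console.log("alice delete incident:", isAllowed("alice", "incident", "delete"));
console.log("bob delete sys_user:", isAllowed("bob", "sys_user", "delete"));
```

The point to take from the model is the order of checks: identity is resolved to a set of effective roles first, then the ACL for the exact operation is consulted, and the absence of a rule is a denial rather than a pass. A real ServiceNow instance evaluates ACLs with its own engine; this block only reproduces the shape of that decision.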

The logic of this all makes sense - permit only genuine users to enter the system and allow them to access only what they need. Authentication and Authorization are super important to maintain the integrity of data and processes. By properly implementing authentication and authorization, the IT Service Management processes can run smoothly, improve security, and save a lot of money and headaches. 

The following points explain why authentication and authorization are important:

  • Data Security - Nothing is more important than data and nothing is worse than data in the hands of a malicious user. Properly implemented authentication prevents the risk of data breaches. 
  • Compliance - To meet strict compliance requirements, such as HIPAA and GDPR, organizations must have proper authentication and authorization.
  • Workflow efficiency - To achieve optimal organizational efficiency and streamline processes and workflows, it is crucial to assign appropriate roles and permissions. 
  • Auditability - Auditability would help with audits and investigations by allowing us to have logs that track who accessed what and when.

It's easy to become lost when there's so much information about what to implement and how. But some best practices can help us focus on what's important and keep our eyes on the prize. 

Some of the best practices in ServiceNow include the following:

  • Implement strong authentication policies.
  • Enforce strong password policies, asking users to change their passwords every few months, and including MFA to protect against unauthorized access. 
  • Review roles and permissions regularly. If the system is allowed to sit for a while, it can become stale. Review and update roles and groups regularly to align with organizational changes and security requirements.
  • Apply the principle of least privilege. This means that users should have the minimum access necessary to perform their tasks.
  • Test and monitor on an ongoing basis. Continuously monitor user activity and perform regular security testing so that vulnerabilities are identified before they are exploited.
  • Keep the platform updated. Ensure the ServiceNow platform runs the latest updates and patches to address security vulnerabilities.
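The "review roles and permissions regularly" and "least privilege" practices above, as an added example in plain JavaScript that is not ServiceNow's own code or tooling. It runs a periodic access review over a constructed export of user accounts and flags two things a reviewer would want to see: accounts that have not logged in within a threshold (stale access), and accounts holding a privileged role that their current group membership no longer justifies (privilege that drifted after an organizational change). The account records, the 90-day threshold, the review date and the rule that only the 'Platform Admins' group justifies 'admin' are all assumptions made for the illustration.

```javascript
// Added example, not ServiceNow code. All records and thresholds are constructed.

const REVIEW_DATE = new Date("2023-12-07T00:00:00Z");  // constructed "today"
const STALE_DAYS = 90;                                 // assumed policy threshold
const PRIVILEGED_ROLES = new Set(["admin"]);

// Which group memberships justify holding a given privileged role (assumed policy).
const groupsJustifying = {
  admin: new Set(["Platform Admins"]),
};

// Constructed sample export: one object per user account.
const accounts = [
  { user: "alice", roles: ["support"], groups: ["Support"],         lastLogin: "2023-12-01T09:00:00Z", active: true },
  { user: "bob",   roles: ["admin"],   groups: ["Platform Admins"], lastLogin: "2023-11-30T08:00:00Z", active: true },
  // dave moved from the admin team to Support months ago but kept the admin role
  { user: "dave",  roles: ["admin"],   groups: ["Support"],         lastLogin: "2023-06-01T00:00:00Z", active: true },
  // erin has not logged in since January
  { user: "erin",  roles: ["support"], groups: [],                  lastLogin: "2023-01-15T00:00:00Z", active: true },
  // frank is already deactivated, so the review skips him
  { user: "frank", roles: [],          groups: [],                  lastLogin: null,                   active: false },
];

// Whole days between an ISO timestamp and the review date.
function daysSince(iso, now) {
  return Math.floor((now.getTime() - Date.parse(iso)) / 86400000);
}

// Review every active account and return a list of findings.
// Each finding names the user, the issue type and a short detail string.
function reviewAccounts(list, now = REVIEW_DATE) {
  const findings = [];
  for (const a of list) {
    if (!a.active) continue;

    // Finding 1: stale access. A never-used account counts as stale.
    const idleDays = a.lastLogin === null ? Infinity : daysSince(a.lastLogin, now);
    if (idleDays > STALE_DAYS) {
      findings.push({ user: a.user, issue: "stale", detail: `${idleDays} days since last login` });
    }

    // Finding 2: privileged role not justified by any current group membership.
    for (const role of a.roles) {
      if (!PRIVILEGED_ROLES.has(role)) continue;
      const justified = a.groups.some(g => (groupsJustifying[role] || new Set()).has(g));
      if (!justified) {
        findings.push({ user: a.user, issue: "unjustified_privilege", detail: `holds ${role} outside ${[...groupsJustifying[role] || []].join(",")}` });
      }
    }
  }
  return findings;
}

// Sample run.
for (const f of reviewAccounts(accounts)) {
  console.log(`${f.user}: ${f.issue} (${f.detail})`);
}
```

In practice the input would be an export of user, role and group records from the instance, and each finding would become a ticket for the account owner's manager to confirm or revoke; the value of the script is that the review runs on a schedule instead of waiting for someone to notice that a role outlived its purpose.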

Authentication and authorization are the foundation of data security and user access control in ServiceNow. Understanding these concepts is essential for ServiceNow administrators and developers to configure the platform to meet the specific needs and security requirements of their organization. By implementing strong authentication and fine-tuning authorization, organizations can harness the full potential of the platform while safeguarding their data and operations. So, a solid knowledge of these topics is fundamental.

Written by
Pallavi Gupta
Boston, MA
Loves music so much she can work for lengthy periods while listening to anything. 1 part engineer, 1 part wanderer, 2 parts geek and 3 parts artist.