thank you all again once again thank you all for joining this session uh today we're the topic that we are going to cover is really around the granular access control or we call it ACL introduction to deny on L and query based ACLS uh this is one of the topic that is requested by uh our internal sales team and our customer as well as partners uh we didn't have a chance to cover one session uh through this platform privacy and the Security Academy session but finally this year we had some topic that we are going to give you guys a little bit overview details around what the ACL is and what we are trying to build and what we had so far as well I have very two special guests that I uh invited for this session to go over uh Derek and prig before I let them to introduce them themselves just quickly I want to introduce myself as well my name is fim I one of the opon product manager in platform security team I have been with service now for over 5 years I covered uh conversational interface virtual agent live agent and NL in the past and and two and a half years ago I transition to platform security team to build some uh security related products as well so IID like to pass it over to Derek to introduce himself and I'll pass it over to prti as well yeah Derek Borland I'm an outbound product manager on the platform security team I joined service now about o 7 months ago uh but have been in the security field in many different roles between product management vendor management um for going on 12 years now now that I just aged myself I will hand it over to pratique hello uh my name is prti B I'm the product manager for Access Control in service now my background is engineering I joined service now in 2018 so it's almost more than six years uh I came from engineering background uh switched to product management and love complex problem for all of you thank you PR thank you all for uh joining the session again and uh thank you Derek and PR for spending time to cover around the ACL especially what we're are doing so far and what our road map is going to look like in the future as well so if you haven't subscribed to our YouTube Channel please feel free to scan the QR code here or you can literally just type uh service net Community or you can type uh the platform privacy and security on our YouTube search box and You' be uh directed to our um the the channel where you can uh have amazing sessions not only around the security products that we cover but also all the the product areas that service now covers too so feel free to hit that subscribe button and ring the notification Bell if there's any new session edit or the the coming in the future you'd be notified with uh the key uh the sessions that we are going to cover as well but so far we have covered 14 sessions are all different security products that includes the Vault uh which is the premium products and bundled products around seven different uh the premium uh products that includes encryption data privacy uh zero trust access and some other uh the premium products as well and we covered uh the security Center uh the access analyzer and obviously this is one of the the ACLS that we are covering in that session as well so as a company we're publicly uh serving now is publicly traded uh company so we always start with the safe Harare uh the forward-looking statement we might talk about some of the things which might be in the road map or for our upcoming releases so if you're planning to purchase any of our products please talk to your sales team or account team to make sure that the product exists today is in the store uh so which is available for you to purchase uh before you making your uh make before you make any final purchasing decision as well with that I would like to let prti to kick up the sessions around ACLS yes thank you fat so as a part of today's agenda will'll be going over what exist today in the platform when it comes to access controls uh what's new in zanadu and then we will go the demo and then finally into Q&A uh we are happy to answer all the questions you guys have over here so with that uh let's see what we have within the platform today so all are familiar with the concept of ACL Access Control list it is a way to protect your resource it it allows you to Define who can access uh who can access the resource in what conditions and with complex scenarios you can even write a script so right now the current ACL model is allow ACL model that means you define the allow access to the data if these conditions are met now what are the conditions that you can control uh you can control the who that means you can Define the roles where you the user should have roles to in order to access the data or user should be part of the groups because groups also do the role assignment so user having one of the roles in the groups can access the data then the next is a security attribute this was a new feature released in Vancouver relas so it's a way to define uh non user uh non data context that means uh you can Define the user criteria or environment criteria to create a reusable component that you that you can use in multiple ACS what will be the example so let's say you have an example where user should be based in the location and should be coming from specific IP range right you can uh Define those things in a security attribute and then you can reuse that attribute across all ACL so any ACS that need to protect a data where a user is in the US uh us region and uh is coming from the specific IP range you can Define that as security attribute another classic example is also like if you want to protect all your data against authenticated access you def you create a security attribute is UN authenticated to false and then reuse it everywhere fourth is a data third is a data conditions uh data condition is a way to define like which on which uh which specific data you want to protect that means if you want to protect priority equal to one incident or priority equal to two incident or assent equal to to uh specific team right or assign assignment equal to HR for example if you want to protect HR data so data conditions help you define more uh context on the data that is that you want to protect uh fourth is a script which is more Advance uh we all been using a scripted ACL way to define the complex logic which will eventually return answer equal true or false which determines whether the access will be granted to this data or not um and we all we have also seen a query business rules being used as a as Access Control mechanism but it's not an access control feature it's a way to define your business logic but it's also working in in some of the way where uh you you create a business business rules to filter out data based on certain criteria for example u a a user belonging to Europe region should only access a Europe data right so you can create that as a business Rule and you can run it before uh query and upend that query queries into existing query so that it will filter out the data now what's what's new in zenu uh it's a denyl it's an explicit way of denying an access to the data up till now we all learned that up till now we have been creating allow VL that means allow access to the data if conditions are met this is exclusive way of denying meaning deny access to to the data unless conditions are met uh Den ACS are very powerful as it takes as it takes priority over allow AC that means if there is any deny ACL that denies the access to the data uh there is no allow ACL that can grant an access to that to the same data uh and if you have multiple Den ACLS on on the resource uh Den ACS are all ended together that means all the DS need to be uh passed uh in order to Grant have access to the data we recommend you guys to think about combin of allow ACLS and deny ACL that means you create a right access control strategy because these controls are complimentary to each other it's not a replacement so always think about creating a complimentary access control strategy using all these controls which which gives the right access to the right to now next is the query ACL this is also released as a part of zenu so we have released a two new operations uh in the ACL form which is query range and query match um up now you have been in defining who are allowed to read the data or who are allowed to write or update or delete the data right but this is one step going forward and saying explicit way of defining who can query the data user may have access to read the data but do we want to grant them an access to query the data for examp let's take an example where you have employee table right uh all admins are allowed to read employee data uh but only SSN number or address or personal email address is visible to HR admin so you create a field level ACL on on the on the table which hides which don't allows access to SSN for number on email address to admin but uh admin can quer data they can they can uh they can do a search operation they can build report on top of it so now with query ACL you can define whether you want to restrict even query for a user uh who are not HR admin so you create a query ACL which will restrict for phone number they will it will restrict greater than equal to less than equal to exact match equal to all the operations with with two new available query range and query match so again combination of all the ACs will give you right access control strategy on the platform and uh will protect the protect the data against uh unauthorized access so let's see how how this funel how this complimentary strategy look looks on the paper right so think about creating a a funnel which at each you are explicitly defining that what data you want to allow right so we recommend that you start with a deny and a non- contextual now what is contextual and non-contextual non-contextual ACL ACLS are the ACs which uh which do not need uh to understand the data that means it just purely resides based on the roles or security attributes but contextual ACS are AC which needs to rely on the data that means they need to understand they need to get the record first and determine whether they allowed uh whether that record is allowed uh to be accessed by user or not those are contextual ACM so we recommend you you all start with a des L non-contextual that means you can explicit say that don't give an access to user unless user has this roles which are non contextual and then move to contextual if you have a need which says deny access to the data unless these conditions are met and conditions can be where priority equal to one incident for example since deny access to Priority equal to one inent unless user is an IT admin so those are will the contextual ACL and now you have to explicit again Define the allow eacl which is explicit way of saying that who are allowed to access the data because deny does not say who are allowed to access the data it just says that deny access to this data unless these conditions are met but with allow faal you will explicitly Define that who are allowed to access access the data if conditions are met so always think about creating a creating a funnel at each layer you are you are defining the access uh and each layer grants a specific uh uh part of the data uh this is a guiding principle that we all Rec uh we recommend uh uh to all of you saying that now let's move to the more exciting part uh uh of of the webinar uh and it is demo so I will pass it to d uh to show the demo great thanks for saying it's going to be exciting because that puts a lot of pressure on me critique so let me go ahead and share my screen all right so what we're going to do is kind of walk through a couple highlevel use cases but but pretty common use cases for um both the deny unless and the query ACL so the first one we're going to go through is really limiting access or even denying access unless the user is part of a specific group so we'll go ahead and kick it off let's go ahead and just start with a new new ACL here uh what we're going to do is is really um limit but really remove access so we're going to use the read operation here we're going to use the deny unless um let's go we're going to do it for the CIS user table and then let's go ahead and enter the admin roll so the condition we want to use is really um they have to belong to the group that is the it admin group that means anybody else who is not included in that group won't have access to even read the table so let's go ahead and submit it and let's go ahead and see how that worked so we're going to impersonate a user uh the one person that we don't want access to really anything we're going to choose Michael Scott here if you all watch the office you know what I mean so let's go ahead and see what effect that has on the user table for Michael so as you can see it removes all access for you can't see anything it does give him a security constraints prevents access to this page so we can kind of see that that worked out so the next use case let's go ahead and walk through is really the the query ACL so what we're going to do is we're going to set up a new um ACL that really limits what you can query um by uh C certain um attributes that you have as a user so we're going to go create a new one here this time instead of doing read on the operation we're going to actually do the query range and then we're going to do a deny unless again we're going to do the same page this time but this time we're not going to do the whole page we're really going to focus on some specific colum column email so same as before we're going to kind of choose what uh security attribute we want to use so we want to make sure the group is it admin but now we're going to add one more um attribute which is going to be a role and we're going to really limit it to the Privacy admin role that way we can now control privacy admin really is the only one that can see emails so let's go ahead and submit that all right let's go ahead and impersonate another user this time we're going to use uh Nick glasses he is part of the it admin group but he does not have that privacy admin role so let's kind of see how that affects so we'll go to the user table this time we're going to do a quick filter we'll choose a field email let's let's do starts with s let's go ahead and run this and see how that ACL kind of fixs affects Nick there as you can see uh this is part of that query um ACL that we set up so it gives insufficient access uh for that query range but let's go ahead and check out a user that has both uh the Privacy admin and is part of the it admin group we're going to go to good old Toby [Music] flenderson and we're going to do the same same kind of clicks as Nick did to kind of see how it works let's go ahead and filter it again this time we'll choose the same field which will be Emo why is it not working there we go we'll do the same and let's go ahead and run it and as you can see Toby because meets those two security attributes of privacy admin and the um and being part of the it admin group he can do the query of email addresses and see the ones that begin with S so that is it for the demo as you can see there's a many different use cases and and many different ways you can use both of these the new functions for acl's and they are very powerful and very quite easy to use so I'll go ahead and end it back over to fott oh wow thank you thank you this is this is amazing so you know I'm a huge fan of live demo uh Derek I really appreciate it for showing all the what prti sumarized earlier on this demo as well it's really it's really cool to see that so this is one of the session that we had covered sowh so far for this year but in the in the past we had covered some the data privacy new features and zero trust access especially around access analyzer as well so if you really want to watch all those recordings feel free to type the the exact name that you see here on our YouTube channel or just uh you know just uh type platform on the security privacy and security and you would be directed to those uh the contents as well so we are talking about the access control today uh the the ACLS and then the next month we're going to be covering two different sessions one is for the security Center which is going to be cool and that's one of the high demand topic not only uh from our sales team but also from our customer as well of what's coming on the security Center for our upcoming releases um that we will go over uh with the product management team as well and we will be having another session called uh data management uh with our product success team uh as part of SE September so I'll uh send out the registration links with the posters and with the exact date uh once those sessions are uh the time is uh ready as well if you're planning to uh take a look at some of our product docu documentations and blog post uh some of our social media platform and what's we what we're publishing um whether if it's article or demo or some other content feel free to scan the QR code here that you're uh on the screen and You' be directed to the different the content so that you will see all different step bystep uh the process and documentations and some other messaging uh the product success guide uh as well so I am going to wait two more minutes uh before we wrap up the session if the the team or customer has some other questions feel free to ask your questions we're happy to answer here as well I think we have a few questions in the yeah we have Q&A so yeah yeah we have one I think we have four questions here uh Derek do you want to answer or do you want me to read it out loud first and then before you answer yeah so I'll go ahead and read them out loud so um the first one I'll I'll kind of address is so the query ACL demo prevents being able to query but they can still see emails in that list view that that's correct if you're just doing that security attribute you can add more of the data controls on it as well if you don't want that to be visible whenever they're seeing it so um that's that's kind of how we would handle that but from just a simple demo that I did yes they'll be able to see it but they won't be able to query it on that point yeah uh I would like I would just add one line over over there for that one uh to to in order to protect the emails being visible uh to the user uh you can create a field level ACL that will protect and protect the entire column uh we were just demoing how someone can be prot someone can protect the query part but yeah feel free to create a field level ACL and that will protect the column too all right next questions are these Baseline features or is an upgraded skew required like with Vault um this is just from my understanding PR this is just included with the current um a configurations and and capabilities yes uh no no additional uh cost uh it's out of box available it's free um it's part of the platform so no additional cost all right there's uh there's two more from Aron with all these new enhancement to the ACL setup can be avoid the message number of rows removed from this list by security constraints without a before query business rule so uh for that one we are coming up we are working on with uh we are working on a new concept and uh uh we'll we will we can share more details in a future Academy session but that will help you with uh number of rol removed and security constraint message uh it's similar to before query business rules uh but it's a it's a low code tool that where which you can which you can Define uh simply by by by using a condition Builder so we are working on the New Concept and we will share more details in upcoming upcoming Academy sessions all right and the last question is does export uh does export and count as a query um I don't know I have to check uh export is a specific event uh but I we can get there too oh Greg all right so we'll get back to you thank you PR Derek for the answer I will follow up with the the grag on this answer as uh for for this question as well uh after Pro and I uh we missed one of the question uh I think is there anything specific to observe here Behavior change why is in Zen are these new permissions be layered in over time and it isn't upgrade concern so these are uh there is no upgrade concern because these are new features it's up to you uh how you want to create it you can uh you can plan uh your road map and use this uh use this features to build U more stringent access control as per your need there will be some some ACLS which will be shipped out of box by service now using this two New Concept deny ACS and query ACS um but so it won't it won't affect any anything during upgrade thanks for I am going to wait two more minutes for other folks to to ask some questions before we wrap up this session Derek PR if you guys have any anything to add or if you guys want a summary uh or summarize a session just feel free to do so um I think last two SS uh from my side is like we are excited to release this uh all this new features and we are EXC we are like looking forward to see how how these features are adopted uh how these new features helps you solve your current use cases which and improve your life uh in terms of protecting the data we know it's tough when it comes to security so we are excited and we are looking forward to learn from all of you and there's seems like there's one last question uh Grant wants to confirm all the same features of ACLS are available for deny analy ACLS uh such as Des scripted or conditional based logic as well yes all the acl's features are available uh D ACL is just a new dcn type uh so on on the form you will you will see uh a new field called decision decision type and it will have two value allow if and deny less you will you will be able to use all the existing conditions that is that is part of ACL form all right so I don't see any other questions coming with that this summarizes our uh today's session around ACLS especially career based uh ACL which is coming as part of zanitor release and we will definitely touch base around other uh some other store releases or Yokohama releases if we have any other up uh features that's going to be available for you guys to uh for the demo or for some overview around ACL as well with that thank you all for joining till next time stay tuned and thank you prig and Derek for uh leading the session as well have a wonderful rest of your day bye-bye