DataSilosVAM 1.1.2

Welcome to DataSilosVAM. This scoped app contains specific extensions to the DataSilos scoped app for the Vaccine Administration Management product.

Features

  • Access to records in the following tables is restricted based on a user's association to a group and hence their association with one or more vaccination centers:
    1. sn_vaccine_sm_request
    2. sn_vaccine_sm_task
    3. sn_apptmnt_booking_appointment_booking
    4. csm_consumer_user
    5. sn_vaccine_sm_personal_info
  • Groups can be associated to a vaccination center.
  • Depending on the table, a different mechanism is used to determine the related vaccination center for a record. If more than one vaccination center can be determined, groups of multiple vaccination centers are added to the whitelist.

Disclaimer

DataSilosVAM is NOT an officially supported ServiceNow product.

DataSilosVAM does NOT come with any kind of warranty. If you use it, you own it!

System Requirements

Installation

To install the app follow these steps:

  1. To install DevTools create an account on GitHub (if not done already).
  2. Paris or later: Add credentials to access GitHub (Use "Basic Auth").
  3. Fork the repository https://github.com/saschawildgrube/servicenow-devtools.
  4. Go to Studio and import the DevTools application from source control.
  5. Fork the repository https://github.com/saschawildgrube/servicenow-datasilos.
  6. Go to Studio and import the DataSilos application from source control.
  7. Fork the repository https://github.com/saschawildgrube/servicenow-datasilos-vam.
  8. Go to Studio and import the DataSilosVAM application from source control.
  9. Set up ACLs according to the installation instructions in DataSilos/Start for the tables in scope. Note that you will need to use separate update sets to capture all changes, as the tables' ACLs reside in different scopes!
  10. Add this code to "x_snc_datasilos.GetConfig":
    config = x_snc_devtools.Merge(config,x_snc_datasilosvam.GetConfigBaseline());
  11. Add this code to "x_snc_datasilos.GetRelatedRecords":
    aRelatedRecords = aRelatedRecords.concat(x_snc_datasilosvam.GetRelatedRecords(record));
  12. Add this code to "x_snc_datasilos.IsTableActive":
    if (strTable == 'sn_apptmnt_booking_appointment_booking')
    {
    	if (x_snc_devtools.IsUserHasRoleExactly('sn_vaccine_sm.user') == true)
    	{
    		if (x_snc_devtools.IsUserHasRoleExactly('sn_vaccine_sm.manager') == false)
    		{
    			return false;
    		}
    	}
    }
  13. Two out-of-the-box business rules are defective:
    1. Vaccine booking is canceled
    2. Appointment Booking is Cancelled
    In both business rules, change the condition to "Activity state CHANGES TO Cancelled"!
  14. Add the "Vaccination Center" field to the "Group" form to enable users to configure a vaccination center for a group.
  15. Run the DataSilosVAM Test Suite.
  16. Assign the x_snc_datasilos.manager role to users who are in charge of operations.
  17. Assign the x_snc_datasilos.sentinel role to all users who should NOT be impacted by data segregation. Note that the manager role does NOT contain the sentinel role.
  18. Create groups for each vaccination center and associate these groups with vaccination centers.

Runbook

Incident models

Individual users complain about not being able to see specific records (like citizens, vaccination requests, tasks or appointments)

Symptoms
  • A user reports that they do not have access to a specific record.
  • After creating a new citizen, errors are being displayed or the just created citizen or request cannot be found.
Procedure:
  1. Identify the specific user record.
  2. Check if the user has the x_snc_datasilos.sentinel role. If so, the user should not be affected by DataSilosVAM filtering. The root cause is very likely somewhere else.
  3. Seek the record in the list view of the containing table using the DataSilos view.
  4. Identify the groups of that user.
  5. Identify the vaccine centers to which the user's groups are associated.
  6. Check the silo and group whitelist to see if the user's groups and associated silos match. Keep in mind that a user's group must be a "supervisor" group in a silo so that a user gets access via the silo whitelist.
  7. If the whitelisted silos or groups do not match expectations, the logic that populates the whitelists should be reviewed. Note that if a DataSilos extension sets the ghost field to true for a record, the default DataSilos whitelist population will not be applied.
  8. Check if the records are associated to the same vaccination center as the user (via their group).
  9. If at least one of the filtering factors (user reference fields, group whitelist, supervisor whitelist, global visibility) in combination with the security clearance level should allow the user to see the record, but the user cannot access the record, then it is very likely that other (non-DataSilos) related business rules or ACLs block the access to that record.
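
The decision order of the procedure above, as an added example (not part of DataSilosVAM or DataSilos): a plain JavaScript model that runs offline and reports which step explains a missing record. The object shapes, finding names and sample data are hypothetical and do not reflect the DataSilos schema; user reference fields, global visibility and the security clearance level are left out.

```javascript
// Offline model of the runbook triage order. Object shapes and finding names are
// hypothetical (not the DataSilos schema); only the role names come from the page.
const SENTINEL_ROLE = 'x_snc_datasilos.sentinel';

// user: {roles, groups}; groupCenters: {group: center};
// silos: {silo: {supervisorGroups}}; record: {center, groupWhitelist, siloWhitelist}
function triageAccess(user, groupCenters, silos, record) {
  // Step 2: sentinel users are not subject to filtering.
  if (user.roles.includes(SENTINEL_ROLE)) return 'sentinel-exempt: root cause is elsewhere';
  // Steps 4-5: the user's groups and the vaccination centers they map to.
  const centers = [...new Set(user.groups.map(g => groupCenters[g]).filter(Boolean))];
  if (centers.length === 0) return 'no-center: no group of the user has a vaccination center';
  // Step 6: direct group whitelist, or silo whitelist via a supervisor group.
  const viaGroup = record.groupWhitelist.some(g => user.groups.includes(g));
  const viaSilo = record.siloWhitelist.some(s =>
    ((silos[s] || {}).supervisorGroups || []).some(g => user.groups.includes(g)));
  // Step 9: DataSilos would allow access, so something else blocks it.
  if (viaGroup || viaSilo) return 'whitelisted: check non-DataSilos business rules and ACLs';
  // Step 8: the record belongs to a center the user is not attached to.
  if (!centers.includes(record.center)) return 'center-mismatch: record is at ' + record.center;
  // Step 7: same center, but the whitelists were not populated as expected.
  return 'whitelist-gap: review whitelist population (and the ghost field)';
}

// Constructed sample data.
const groupCenters = { 'VC North Staff': 'North', 'VC South Staff': 'South' };
const silos = { 'North Silo': { supervisorGroups: ['VC North Staff'] } };
const clinician = { roles: ['sn_vaccine_sm.user'], groups: ['VC North Staff'] };
const records = {
  south: { center: 'South', groupWhitelist: ['VC South Staff'], siloWhitelist: [] },
  northViaSilo: { center: 'North', groupWhitelist: [], siloWhitelist: ['North Silo'] },
  northEmpty: { center: 'North', groupWhitelist: [], siloWhitelist: [] },
};

for (const [name, rec] of Object.entries(records)) {
  console.log(name, '->', triageAccess(clinician, groupCenters, silos, rec));
}
```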

License

Copyright 2021 by Sascha Wildgrube

Licensed under the Apache License, Version 2.0 (the "License")

You may not use DevTools except in compliance with the License.

You may obtain a copy of the License at: https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Release Notes

1.1.2 - 2021-04-14

  1. DevTools 1.13.0 is now required.
  2. DataSilos 2.6.0 is now required.
  3. Added runbook section to documentation including a specific incident model.

1.1.1 - 2021-04-01

  1. When clinicians (with restricted visibility) created new users and appointments, not all related records were whitelisted. This has been corrected.

1.1.0 - 2021-03-31

  1. Added logic to whitelist new csm_consumer_user and sn_vaccine_sm_personal_info records when they are created by a user that is subject to data segregation. This is to avoid the effect that a user without global visibility cannot create new records because they are not yet associated to a vaccination center.
  2. Set execution order of business rule "DataSilos - sn_apptmnt_booking_appointme" to 10000.
  3. Added module for sys_user_group and display the vaccination centers in the list.
  4. Moved table modules into the "VAM" module.
  5. Added license information.

1.0.0 - 2021-03-27

First baselined version