Make report data visible to all users irrespective of user roles


Description

The requirement is to make all records in a report visible to all users, irrespective of their assigned roles.

Example: Create a report named 'read_all'.

User A (Admin role) should be able to see all records in the report 'read_all' (say, User A sees 50 records).

User B (ITIL role) should be able to see all records in the report 'read_all' (User B should also be able to see 50 records).

Instructions

Follow the steps below to reproduce this behaviour. The steps are shown for the table 'incident'.

  1. Log in to your OOTB (out-of-the-box) instance with the default [maint,admin,itil] role.
  2. Navigate to View / Run and create a report 'read_all' on table 'incident' 
  3. Save the report and Run the report. Note the number of records displayed when you run the report.
  4. Go to Share Settings and share the report to 'Everyone'. No need to provide any role for 'Everyone'. Leave the role field as blank.
  5. Save the report.
  6. Navigate to ACL
  7. Create a new ACL by clicking on New 
    1. Type -> Record
    2. Operation -> Read
    3. Name -> Incident (table)
    4. Leave remaining fields as default
    5. Do not add any role (Under Requires Role) for this ACL
    6. Submit the ACL
  8. Now impersonate any other non-admin user (a user with the itil role)
  9. Navigate to sys_report.list and search for the report 'read_all' 
  10. The impersonated user should be able to see all the records. The record count for the admin user should be the same as for the impersonated user.

Additional Information

1. Sharing by user, group, or role is the primary method of sharing reports. You can use access control lists (ACLs) to control access to the underlying table or database view data. Users are able to view reports even when they do not have access rights to a data record in a data source or source table of a report. However, they are not able to see that record in a list view or in a drill-down view. Database-view-list reports require the reporting user to satisfy ACLs on the target data to view records in the list. Users without sufficient permissions see filtered list reports.

https://docs.servicenow.com/csh?topicname=c_DistributeReports.html&version=latest

2. ACLs for a table do not propagate to database views based on that table. Database views require separate ACLs.

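3. Creating an ACL with no roles may impact the security and integrity of the records. With no required role, the ACL does not limit read access by role, so the change affects everyone who can reach the 'incident' table, not only viewers of the report.

4. It is always a best practice to implement this solution first in SUB-PROD and observe the behaviour for at least a few days with multiple users.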
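
A check for the condition described in point 3, as an added example that is not part of the original article and not ServiceNow's own code: it flags active table-level read ACLs that list no required role. The input is assumed to be rows exported from the sys_security_acl and sys_security_acl_role tables with reference fields flattened to plain strings; the sample rows, sys_ids and the function name are constructed for illustration.

```javascript
// Constructed sample rows, shaped like flattened exports of sys_security_acl
// and sys_security_acl_role (sys_ids and values are made up for illustration).
const sampleAcls = [
  { sys_id: 'acl1', name: 'incident', type: 'record', operation: 'read', active: 'true', condition: '', script: '' },
  { sys_id: 'acl2', name: 'incident', type: 'record', operation: 'read', active: 'true', condition: '', script: '' },
  { sys_id: 'acl3', name: 'incident', type: 'record', operation: 'write', active: 'true', condition: '', script: '' },
  { sys_id: 'acl4', name: 'incident', type: 'record', operation: 'read', active: 'true', condition: 'active=true', script: '' },
  { sys_id: 'acl5', name: 'incident', type: 'record', operation: 'read', active: 'false', condition: '', script: '' },
  { sys_id: 'acl6', name: 'problem', type: 'record', operation: 'read', active: 'true', condition: '', script: '' },
];
const sampleAclRoles = [
  { sys_security_acl: 'acl1', sys_user_role: 'itil' },
  { sys_security_acl: 'acl3', sys_user_role: 'itil' },
];

// Return active table-level read ACLs on `table` that have no required role.
// `unconditional` is true when the rule also has no condition and no script,
// so nothing on the rule narrows who passes it.
function findRolelessReadAcls(acls, aclRoles, table) {
  const withRoles = new Set(aclRoles.map((r) => r.sys_security_acl));
  const isBlank = (v) => v === undefined || v === null || String(v).trim() === '';
  return acls
    .filter((a) => String(a.active) === 'true')
    .filter((a) => String(a.type).toLowerCase() === 'record')
    .filter((a) => String(a.operation).toLowerCase() === 'read')
    .filter((a) => a.name === table)
    .filter((a) => !withRoles.has(a.sys_id))
    .map((a) => ({
      sys_id: a.sys_id,
      name: a.name,
      unconditional: isBlank(a.condition) && isBlank(a.script),
    }));
}

// Print the findings for the table used in the steps above.
for (const f of findRolelessReadAcls(sampleAcls, sampleAclRoles, 'incident')) {
  console.log(`${f.name} read ACL ${f.sys_id}: no role required, unconditional=${f.unconditional}`);
}
```

Rules reported with `unconditional` set to true are the ones to review first, since the ACL created in step 7 has exactly that shape.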