Category: Partners

What It Means To Be CREST (Intl) Accredited

Anyone with a computer and an Internet connection can set themselves up as a penetration testing or cyber incident response service provider.  These could include irresponsible organisations that do not have in place policies, processes and procedures to ensure quality of service and protection of client based information.  The individuals employed by these companies may have no demonstrable skill, knowledge or competence in the provision of security testing.

CREST is an International not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST requires a rigorous assessment of business processes, data security and security testing framework to demonstrate a level of assurance that the information security methodologies used can competently and securely provide customers with a robust assessment of their cyber security posture.

As a result, CREST only provides accreditation to highly trusted professional services organisations, and their employees who provide the often sensitive and high-risk penetration testing, cyber incident response, threat intelligence and security operations centre services.

All CREST accredited member companies are required to submit policies, processes and procedures relating to their service provision to provide added assurance for the buying community.  These policies, processes and procedures include:

  • References for certified individuals
  • Assignment preparation and scope processes
  • Assignment execution processes
  • Technical methodology
  • Reporting templates
  • Data storage and Information Sharing policies
  • Post technical delivery methodologies
  • Asset/Information/Document storage, retention and destruction processes

The buying community needs to be in a position where it can procure services from a trusted company with access to demonstrably professional technical security staff.  CREST provides the buying community with a clear indication of the quality of the organisation and the technical capability of staff they employ.

JDS is a proud CREST (Intl) accredited member company who can confidently provide our customers the added reassurance that our services meet the highest professional and security standards.

Five Reasons Why Your Organisation Should Be Penetration Testing

Modern businesses require an advanced approach to security and due diligence.  Having anti-virus software and a firewall is no longer an efficient strategy to prevent highly sophisticated security attacks which can result in irreversible damage to your organisation.

A professional penetration testing service is the best way to identify the strengths, weaknesses and holes in your defences.  Read on to uncover the five best reasons why your organisation needs penetration testing.

1. Protect Your Organisation From Cyber Attacks

Reports of cyber crime within Australia have increased nearly 15% each year since 2019, with the average reported financial loss per successful cybercrime incident being $50,673. Regardless of your organisational size or sector, cyber criminals view every business as a potentially exploitable prospect. The internet is continuously being scanned in search of vulnerable systems.  Carrying out penetration tests will enable you to identify vulnerabilities that are most likely to be exploited, determine what the potential impact could be, and enable you to implement measures to mitigate or eliminate the threat.     

2. Identify and Prioritise Vulnerabilities

Put simply, a pen test will uncover all of the potential threats and vulnerabilities that could damage your organisation’s IT assets.  The resulting report prioritises these vulnerabilities from low to critical, and further categorises them by likelihood and impact.  This gives your team a clear picture of your security posture, and the opportunity to mitigate the greatest threats first before moving on to less risky ones.

3. Stay Compliant With Security Standards and Regulations

Regular penetration testing can help you to comply with security standards and regulations such as ISO 27001 and PCI.  These standards require company managers and system owners to conduct regular penetration tests and security audits to demonstrate ongoing due diligence and maintenance of required security controls. Not only does pen testing identify potential vulnerabilities, ensuring that you are protecting your customers and assets, but it also helps to avoid costly fines and fees connected with non-compliance. 

4. Reduce Financial Losses and Downtime

Recent studies have reported that the average financial impact of a major data breach in Australia is around $3.7million per incident.  This takes into account expenditures on customer data protection programs, regulatory fines, and loss of revenue due to business operability.  System downtime is incredibly costly – the longer your system is down, the more exorbitant the cost.  A penetration test is a proactive solution to highlight and fix your system’s most critical vulnerabilities, and ensure your team are ready to act if your systems were to go down unexpectedly. 

5. Protect Your Reputation and Company Loyalty

Consumers are extremely quick to lose trust in companies and brands, and all it takes is one security breach or data leak to tarnish your reputation.  Customers and partners of your organisation want to know that their private data is safe in your hands, so it is in your best interest to be aware of any vulnerabilities which may put the company’s reputation and reliability in jeopardy.  

This is just a handful of reasons why organisations should carry out regular penetration tests, but there are many more.  Connect with JDS to discuss your pen testing needs and get a full scope of work customised to your requirements.

JDS and the GO Foundation

The Go Foundation is an inspiring organisation empowering young Indigenous Australians by providing scholarships from primary school through to University.

Co-founded by Adam Goodes and Michael O’Loughlin in 2009, the foundation offers mentoring, leadership, networks and support to GO students on their journey to employment.

JDS is immensely proud to have committed to donating $30k to the GO Foundation over the next three years.

It is an organisation that really resonates, as we recognise the vital importance of ensuring that all Australians have equal opportunity to participate socially, culturally and economically.

Extensive research has revealed that the completion of further education by Indigenous Australians can lead to increased earning capacity, greater employment opportunities, improved health and wellbeing outcomes, and reduced interaction with the justice system. The benefits that can come from Indigenous Australians going further beyond high school with their education can stretch beyond improving and enriching the lives of Indigenous communities – they can benefit everyone.

Positive enabling factors that are likely to increase Indigenous participation in further education include enhancing the quality of school experience for Indigenous students to ensure that culture is recognised, and the aspirations of each student is developed. Additionally, providing access to career advice and guidance, and information on the various choices and pathways available for Indigenous students is linked to increasing the quality of the school experience for Indigenous Australians.

The GO Foundation’s scholarship program provides financial assistance, tools and resources for Indigenous students to ensure their journey through school is rich and rewarding, and a broad range of career options, work experience and paid internships ensures the assistance continues well after the scholarship has ended.    

We hope that by dedicating our long-term support, we are contributing to generational change and opportunities for many students for many years to come.

JDS Security

We take a methodical, risk-based approach to security testing, monitoring, and management so you can be rest assured that your data and business assets are secure.  JDS uses proactive, detailed and industry-best practice threat intelligence to increase your organisations resilience against cyber threats.


Web Application Penetration Testing

Web application penetration testing at JDS is based on the industry-recognised Open Web Application Security Project (OWASP) Application Security Verification Standard. We take a methodical, risk-based approach to testing your applications, evaluating the security posture of your platform, enabling you to identify, eliminate and further prevent security risks within your critical business applications



API Penetration Testing

According to Gartner, in 2022, exploiting APIs will be the most common attack vector for data breaches within enterprise web applications. Our skilled JDS Security team will assess how your API’s could be abused, how authorisation and authentication could be bypassed, and a perform a number of tests in attempt to reveal any existing security vulnerabilities.



Security Monitoring

As a Splunk Elite Partner, JDS leverages our expertise to implement SIEM software Splunk Enterprise Security (Splunk ES) to monitor your organisation’s activities and meet your security audit and compliance requirements.

Network Penetration Testing

JDS can perform an in-depth security assessment of your corporate network perimeter (both internal & external) using automated tools and manual techniques. Our security professionals will emulate the methods that a malicious actor might use to attack your network, exploiting weaknesses in operating systems or networks, to gain access to your organisation’s secure data and “crown jewels”.




Cloud Security Compliance Audits

As more organisations migrate their sensitive information and services to cloud environments, it is critical to consider the impact on privacy, security and compliance efforts. The JDS Cloud Security Compliance Audit will provide essential insight into your cloud security for full regulatory compliance.



Vulnerability Management

JDS can assist with organising tedious and complex vulnerability findings to provide effective prioritisation and remediations for complete visibility of your network and infrastructure.


CREST (Intl) ACCREDITATION

CREST is a not-for-profit accreditation and certification body that represents and supports the technical information security market.
After being independently assessed to demonstrate proficiency and compliance in the knowledge and delivery of Penetration Testing, JDS Australia has been recognised with Crest (International) accreditation.  
CREST requires a rigorous assessment of business processes, data security, and security testing framework to demonstrate a level of assurance that the information security methodologies used can competently and securely provide customers with a robust assessment of their cyber security posture. As a result, CREST only provides accreditation to highly trusted professional services organisations, and their employees who provide the often sensitive and high-risk penetration testing, cyber incident response, threat intelligence and security operations centre services.
Becoming a CREST accredited member company validates the level of confidence that customers will experience when working with JDS, a highly skilled and trustworthy Australian organisation.

Mastering Modal Dialog Boxes

Modal Dialog boxes are a great way to enhance the user experience and provide more detailed feedback to users than a default browser popup.

Recently, we had a challenging set of requirements from a customer. They needed a bunch of mandatory fields (easy enough with UI Policies) but there was a twist—they needed:

  • Fields that were mandatory ONLY if the person wanted to send the record for approval
  • Four fields but ONLY one of the four is mandatory (ie, put data in any one field and all four are good to go)
  • There had to be at least one record in a related list

Modal dialogs are awesome!

We developed a simple approval dialog box for a UI action to cater to these requirements. It’s a good example of how complex requirements can be distilled into a simple solution.

Have fun and happy coding!

Understanding your Customer Journeys in Salesforce with AppDynamics

The Problem

JDS Australia works with numerous customers who utilise the force.com platform as the primary interface for their end users (internal and external) to execute business critical services. The flexibility and extensibility of the component based Lightning framework has allowed businesses to customise the platform to meet their specific requirements.

However, many of these companies struggle to monitor, quantify or pinpoint the impact of performance in the Salesforce platform to their end users and ultimately their business. Furthermore, there is limited capability to provide detailed Salesforce information for root cause analysis (e.g. is the problem with a particular lightning component(s) vs core Salesforce platform vs multiple pages?).

The Solution

Using AppDynamics Real User Browser Monitoring (RUM) coupled with advanced JavaScript configuration, we have created a solution.

Unlike traditional methods involving logfile or API based monitoring; real user monitoring collects rich metrics from the end users’ perspective. JDS has also further integrated  additional custom code to identify AJAX requests and inject page names into the stream and provide business context and make sense of the data.

Dashboards provide Salesforce Performance at a glance

Additionally, AppDynamics RUM is able to identify and dynamically visualise each step of Customer Journeys as they traverse Salesforce, in near real time. 

Using the collated metrics these businesses have been able to proactively alert support teams of issues, and also utilise the historic data to analyse customer behaviour to understand how customers are using the platform. For example, expected user journeys vs actual user journeys.

AppDynamics RUM captures detailed diagnostic information to help triage issues, including:

  • Single Page Application performance
  • Page Component load details, 
  • AJAX requests, 
  • Detailed Error Snapshots
  • Dynamic Business Transaction Baselining (Normal vs Slow Performance)
  • User browser version and device type,
  • Geographic location of users,
  • Connection method (e.g. browser vs mobile), and device type. 

AppDynamics RUM can also provide direct correlation to AppDynamics APM agents to combine the ‘front-end’ and ‘back-end’ of these user sessions where Salesforce may traverse additional down-stream applications and infrastructure.

Why JDS?

As experts in Application Performance Management (APM) and Observability, JDS have extensive experience in helping our customers determine the root cause of performance issues.

Contact us at [email protected] to discuss how monitoring Salesforce can be used to understand your end users and make informed decisions with quantifiable metrics. 

5 Ways uberAgent Measures Your Employee Digital Experience

Measuring employee digital experience is a great way to assess how well your systems are performing. With the move to working from home there is now greater importance in making sure your IT services can support multiple device types and varying network conditions. This scenario is where uberAgent shines.

uberAgent is a user experience monitoring and endpoint security analytics product that integrates with your Splunk environment. uberAgent provides rich details on user experience whether they are on a Mac, PC, Surface, or virtual desktop like Citrix or VMware.

Here are 5 ways uberAgent can help you evaluate your employees’ end-user experience – and troubleshoot any issues.

Logon Monitoring

A logon is your first chance to make a good impression. No one likes to wait, so when users start to complain of slow logon times you need access to everyone’s details to understand what is going on. uberAgent for Splunk captures everything you will need, giving you everyone’s logon time, and where that time is being spent. You can review the details for a group of users, or drill-down to one specific user.

Logon time is broken down by the shell startup, group policy processing, profile loading, and group policy and AD logon scripts. You can compare users with different characteristics to help identify where time is being spent. If your group policy is taking too long for some users, you can drill down to see how much time each policy is taking. 

Logon Monitoring dashboard

Application Usage

Measuring the user experience of applications can benefit both application owners and end users. If users are reporting slow performance, it is important to understand what is happening on the system. Is performance poor due to the user’s memory or CPU? Is storage or bad network connectivity the issue? Could it be slow because of the many tabs open in their web browser? Or is the issue firmly with the application?

uberAgent will give you a clear picture of what is happening on each user’s device. Comparing all users can provide insights into how applications are performing throughout the day. You can view details about crashes, load times, memory/CPU/disk usage, network connectivity problems, and even understand how often the app freezes.

There are many other benefits to getting a full catalog of deployed applications. uberAgent tells you which applications are installed, and which of those are used. You can understand how many licenses will be needed for an application, and plan purchases and upgrades around usage.

Application Performance dashboard

Network Monitoring

A user’s internet connection can play a large role in the perceived performance of applications.  When users are working remotely, they may not always have access to high-speed internet connections. With uberAgent’s network monitoring capability you can easily see how much data is being transferred, to where, and exactly how long that took. Built in dashboards can show you connectivity issues broken down by user or application. You can separate latency issues in Citrix sessions and latency in Citrix hosted applications, helping identify if the user’s connection or an issue at the data centre is the cause.

Network Communications dashboard

Browser Application Experience

With the shift to cloud and web-based UIs, it is important to include web application performance in measuring overall user experience. With plugins for Internet Explorer, Firefox, and Chrome, uberAgent can delve into the browser experience without needing any code changes to the monitored apps.

Details about page load times, render time, network communications, errors, and more are available by application or web page. Measure the performance of web-based apps whether they are hosted internally or available in the cloud.

The light-weight plugin is a trusted solution with over 600,000 downloads in the Chrome store.

Browser App Performance dashboard

Experience Score Dashboard

Individual metrics are useful for troubleshooting individual issues. To get a clear picture of the overall user experience, uberAgent creates a single user experience score. The experience score is a single view that shows the current and past status of all devices, applications, and users monitored by uberAgent. It allows for proactive monitoring of your environment, reducing downtimes and costs.

The trend of this score can let you know how the user experience is going, and allow you to compare scores across different days, users, or applications.

The experience score dashboard calculates and visualises experience scores for the entire userbase, breaking the data down by category and component, highlighting components where potential issues are originating from. The dashboard also provides quick access to important KPIs like logon duration, application responsiveness, and application errors.

Experience Score dashboard

These five benefits are just the start – uberAgent has many more features built in. With the flexibility of the Splunk platform you can even extend the dashboards, alerts, and reports to suit your own requirements.

JDS has extensive experience successfully configuring uberAgent for our customers. JDS is a gold partner of uberAgent, so we can install, configure, and provide you with licenses. If you would like to take advantage of the impressive user experience monitoring capability of uberAgent, get in touch with JDS today.

Implementing Salesforce monitoring in Splunk

The problem

A JDS customer embarked on a project to implement Salesforce to provide their users a single user interface to fulfil their customer needs.  Their aim, to make the interface easy to use and reduce the time to process customer requests.  At the same time, the business had to ensure that their customer data stored in Salesforce was secure and to be able to detect any malicious use.

The Solution

Implementing Splunk with the Splunk Add-on for Salesforce enabled the collection of logs and objects from Salesforce using REST APIs.  This in turn, enabled proactive alerting and the creation of informative dashboards and reports to satisfy the business’ security requirements.

Scenarios detected:

  • Failed or unusual login attempts (same user tries to login from multiple IP addresses)
  • Large amounts of data extracted from Salesforce
  • Unauthorised changes in Salesforce configuration such as Connected Apps settings or Authentication Provider settings
  • Integration user account activity occurring outside of scheduled job runs
  • Privileged user activity
  • Apex code execution

All of this was achieved by setting up the required data inputs via the Splunk Add-on.  Creating lookups to enhance the alert content with meaningful information and macros for re-usability and ease of administration, then adding alerts to ensure the required conditions were notified to the operational support teams.

Splunk dashboards and reports built on Salesforce data allowed the business to easily view login patterns and analyse EventLog events and Setup Audit Trail changes.  Additionally, Salesforce data ingestion and alert summary dashboards were added to assist the support team to identify issues or delays in data ingestion as well as review the number of alerts being generated over time.

When developing any application that provides access to secure information, it’s important to not only monitor in terms of user experience, but also look at security aspects. Our customer was able to satisfy the security monitoring requirements of the business with the Splunk Add-on for Salesforce and achieved their go-live target date. The configured alerts will keep them informed of any potential security issues, giving them confidence that the platform is secure. The accompanying dashboards provide an intuitive summary of user actions, all backed by an extended data retention policy in Splunk to satisfy regulatory compliance. With SalesForce data now available in Splunk, they are planning additional use cases to not only monitor security, but get insights into how the platform is used by employees.

Why choose JDS?

JDS has experience and expertise in bringing SalesForce application data into Splunk . If your focus is on security, performance, or custom monitoring, speak to JDS today about how we can convert your SalesForce data into useful insights.

Virtual Agent: Understanding The Limitations Of LITE

Understanding the difference between Virtual Agent LITE and the full Virtual Agent offering is a must when planning your organisation’s Virtual Agent journey.

The following matrix will help you to understand the benefits of the Virtual Agent LITE product as a starting point, whilst clearly highlighting the immense value that can be realised in proceeding with the full Virtual Agent offering.

Want to know more? We’d love to hear from you via [email protected] or 1300 780 432.

ServiceNow & ReactJS

Technology Background

Like any enterprise platform, ServiceNow has a complex relationship with its underlying architecture. Originally, ServiceNow was built on Java using Jelly XML for server-side component rendering. For its time, this approach was cutting edge.

As the Internet matured and social media ramped up, Google developed a clever client/server binding language called AngularJS that allowed for dynamic HTML pages to be rendered. ServiceNow adopted this only to have Google discontinue AngularJS in its original form. ServiceNow’s implementation of AngularJS as found in the Service Portal is world-class, but unfortunately, the underlying technology is no longer actively supported.

At this point, the architects at ServiceNow sat back and took a long hard look at emerging technologies and trends among the tech giants. It would be fair to say they were once bitten, twice shy. In developing their Agent Workspace UI, ServiceNow settled on using ReactJS (with GraphQL for data management) because of its broad scale adoption across the industry.

ReactJS is used by Facebook, Instagram, Netflix, WhatsApp and Dropbox to name a few, so ServiceNow are on safe ground with this technology.

Implementing ReactJS In ServiceNow

Whereas with AngularJS, ServiceNow provided an online IDE for widget development, at the moment the only way to build a ReactJS application for ServiceNow is to work offline. Once built, your ReactJS file can be deployed to ServiceNow as a packaged application.

There are pros and cons to this approach. On the positive side, ReactJS applications can be deployed with little to no overhead from ServiceNow, making them astonishingly fast and scalable. The only con is you need your own Node JS environment and ReactJS development platform.

Why Use ReactJS?

Why would anyone develop a ServiceNow application with ReactJS?

The answer is:

• ReactJS is an industry standard and so there is a vast pool of experienced web developers to draw upon
• ServiceNow provides a highly-scalable platform for ReactJS
• ServiceNow has built-in granular data security and APIs to manage data access
• ServiceNow is extremely efficient at workflow management and integration supporting ReactJS

Rather than building and managing a full-stack service platform for a ReactJS app, your app can be deployed quickly and easily through ServiceNow. Given the amount of effort and due-diligence required to operate a full-stack service at an enterprise level, ServiceNow provides a convenient shortcut.

When it comes to ReactJS, ServiceNow is effectively operating as PaaS (Platform as a Service). Think of your ReactJS app as a beautifully designed architectural home. ServiceNow allows you to position it as a penthouse suite without the need to worry about the rest of the building beneath it.

Creating A ReactJS Application

We’re going to create a nice simple ReactJS application listing contact details.

I recommend using the Code Sandbox for ReactJS applications as it is easy to use and provides an instant preview of your work.

To keep things simple, I’m going to use the ServiceNow REST API for Tables as my data access point.

Once you’ve signed into the Code Sandbox you’ll be assigned to one of their temporary virtual servers. The first time you run the code below it will fail because of cross-origin resource sharing restrictions (CORS).

If you look at the console log, you’ll find your temporary virtual server name. From there, you can set up a CORS exception that will allow access to your instance. Once that is in place, the application will work properly.

Without getting into too much detail, about how ReactJS works, we’re going to set up two files, our core Apps.js and contacts.js. We’re going to create a new folder called components to hold our contacts.js template.

Notice how when I hover over the line src folder in the Code Sandbox I get options for a new directory and a new file. This is how I added /components/contacts.js

Let’s look at the code used to retrieve contacts from ServiceNow and display them using ReactJS.

App.js

import React, { Component } from "react";
import Contacts from "./components/contacts";

class App extends Component {
  render() {
    return <Contacts contacts={this.state.contacts} />;
  }

  state = {
    contacts: []
  };

  componentDidMount() {   
    //this is a sample web service you can test with
    //fetch('https://jsonplaceholder.typicode.com/users',{
    fetch(
      "https://{your-instance}.service-now.com/api/now/table/sys_user?sysparm_query=emailENDSWITH{your-email-suffix}",
      {
        withCredentials: true,
        credentials: "include"
      }
    )
      .then((res) => res.json())
      .then((data) => {
        console.log(data);
        this.setState({ contacts: data.result });
      })
      .catch(console.log);
  }
}

export default App;

As you can see, our Apps.js file refers to /components/contacts to get an HTML/ReactJS template. It also includes a simple REST call (fetch) that uses the ServiceNow Table API to retrieve information from ServiceNow.

To get this example to work, you’ll have to replace…

  • {your-instance} with your ServiceNow instance name
  • {your-email-suffix} with your organisation’s email suffix (ie, gmail.com, etc)


contact.js is our HTML/ReactJS template. It takes the data retrieved from the fetch and formats it for display. It’s pretty straight-forward and intuitive to read.

contact.js

import React from "react";

const Contacts = ({ contacts }) => {
  return (
    <div>
      <center>
        <h1>Contact List</h1>
      </center>
      {contacts.map((contact) => (
        <div class="card">
          <div class="card-body">
            <h4 class="card-title">{contact.name}</h4>
            <h5 class="card-subtitle mb-2 text-muted">
              Email: {contact.email}
            </h5>
            <h6 class="card-text">UserID: {contact.user_name}</h6>
          </div>
        </div>
      ))}
    </div>
  );
};

export default Contacts;

That’s it.

That’s a ReactJS application.

At this point, your ReactJS application should work. If it doesn’t, look carefully at the console log in your browser and check you’ve completed the steps listed above.

Deploying A ReactJS Application

ReactJS applications need to be packaged and deployed.

Code Sandbox integrates with Netlify to provide online packaging and deployment.

The deployment may take a few minutes.

Make sure you have a Netlify account (I use my GitHub account for all of these services so everything is centralized)

Once you’ve signed into Netlify, Click on the little download arrow to get your package ready for deployment to ServiceNow.

Deploying on ServiceNow is simple enough, but it is a little bit of a hack.

This advice may change over time as ServiceNow develops its offering further, but the sanctioned approach at the moment is to deploy ReactJS as stylesheets.

The reason for this is style sheets are resources that can be accessed without authentication. In essence, you separate your JS and CSS into different stylesheets and then reference them from an HTML page (such as a UI page or a portal widget). So long as ReactJS is listed as a dependency for that page, it’ll load in the background, recognize your React JS in the stylesheet and run accordingly.

For more detail on ReactJS deployment in ServiceNow, please refer to:


Have fun and happy coding!

ServiceNow Safe Workplace Suite

 

As Australia continues to establish it’s new COVID normal, the time has never been better to consider the utilization of ServiceNow’s Safe Workplace Application suite.

With JDS expertise on the Now Platform, you can set up a Health application for your employees in a fraction of the time a traditional Health & Safety solution would take to configure!

By using your existing data and business workflows, JDS can create a user-friendly experience that will help your organisation monitor the safety of your employee, visitors and your workplace as a whole.

Consumers of these services will marvel at its ease-of-use, while key stakeholders and managers will have immediate visibility into your organisation’s key return-to-work metrics through the platform’s reporting & dashboarding capabilities.

As an ELITE ServiceNow Sales & Services Partner (one of only four local elites in the ANZ region), JDS works with our customers to automate and innovate deliver across all lines of business, with the Safe Workplace Suite being no exception!

To learn more, contact our team today on 1300 780 432, or email [email protected].

Working With ACLs In ServiceNow

 

ACLs or Access Control Lists are the process by which ServiceNow provides granular security for its data and can be applied to individual records, as well as fields within those records.

When working with ACLs, it is extremely important to note that the order in which an ACL definition is evaluated has performance implications.

These are:

  1. Roles
  2. Criteria
  3. Script

 

ROLES: FASTEST

Roles will evaluate extremely fast as they are cached in server memory, so using roles is always highly recommended.

CRITERIA: FAST

Conditions are based on values in the current record and will evaluate quickly, but only after the role has been checked.

Although you can have complex criteria using dot-walking (“Show related records”) these will incur a performance overhead as ServiceNow needs to load the related records.

In this example, the criteria is based on the company of the assigned person for that record, requiring ServiceNow to load TWO additional records to evaluate.

Remember, performance does not scale in a linear fashion.

Although criteria like this may seem blisteringly fast when looking at a single record in a development environment, it will be much slower in production as lots of people access records—and particularly if it is applied to a READ rule in a list view as the criteria has to evaluate for each and every individual row being displayed (multiplying the performance overhead).


SCRIPT: SLOWEST

Although slowest here is a relative term, ACL scripts will evaluate at least slightly slower than ACL roles and ACL criteria for a number of reasons.

Scripts are often needed in ACLs, but they should always be carefully considered for performance implications.

The best practice with scripts is to have them shielded by roles and criteria. In this way, the script won’t even run unless the ACL first matches the role and then matches the criteria, potentially sidestepping a performance overhead before it occurs.

Consider the following two ACLs. Technically, they’re identical, but one will run considerably faster than the other.

Even though they’re technically identical, the second ACL will be slower because:

  • The script will be run for ALL users and not just those that have the ITIL role
  • The script will run on ALL records not just those that are active
  • ServiceNow’s JAVA layer has to invoke a Rhino Javascript engine to evaluate this script

Ideally, scripts should only be used on ACLs that already have roles and criteria to ensure they’re only running when absolutely necessary.

ServiceNow is optimised to run ACLs extremely fast, but they can introduce a performance overhead on large instances with millions of records.

JDS is experienced in optimizing ACLs and can use a variety of methods to drastically improve ACL performance. For more information, reach out to the JDS ServiceNow team.

To learn more, contact our team today on 1300 780 432, or email [email protected].