Blog

JDS Australia Named 2022 Splunk APAC Services Partner of the Year

News, SplunkKelly Cooke

JDS Australia announced today it has received the 2022 APAC Services Partner of the Year for exceptional performance and commitment to Splunk’s Partnerverse. The APAC Services Partner of the Year award recognizes an APAC Splunk partner that is actively engaged in services implementations, in addition to having a strong commitment to training and certification of their organisation.   

“We’re thrilled to be awarded the 2022 APAC Services Partner of the Year.  I’m so proud of our team for the recognition, as it is a clear demonstration of their tireless commitment to being the most knowledgable and experienced Splunk partner in the region,” said Brian Grant, JDS Splunk General Manager. “We value our ongoing partnership with Splunk and look forward to another successful year of collaboration.”

“Congratulations to JDS Australia for being named the 2022 APAC Services Partner of the Year,” said Bill Hustad, Vice President of Alliances and Channel Ecosystems Splunk. “The 2022 Splunk Global Partner Awards recognize outstanding partners like JDS that drive positive business outcomes, as well as help our joint customers leverage Splunk to solve their challenges. Additionally, JDS works in collaboration with Splunk and shares our customer-first mentality.”

The Splunk Global Partner Awards recognize partners of the Splunk ecosystem for industry-leading business practices and dedication to constant collaboration. All award recipients were selected by a group of the Splunk executives, theater leaders and the global partner organisation. 

What It Means To Be CREST (Intl) Accredited

Blog, JDSSecurity, News, Secure, TestKelly Cooke

Anyone with a computer and an Internet connection can set themselves up as a penetration testing or cyber incident response service provider.  These could include irresponsible organisations that do not have in place policies, processes and procedures to ensure quality of service and protection of client based information.  The individuals employed by these companies may have no demonstrable skill, knowledge or competence in the provision of security testing.

CREST is an International not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST requires a rigorous assessment of business processes, data security and security testing framework to demonstrate a level of assurance that the information security methodologies used can competently and securely provide customers with a robust assessment of their cyber security posture.

As a result, CREST only provides accreditation to highly trusted professional services organisations, and their employees who provide the often sensitive and high-risk penetration testing, cyber incident response, threat intelligence and security operations centre services.

All CREST accredited member companies are required to submit policies, processes and procedures relating to their service provision to provide added assurance for the buying community.  These policies, processes and procedures include:

  • References for certified individuals
  • Assignment preparation and scope processes
  • Assignment execution processes
  • Technical methodology
  • Reporting templates
  • Data storage and Information Sharing policies
  • Post technical delivery methodologies
  • Asset/Information/Document storage, retention and destruction processes

The buying community needs to be in a position where it can procure services from a trusted company with access to demonstrably professional technical security staff.  CREST provides the buying community with a clear indication of the quality of the organisation and the technical capability of staff they employ.

JDS is a proud CREST (Intl) accredited member company who can confidently provide our customers the added reassurance that our services meet the highest professional and security standards.

Five Reasons Why Your Organisation Should Be Penetration Testing

Blog, JDSSecurity, Secure, Tech Tips, TestKelly Cooke

Modern businesses require an advanced approach to security and due diligence.  Having anti-virus software and a firewall is no longer an efficient strategy to prevent highly sophisticated security attacks which can result in irreversible damage to your organisation.

A professional penetration testing service is the best way to identify the strengths, weaknesses and holes in your defences.  Read on to uncover the five best reasons why your organisation needs penetration testing.

1. Protect Your Organisation From Cyber Attacks

Reports of cyber crime within Australia have increased nearly 15% each year since 2019, with the average reported financial loss per successful cybercrime incident being $50,673. Regardless of your organisational size or sector, cyber criminals view every business as a potentially exploitable prospect. The internet is continuously being scanned in search of vulnerable systems.  Carrying out penetration tests will enable you to identify vulnerabilities that are most likely to be exploited, determine what the potential impact could be, and enable you to implement measures to mitigate or eliminate the threat.     

2. Identify and Prioritise Vulnerabilities

Put simply, a pen test will uncover all of the potential threats and vulnerabilities that could damage your organisation’s IT assets.  The resulting report prioritises these vulnerabilities from low to critical, and further categorises them by likelihood and impact.  This gives your team a clear picture of your security posture, and the opportunity to mitigate the greatest threats first before moving on to less risky ones.

3. Stay Compliant With Security Standards and Regulations

Regular penetration testing can help you to comply with security standards and regulations such as ISO 27001 and PCI.  These standards require company managers and system owners to conduct regular penetration tests and security audits to demonstrate ongoing due diligence and maintenance of required security controls. Not only does pen testing identify potential vulnerabilities, ensuring that you are protecting your customers and assets, but it also helps to avoid costly fines and fees connected with non-compliance. 

4. Reduce Financial Losses and Downtime

Recent studies have reported that the average financial impact of a major data breach in Australia is around $3.7million per incident.  This takes into account expenditures on customer data protection programs, regulatory fines, and loss of revenue due to business operability.  System downtime is incredibly costly – the longer your system is down, the more exorbitant the cost.  A penetration test is a proactive solution to highlight and fix your system’s most critical vulnerabilities, and ensure your team are ready to act if your systems were to go down unexpectedly. 

5. Protect Your Reputation and Company Loyalty

Consumers are extremely quick to lose trust in companies and brands, and all it takes is one security breach or data leak to tarnish your reputation.  Customers and partners of your organisation want to know that their private data is safe in your hands, so it is in your best interest to be aware of any vulnerabilities which may put the company’s reputation and reliability in jeopardy.  

This is just a handful of reasons why organisations should carry out regular penetration tests, but there are many more.  Connect with JDS to discuss your pen testing needs and get a full scope of work customised to your requirements.

JDS and the GO Foundation

AppDynamics, Atlassian, Big Picture, JDS People, JDSSecurity, New Relic, News, ServiceNow, SplunkKelly Cooke

The Go Foundation is an inspiring organisation empowering young Indigenous Australians by providing scholarships from primary school through to University.

Co-founded by Adam Goodes and Michael O’Loughlin in 2009, the foundation offers mentoring, leadership, networks and support to GO students on their journey to employment.

JDS is immensely proud to have committed to donating $30k to the GO Foundation over the next three years.

It is an organisation that really resonates, as we recognise the vital importance of ensuring that all Australians have equal opportunity to participate socially, culturally and economically.

Extensive research has revealed that the completion of further education by Indigenous Australians can lead to increased earning capacity, greater employment opportunities, improved health and wellbeing outcomes, and reduced interaction with the justice system. The benefits that can come from Indigenous Australians going further beyond high school with their education can stretch beyond improving and enriching the lives of Indigenous communities – they can benefit everyone.

Positive enabling factors that are likely to increase Indigenous participation in further education include enhancing the quality of school experience for Indigenous students to ensure that culture is recognised, and the aspirations of each student is developed. Additionally, providing access to career advice and guidance, and information on the various choices and pathways available for Indigenous students is linked to increasing the quality of the school experience for Indigenous Australians.

The GO Foundation’s scholarship program provides financial assistance, tools and resources for Indigenous students to ensure their journey through school is rich and rewarding, and a broad range of career options, work experience and paid internships ensures the assistance continues well after the scholarship has ended.    

We hope that by dedicating our long-term support, we are contributing to generational change and opportunities for many students for many years to come.

Mastering Modal Dialog Boxes

Blog, ServiceNow, Tech TipsKelly Cooke

Modal Dialog boxes are a great way to enhance the user experience and provide more detailed feedback to users than a default browser popup.

Recently, we had a challenging set of requirements from a customer. They needed a bunch of mandatory fields (easy enough with UI Policies) but there was a twist—they needed:

  • Fields that were mandatory ONLY if the person wanted to send the record for approval
  • Four fields but ONLY one of the four is mandatory (ie, put data in any one field and all four are good to go)
  • There had to be at least one record in a related list

Modal dialogs are awesome!

We developed a simple approval dialog box for a UI action to cater to these requirements. It’s a good example of how complex requirements can be distilled into a simple solution.

Have fun and happy coding!

Understanding your Customer Journeys in Salesforce with AppDynamics

AppDynamics, Blog, Tech TipsJDS

The Problem

JDS Australia works with numerous customers who utilise the force.com platform as the primary interface for their end users (internal and external) to execute business critical services. The flexibility and extensibility of the component based Lightning framework has allowed businesses to customise the platform to meet their specific requirements.

However, many of these companies struggle to monitor, quantify or pinpoint the impact of performance in the Salesforce platform to their end users and ultimately their business. Furthermore, there is limited capability to provide detailed Salesforce information for root cause analysis (e.g. is the problem with a particular lightning component(s) vs core Salesforce platform vs multiple pages?).

The Solution

Using AppDynamics Real User Browser Monitoring (RUM) coupled with advanced JavaScript configuration, we have created a solution.

Unlike traditional methods involving logfile or API based monitoring; real user monitoring collects rich metrics from the end users’ perspective. JDS has also further integrated  additional custom code to identify AJAX requests and inject page names into the stream and provide business context and make sense of the data.

Dashboards provide Salesforce Performance at a glance

Additionally, AppDynamics RUM is able to identify and dynamically visualise each step of Customer Journeys as they traverse Salesforce, in near real time. 

Using the collated metrics these businesses have been able to proactively alert support teams of issues, and also utilise the historic data to analyse customer behaviour to understand how customers are using the platform. For example, expected user journeys vs actual user journeys.

AppDynamics RUM captures detailed diagnostic information to help triage issues, including:

  • Single Page Application performance
  • Page Component load details, 
  • AJAX requests, 
  • Detailed Error Snapshots
  • Dynamic Business Transaction Baselining (Normal vs Slow Performance)
  • User browser version and device type,
  • Geographic location of users,
  • Connection method (e.g. browser vs mobile), and device type. 

AppDynamics RUM can also provide direct correlation to AppDynamics APM agents to combine the ‘front-end’ and ‘back-end’ of these user sessions where Salesforce may traverse additional down-stream applications and infrastructure.

Why JDS?

As experts in Application Performance Management (APM) and Observability, JDS have extensive experience in helping our customers determine the root cause of performance issues.

Contact us at [email protected] to discuss how monitoring Salesforce can be used to understand your end users and make informed decisions with quantifiable metrics. 

5 Ways uberAgent Measures Your Employee Digital Experience

Blog, SplunkKelly Cooke

Measuring employee digital experience is a great way to assess how well your systems are performing. With the move to working from home there is now greater importance in making sure your IT services can support multiple device types and varying network conditions. This scenario is where uberAgent shines.

uberAgent is a user experience monitoring and endpoint security analytics product that integrates with your Splunk environment. uberAgent provides rich details on user experience whether they are on a Mac, PC, Surface, or virtual desktop like Citrix or VMware.

Here are 5 ways uberAgent can help you evaluate your employees’ end-user experience – and troubleshoot any issues.

Logon Monitoring

A logon is your first chance to make a good impression. No one likes to wait, so when users start to complain of slow logon times you need access to everyone’s details to understand what is going on. uberAgent for Splunk captures everything you will need, giving you everyone’s logon time, and where that time is being spent. You can review the details for a group of users, or drill-down to one specific user.

Logon time is broken down by the shell startup, group policy processing, profile loading, and group policy and AD logon scripts. You can compare users with different characteristics to help identify where time is being spent. If your group policy is taking too long for some users, you can drill down to see how much time each policy is taking. 

Logon Monitoring dashboard

Application Usage

Measuring the user experience of applications can benefit both application owners and end users. If users are reporting slow performance, it is important to understand what is happening on the system. Is performance poor due to the user’s memory or CPU? Is storage or bad network connectivity the issue? Could it be slow because of the many tabs open in their web browser? Or is the issue firmly with the application?

uberAgent will give you a clear picture of what is happening on each user’s device. Comparing all users can provide insights into how applications are performing throughout the day. You can view details about crashes, load times, memory/CPU/disk usage, network connectivity problems, and even understand how often the app freezes.

There are many other benefits to getting a full catalog of deployed applications. uberAgent tells you which applications are installed, and which of those are used. You can understand how many licenses will be needed for an application, and plan purchases and upgrades around usage.

Application Performance dashboard

Network Monitoring

A user’s internet connection can play a large role in the perceived performance of applications.  When users are working remotely, they may not always have access to high-speed internet connections. With uberAgent’s network monitoring capability you can easily see how much data is being transferred, to where, and exactly how long that took. Built in dashboards can show you connectivity issues broken down by user or application. You can separate latency issues in Citrix sessions and latency in Citrix hosted applications, helping identify if the user’s connection or an issue at the data centre is the cause.

Network Communications dashboard

Browser Application Experience

With the shift to cloud and web-based UIs, it is important to include web application performance in measuring overall user experience. With plugins for Internet Explorer, Firefox, and Chrome, uberAgent can delve into the browser experience without needing any code changes to the monitored apps.

Details about page load times, render time, network communications, errors, and more are available by application or web page. Measure the performance of web-based apps whether they are hosted internally or available in the cloud.

The light-weight plugin is a trusted solution with over 600,000 downloads in the Chrome store.

Browser App Performance dashboard

Experience Score Dashboard

Individual metrics are useful for troubleshooting individual issues. To get a clear picture of the overall user experience, uberAgent creates a single user experience score. The experience score is a single view that shows the current and past status of all devices, applications, and users monitored by uberAgent. It allows for proactive monitoring of your environment, reducing downtimes and costs.

The trend of this score can let you know how the user experience is going, and allow you to compare scores across different days, users, or applications.

The experience score dashboard calculates and visualises experience scores for the entire userbase, breaking the data down by category and component, highlighting components where potential issues are originating from. The dashboard also provides quick access to important KPIs like logon duration, application responsiveness, and application errors.

Experience Score dashboard

These five benefits are just the start – uberAgent has many more features built in. With the flexibility of the Splunk platform you can even extend the dashboards, alerts, and reports to suit your own requirements.

JDS has extensive experience successfully configuring uberAgent for our customers. JDS is a gold partner of uberAgent, so we can install, configure, and provide you with licenses. If you would like to take advantage of the impressive user experience monitoring capability of uberAgent, get in touch with JDS today.

Implementing Salesforce monitoring in Splunk

Blog, Splunk, Tech TipsKelly Cooke

The problem

A JDS customer embarked on a project to implement Salesforce to provide their users a single user interface to fulfil their customer needs.  Their aim, to make the interface easy to use and reduce the time to process customer requests.  At the same time, the business had to ensure that their customer data stored in Salesforce was secure and to be able to detect any malicious use.

The Solution

Implementing Splunk with the Splunk Add-on for Salesforce enabled the collection of logs and objects from Salesforce using REST APIs.  This in turn, enabled proactive alerting and the creation of informative dashboards and reports to satisfy the business’ security requirements.

Scenarios detected:

  • Failed or unusual login attempts (same user tries to login from multiple IP addresses)
  • Large amounts of data extracted from Salesforce
  • Unauthorised changes in Salesforce configuration such as Connected Apps settings or Authentication Provider settings
  • Integration user account activity occurring outside of scheduled job runs
  • Privileged user activity
  • Apex code execution

All of this was achieved by setting up the required data inputs via the Splunk Add-on.  Creating lookups to enhance the alert content with meaningful information and macros for re-usability and ease of administration, then adding alerts to ensure the required conditions were notified to the operational support teams.

Splunk dashboards and reports built on Salesforce data allowed the business to easily view login patterns and analyse EventLog events and Setup Audit Trail changes.  Additionally, Salesforce data ingestion and alert summary dashboards were added to assist the support team to identify issues or delays in data ingestion as well as review the number of alerts being generated over time.

When developing any application that provides access to secure information, it’s important to not only monitor in terms of user experience, but also look at security aspects. Our customer was able to satisfy the security monitoring requirements of the business with the Splunk Add-on for Salesforce and achieved their go-live target date. The configured alerts will keep them informed of any potential security issues, giving them confidence that the platform is secure. The accompanying dashboards provide an intuitive summary of user actions, all backed by an extended data retention policy in Splunk to satisfy regulatory compliance. With SalesForce data now available in Splunk, they are planning additional use cases to not only monitor security, but get insights into how the platform is used by employees.

Why choose JDS?

JDS has experience and expertise in bringing SalesForce application data into Splunk . If your focus is on security, performance, or custom monitoring, speak to JDS today about how we can convert your SalesForce data into useful insights.

Virtual Agent: Understanding The Limitations Of LITE

Blog, ServiceNowKelly Cooke

Understanding the difference between Virtual Agent LITE and the full Virtual Agent offering is a must when planning your organisation’s Virtual Agent journey.

The following matrix will help you to understand the benefits of the Virtual Agent LITE product as a starting point, whilst clearly highlighting the immense value that can be realised in proceeding with the full Virtual Agent offering.

Want to know more? We’d love to hear from you via [email protected] or 1300 780 432.

ServiceNow & ReactJS

Blog, ServiceNowJDS

Technology Background

Like any enterprise platform, ServiceNow has a complex relationship with its underlying architecture. Originally, ServiceNow was built on Java using Jelly XML for server-side component rendering. For its time, this approach was cutting edge.

As the Internet matured and social media ramped up, Google developed a clever client/server binding language called AngularJS that allowed for dynamic HTML pages to be rendered. ServiceNow adopted this only to have Google discontinue AngularJS in its original form. ServiceNow’s implementation of AngularJS as found in the Service Portal is world-class, but unfortunately, the underlying technology is no longer actively supported.

At this point, the architects at ServiceNow sat back and took a long hard look at emerging technologies and trends among the tech giants. It would be fair to say they were once bitten, twice shy. In developing their Agent Workspace UI, ServiceNow settled on using ReactJS (with GraphQL for data management) because of its broad scale adoption across the industry.

ReactJS is used by Facebook, Instagram, Netflix, WhatsApp and Dropbox to name a few, so ServiceNow are on safe ground with this technology.

Implementing ReactJS In ServiceNow

Whereas with AngularJS, ServiceNow provided an online IDE for widget development, at the moment the only way to build a ReactJS application for ServiceNow is to work offline. Once built, your ReactJS file can be deployed to ServiceNow as a packaged application.

There are pros and cons to this approach. On the positive side, ReactJS applications can be deployed with little to no overhead from ServiceNow, making them astonishingly fast and scalable. The only con is you need your own Node JS environment and ReactJS development platform.

Why Use ReactJS?

Why would anyone develop a ServiceNow application with ReactJS?

The answer is:

• ReactJS is an industry standard and so there is a vast pool of experienced web developers to draw upon
• ServiceNow provides a highly-scalable platform for ReactJS
• ServiceNow has built-in granular data security and APIs to manage data access
• ServiceNow is extremely efficient at workflow management and integration supporting ReactJS

Rather than building and managing a full-stack service platform for a ReactJS app, your app can be deployed quickly and easily through ServiceNow. Given the amount of effort and due-diligence required to operate a full-stack service at an enterprise level, ServiceNow provides a convenient shortcut.

When it comes to ReactJS, ServiceNow is effectively operating as PaaS (Platform as a Service). Think of your ReactJS app as a beautifully designed architectural home. ServiceNow allows you to position it as a penthouse suite without the need to worry about the rest of the building beneath it.

Creating A ReactJS Application

We’re going to create a nice simple ReactJS application listing contact details.

I recommend using the Code Sandbox for ReactJS applications as it is easy to use and provides an instant preview of your work.

To keep things simple, I’m going to use the ServiceNow REST API for Tables as my data access point.

Once you’ve signed into the Code Sandbox you’ll be assigned to one of their temporary virtual servers. The first time you run the code below it will fail because of cross-origin resource sharing restrictions (CORS).

If you look at the console log, you’ll find your temporary virtual server name. From there, you can set up a CORS exception that will allow access to your instance. Once that is in place, the application will work properly.

Without getting into too much detail, about how ReactJS works, we’re going to set up two files, our core Apps.js and contacts.js. We’re going to create a new folder called components to hold our contacts.js template.

Notice how when I hover over the line src folder in the Code Sandbox I get options for a new directory and a new file. This is how I added /components/contacts.js

Let’s look at the code used to retrieve contacts from ServiceNow and display them using ReactJS.

App.js

import React, { Component } from "react";
import Contacts from "./components/contacts";

class App extends Component {
  render() {
    return <Contacts contacts={this.state.contacts} />;
  }

  state = {
    contacts: []
  };

  componentDidMount() {   
    //this is a sample web service you can test with
    //fetch('https://jsonplaceholder.typicode.com/users',{
    fetch(
      "https://{your-instance}.service-now.com/api/now/table/sys_user?sysparm_query=emailENDSWITH{your-email-suffix}",
      {
        withCredentials: true,
        credentials: "include"
      }
    )
      .then((res) => res.json())
      .then((data) => {
        console.log(data);
        this.setState({ contacts: data.result });
      })
      .catch(console.log);
  }
}

export default App;

As you can see, our Apps.js file refers to /components/contacts to get an HTML/ReactJS template. It also includes a simple REST call (fetch) that uses the ServiceNow Table API to retrieve information from ServiceNow.

To get this example to work, you’ll have to replace…

  • {your-instance} with your ServiceNow instance name
  • {your-email-suffix} with your organisation’s email suffix (ie, gmail.com, etc)


contact.js is our HTML/ReactJS template. It takes the data retrieved from the fetch and formats it for display. It’s pretty straight-forward and intuitive to read.

contact.js

import React from "react";

const Contacts = ({ contacts }) => {
  return (
    <div>
      <center>
        <h1>Contact List</h1>
      </center>
      {contacts.map((contact) => (
        <div class="card">
          <div class="card-body">
            <h4 class="card-title">{contact.name}</h4>
            <h5 class="card-subtitle mb-2 text-muted">
              Email: {contact.email}
            </h5>
            <h6 class="card-text">UserID: {contact.user_name}</h6>
          </div>
        </div>
      ))}
    </div>
  );
};

export default Contacts;

That’s it.

That’s a ReactJS application.

At this point, your ReactJS application should work. If it doesn’t, look carefully at the console log in your browser and check you’ve completed the steps listed above.

Deploying A ReactJS Application

ReactJS applications need to be packaged and deployed.

Code Sandbox integrates with Netlify to provide online packaging and deployment.

The deployment may take a few minutes.

Make sure you have a Netlify account (I use my GitHub account for all of these services so everything is centralized)

Once you’ve signed into Netlify, Click on the little download arrow to get your package ready for deployment to ServiceNow.

Deploying on ServiceNow is simple enough, but it is a little bit of a hack.

This advice may change over time as ServiceNow develops its offering further, but the sanctioned approach at the moment is to deploy ReactJS as stylesheets.

The reason for this is style sheets are resources that can be accessed without authentication. In essence, you separate your JS and CSS into different stylesheets and then reference them from an HTML page (such as a UI page or a portal widget). So long as ReactJS is listed as a dependency for that page, it’ll load in the background, recognize your React JS in the stylesheet and run accordingly.

For more detail on ReactJS deployment in ServiceNow, please refer to:


Have fun and happy coding!

Performance Testing of Large Scale National Sales Event Website

BlogJDS

Summary

JDS was engaged to performance test a National Sales Event at a very large scale in 2020. There are multiple events which happen throughout different periods of the year but this particular engagement was in preparation for the largest sales event of the year.

Test Scenario Approach and Modelling

Typical performance load tests would start off with a conservative ramp up followed by steady state. This can be seen in the image below.

This particular engagement called for a different kind of performance load test scenario which was very unique as it required two aggressive ramp ups across two different user groups (see image below).

The performance load test was also unlike any typical load tests as it required a large number of virtual users to be tested against (>100,000). Multiple approaches with available performance test tools were considered and the final call was to run the test via JMeter as it was cost effective and lightweight in terms of load generation resource utilisation.

Load Generation Infrastructure Approach

Load generator infrastructure was created via AWS EC2 as this allowed quick stand up and stand down of infrastructure which would allow easier management of load gen infrastructure cost.

One key approach to testing especially with the AWS load gen infrastructure was to test the load in increments. This allowed testing to be done in batches with different levels of load instead of trying to attempt the full load at the first or second attempt. By doing this, the cost of standing up and managing the load generation infrastructure will be much less.

Findings

During initial testing with a smaller load footprint, a performance bottleneck was identified. At about 1% of the expected load it was found that there was an issue when it came to user sign in. Users were then not allowed to log in and were thrown off the site. If this had happen during Go Live, the business would lose out on potential customers and the user confidence of the website would suffer and result in less customers in the future.

Once that was resolved it was also noted that response time performance across the client website improved once the application servers warmed up once load was introduced and further dropped when auto-scaling on the environment was triggered with the ramp up of load.

Server warm up can easily be executed prior to the site actually going live by introducing some artificial load on the live production site. This was something that the client had confirmed was already in place.

To learn more, contact our team today on 1300 780 432, or email [email protected].

Working With ACLs In ServiceNow

Blog, ServiceNowKelly Cooke

 

ACLs or Access Control Lists are the process by which ServiceNow provides granular security for its data and can be applied to individual records, as well as fields within those records.

When working with ACLs, it is extremely important to note that the order in which an ACL definition is evaluated has performance implications.

These are:

  1. Roles
  2. Criteria
  3. Script

 

ROLES: FASTEST

Roles will evaluate extremely fast as they are cached in server memory, so using roles is always highly recommended.

CRITERIA: FAST

Conditions are based on values in the current record and will evaluate quickly, but only after the role has been checked.

Although you can have complex criteria using dot-walking (“Show related records”) these will incur a performance overhead as ServiceNow needs to load the related records.

In this example, the criteria is based on the company of the assigned person for that record, requiring ServiceNow to load TWO additional records to evaluate.

Remember, performance does not scale in a linear fashion.

Although criteria like this may seem blisteringly fast when looking at a single record in a development environment, it will be much slower in production as lots of people access records—and particularly if it is applied to a READ rule in a list view as the criteria has to evaluate for each and every individual row being displayed (multiplying the performance overhead).


SCRIPT: SLOWEST

Although slowest here is a relative term, ACL scripts will evaluate at least slightly slower than ACL roles and ACL criteria for a number of reasons.

Scripts are often needed in ACLs, but they should always be carefully considered for performance implications.

The best practice with scripts is to have them shielded by roles and criteria. In this way, the script won’t even run unless the ACL first matches the role and then matches the criteria, potentially sidestepping a performance overhead before it occurs.

Consider the following two ACLs. Technically, they’re identical, but one will run considerably faster than the other.

Even though they’re technically identical, the second ACL will be slower because:

  • The script will be run for ALL users and not just those that have the ITIL role
  • The script will run on ALL records not just those that are active
  • ServiceNow’s JAVA layer has to invoke a Rhino Javascript engine to evaluate this script

Ideally, scripts should only be used on ACLs that already have roles and criteria to ensure they’re only running when absolutely necessary.

ServiceNow is optimised to run ACLs extremely fast, but they can introduce a performance overhead on large instances with millions of records.

JDS is experienced in optimizing ACLs and can use a variety of methods to drastically improve ACL performance. For more information, reach out to the JDS ServiceNow team.

To learn more, contact our team today on 1300 780 432, or email [email protected].

Copyright © 2025 JDS Australia - Powered by CosmosWP

JDS Australia is now an AC3 company.

Join us on the AC3 HomePage