Restricting access through ACLs, roles, GlideSystem security methods, and application scope protections.
This domain addresses securing ServiceNow applications through multiple layers of access control. Candidates must know how to restrict access to applications and application modules using roles and user criteria; create Access Control Lists (ACLs) both manually and automatically; and test and debug ACLs for table-, field-, and record-level security. The domain also covers using GlideSystem methods to script security logic in Business Rules and other server-side scripts, and using application scope to protect application artifacts from unauthorized modification. Understanding ACL evaluation order, debugging ACL failures, and implementing data policies for server-side field validation are essential skills. (20% of exam)
5 minutes
5 Questions
Security and Restricting Access in ServiceNow is a critical concept for Certified Application Developers, encompassing multiple layers of protection to safeguard data and functionality within the platform.
**Access Control Lists (ACLs):** ACLs are the primary mechanism for controlling access to tables, fields, and records. Each ACL names an object (a table, written table.none for record-level rules; a table.field; or a wildcard such as *.none or *.*) and an operation (read, write, create, delete, among others), and can require roles, a condition, and a script. A user passes a single ACL only if all of its parts pass: at least one of the listed roles, the condition, and the script. When several ACLs match the same object and operation, passing any one of them is enough. The system searches for a matching rule from the most specific object to the least specific (table.field, parent.field, *.field, then table.*, parent.*, *.*) and stops at the first level where a rule exists; to access a field the user must pass both the record-level ACL for the table and that field-level ACL. Failed checks can be traced with the Debug Security Rules module, which shows each evaluated rule and its result at the bottom of the page.
**Roles:** Roles are assigned to users and groups to control what they can access. ServiceNow uses role-based access control (RBAC), where roles like 'admin', 'itil', or custom roles determine permissions. Roles can be inherited through group membership and can contain other roles for hierarchical permission structures.
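To make the ACL evaluation order, the all-parts-must-pass logic within one rule, the any-rule-passes logic between rules at the same level, and role inheritance through groups and contained roles concrete, here is an added example that models that logic in plain JavaScript. It is not ServiceNow platform code: the table x_acme_app_request (extending task), the roles x_acme_app_user and x_acme_app_manager, the group Service Desk, the users, and the ACL records are all constructed for illustration, and the model denies access when no rule matches at any level (a real instance ships with baseline '*' rules). The trace it prints is the kind of output you would read in Debug Security Rules when working out why a user was denied.

```javascript
// Added example: a plain-JavaScript model of ServiceNow ACL evaluation and role
// inheritance. Not platform code: every table, role, group, user and rule here
// is constructed for illustration.

// Role nesting: a role contains the roles listed for it (hypothetical roles).
const ROLE_CONTAINS = {
  x_acme_app_manager: ['x_acme_app_user'],
  itil: ['itil_base'],
};
// Roles granted through group membership (hypothetical group).
const GROUP_ROLES = { 'Service Desk': ['itil'] };
// Table extension: child table -> parent (hypothetical scoped table extending task).
const TABLE_PARENT = { x_acme_app_request: 'task' };

// All roles a user effectively holds: direct roles, group roles, and every role
// contained (transitively) by those.
function effectiveRoles(user) {
  const seen = new Set();
  const stack = [...user.roles];
  for (const g of user.groups) stack.push(...(GROUP_ROLES[g] || []));
  while (stack.length) {
    const r = stack.pop();
    if (seen.has(r)) continue;
    seen.add(r);
    stack.push(...(ROLE_CONTAINS[r] || []));
  }
  return seen;
}

// [table, parent, ..., '*']: tables whose rules can apply, most specific first.
function tableLineage(table) {
  const out = [];
  for (let t = table; t; t = TABLE_PARENT[t]) out.push(t);
  out.push('*');
  return out;
}

// Object names searched for record-level access (table.none, parent.none, *.none)
// and for field-level access (table.field, parent.field, *.field, table.*, parent.*, *.*).
function recordCandidates(table) {
  return tableLineage(table).map((t) => t + '.none');
}
function fieldCandidates(table, field) {
  const lineage = tableLineage(table);
  return lineage.map((t) => t + '.' + field).concat(lineage.map((t) => t + '.*'));
}

// One rule passes only if ALL of its parts pass: at least one listed role, the
// condition, and the script. "Admin overrides" lets admin pass without them.
function rulePasses(rule, user, record, roles, trace) {
  const label = `${rule.operation} ${rule.name}`;
  if (rule.adminOverrides && roles.has('admin')) {
    trace.push(`${label}: admin overrides -> pass`);
    return true;
  }
  if (rule.roles.length && !rule.roles.some((r) => roles.has(r))) {
    trace.push(`${label}: requires one of [${rule.roles}] -> fail`);
    return false;
  }
  if (rule.condition && !rule.condition(record, user)) {
    trace.push(`${label}: condition -> fail`);
    return false;
  }
  if (rule.script && !rule.script(record, user, roles)) {
    trace.push(`${label}: script -> fail`);
    return false;
  }
  trace.push(`${label}: pass`);
  return true;
}

// Walk the candidate names most specific first and stop at the first name that has
// rules for this operation; the user must pass ANY one of them (OR). The model
// denies when nothing matches anywhere.
function passLevel(acls, candidates, operation, user, record, roles, trace) {
  for (const name of candidates) {
    const matching = acls.filter((a) => a.name === name && a.operation === operation);
    if (matching.length === 0) continue;
    return matching.some((rule) => rulePasses(rule, user, record, roles, trace));
  }
  trace.push(`no ${operation} rule found for ${candidates[0]} -> deny`);
  return false;
}

// Record access needs the record-level rule; field access needs the record-level
// rule AND the field-level rule.
function canAccess(acls, user, operation, table, record, field) {
  const roles = effectiveRoles(user);
  const trace = [];
  let allowed = passLevel(acls, recordCandidates(table), operation, user, record, roles, trace);
  if (allowed && field) {
    allowed = passLevel(acls, fieldCandidates(table, field), operation, user, record, roles, trace);
  }
  return { allowed, trace };
}

// Constructed ACL records. `condition` and `script` are functions standing in for the
// ACL's condition builder and its script (which sets `answer` in the platform).
const ACLS = [
  { name: 'x_acme_app_request.none', operation: 'read', roles: ['x_acme_app_user'], adminOverrides: true },
  { name: 'x_acme_app_request.none', operation: 'read', roles: [],
    condition: (rec, user) => rec.opened_by === user.sys_id },        // requester sees own record
  { name: 'x_acme_app_request.none', operation: 'write', roles: ['x_acme_app_user'],
    condition: (rec) => rec.state !== 'closed' },                    // no edits once closed
  { name: 'x_acme_app_request.approval', operation: 'write', roles: [],
    script: (rec, user, roles) => roles.has('x_acme_app_manager') }, // only managers approve
  { name: 'task.*', operation: 'write', roles: ['itil'] },           // inherited from parent table
];

// Constructed users and record.
const USERS = {
  requester: { sys_id: 'u1', roles: [], groups: [] },
  agent:     { sys_id: 'u2', roles: ['x_acme_app_user'], groups: ['Service Desk'] },
  manager:   { sys_id: 'u3', roles: ['x_acme_app_manager'], groups: ['Service Desk'] },
  outsider:  { sys_id: 'u4', roles: [], groups: [] },
  admin:     { sys_id: 'u5', roles: ['admin'], groups: [] },
};
const REQUEST = { sys_id: 'r1', opened_by: 'u1', state: 'open' };

// Evaluate a set of scenarios, print the trace, and return label -> allowed.
function runScenarios() {
  const T = 'x_acme_app_request';
  const cases = {
    'requester reads own record':     canAccess(ACLS, USERS.requester, 'read', T, REQUEST),
    'outsider reads record':          canAccess(ACLS, USERS.outsider, 'read', T, REQUEST),
    'admin reads record':             canAccess(ACLS, USERS.admin, 'read', T, REQUEST),
    'agent writes short_description': canAccess(ACLS, USERS.agent, 'write', T, REQUEST, 'short_description'),
    'agent writes approval':          canAccess(ACLS, USERS.agent, 'write', T, REQUEST, 'approval'),
    'manager writes approval':        canAccess(ACLS, USERS.manager, 'write', T, REQUEST, 'approval'),
  };
  const results = {};
  for (const [label, r] of Object.entries(cases)) {
    results[label] = r.allowed;
    console.log(`${label}: ${r.allowed ? 'ALLOWED' : 'DENIED'}\n  ` + r.trace.join('\n  '));
  }
  return results;
}

runScenarios();
```

Two things in the trace are worth noticing. The agent's write to short_description is decided by the task.* rule, because no rule exists for x_acme_app_request.short_description or for the more specific wildcards above it in the search order, while the write to approval stops at x_acme_app_request.approval and never consults task.* at all. And the admin user passes the read rule only because that rule has Admin overrides set; remove the flag and admin is evaluated like anyone else.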
**User Authentication:** ServiceNow supports multiple authentication methods including local authentication, LDAP, SSO (Single Sign-On), Multi-Factor Authentication (MFA), and OAuth to verify user identities before granting platform access.
**Data Policies:** Data policies make fields mandatory or read-only on the server, so the constraint holds regardless of how the record arrives (UI form, web service request, or import set), whereas a UI policy alone only shapes the form. Two details matter in practice: enforcement for import sets and for web service requests is switched on by separate checkboxes on the data policy and is not automatic, and a data policy can be reflected to the form as a UI policy ('Use as UI Policy on client') so users see the constraint before submitting rather than only receiving a server-side rejection.
**Client-Side vs Server-Side Security:** Security must be enforced on the server using ACLs, Business Rules, and Script Includes. Client Scripts and UI Policies run in the browser and can be bypassed by anyone who edits the page or calls the platform's REST or SOAP interfaces directly, so they are a usability layer, never the control itself.
**Scripted Security:** Server-side GlideRecord queries do not enforce ACLs: a script that uses GlideRecord returns every row the query matches, whatever the running user may see. Use GlideRecordSecure, which applies ACLs to query results and to inserts, updates, and deletes, or check explicitly with the GlideRecord methods canRead(), canWrite(), canCreate(), and canDelete(). GlideSystem methods such as gs.hasRole('role'), gs.getUserID(), and gs.getUser() supply the current user's identity and roles to Business Rules, Script Includes, and Scripted REST APIs; note that gs.hasRole() returns true for any user with the admin role, so it cannot by itself hide something from admin. Scripted REST resources and client-callable Script Includes run as the calling user and must perform their own access checks rather than assume the caller is authorized.
**Application Scoping:** Every application artifact carries an application scope. A table's Application Access settings control whether scripts in other scopes can read, create, update, or delete its records and whether the table is reachable through web services; Script Includes can be marked accessible only from their own scope; and artifacts in a scoped application cannot be modified by scripts running in another scope. Scope is a boundary between applications and their code, not a substitute for ACLs, which still govern what users can do.
**Best Practices:** Follow the principle of least privilege when defining roles and ACLs; never hardcode credentials in scripts, and keep sensitive configuration in system properties (use the password2 type for secrets); prefer a before-query Business Rule for row-level restrictions that apply to many records, since it filters the query rather than removing rows one by one after they are read (the "rows removed by security constraints" message), but keep a read ACL as the backstop, because query Business Rules are skipped when a script calls setWorkflow(false). Test with impersonation, together with the Debug Security Rules module, to confirm that each role sees exactly what it should.