Professional Documents
Culture Documents
Create
Read
Update
Delete
To create roles, select the Create Application File button in Studio. Select the file type Role and
click the Create button. Configure the role:
Assignable by: Role that can assign this role to users and groups.
Elevated privilege: Select this option to mark this role as required to elevate to high
security. Roles that require users to elevate to high security grant modification access to
the High Security Settings and allow the user to modify the Access Control List, directly
import XML files, and access the Scripts - Background module.
To assign a role to a User, use the Application Navigator in the main ServiceNow browser
window (not Studio) to open User Administration > Users.
Open a User record from the list. Scroll to the Roles section and select the Edit… button.
1. Select the role to add from the Collection slushbucket. NOTE: There can be thousands of
roles in the database. The slushbucket loads the first one hundred roles. If you don’t see
your role in the first one hundred roles, use the search field to locate the role.
3. Use the Add button ( ) to move the role to the Roles List.
Groups
A group is a set of users who share a common purpose. Groups may perform tasks such as
approving change requests, resolving incidents, receiving email notifications, or performing
work order tasks.
Groups are a shortcut way of assigning roles to users. Rather than adding a role individually
to each user, assign a role to a group. Group members have all of the roles assigned to a group.
To create groups, use the Application Navigator in the main ServiceNow browser window (not
Studio) to open User Administration > Groups. Click the New button. Configure the group:
Group email: Group email distribution list or the email address of the group’s point of
contact, such as the group manager.
Parent: Other group of which this group is a member. If a group has a parent, the child
group inherits the roles of the parent group. The members of the child group are not
members of the parent group.
After creating a group, switch to the Roles section. Click the Edit… button. Add roles to the
group using the slushbucket. Select the Save button after the role(s) have been added.
Switch to the Group Members section. Select the Edit… button. Add the desired users to the
Group Members List using the slushbucket. As with all slushbuckets, only the first one hundred
users are loaded into the slushbucket from the database. You may have to use the search field to
locate the users of interest. Select the Save button after all user(s) have been added.
The NeedIt Users group has one role and two members.
To add an application user role, open the application for editing in Studio. Open the File menu
and select the Settings menu item.
Access to Applications can also be set at the Application Menu level. In the Application
Navigator, open Navigation > Application Menus > <application name>.
In order for users with no role to see modules, both the module and the application menu must
have no role.
Modules
Access to modules in the Application Navigator is controlled by roles. Set a module’s Roles in
the Visibility section.
Use the Override application menu roles option to give module-level access to a role that is not
authorized to see the application. For example, assume the NeedIt menu requires the admin role
SURESH SNOW Page 6
and a module for the NeedIt application requires the approver_user role. The application-level
requirement supersedes the module-level requirement which means that users with the
approver_user role cannot see either the application or the module. If the Override application
menu roles option is selected, users with the approver_user role can see both the application and
the module even though the user is not authorized by role to see the application.
Tables
When creating tables in scoped applications, you must assign a role to the table. In the default
case, only users with the table’s role can create, read, update, and delete table records. Configure
the User role in the Controls section of the table form. You can dynamically create a new role or
assign an existing role.
Impersonating Users
Impersonation allows users with the admin role to temporarily become another
authenticated user for testing purposes. When impersonating another user, the admin user can
see and do exactly what the impersonated user can do. Impersonation does not require
knowing the user’s password.
Impersonation is done from the main ServiceNow browser window (not Studio). Open the User
menu by clicking your user name in the ServiceNow banner. Select the Impersonate User option.
Select the user from the drop-down list. ServiceNow reloads and you are now beth.anglin and
can test access as if you had logged in with Beth’s user name and password.
After testing, return to the admin user by impersonating again. Click on Beth Anglin in the
banner to open the User menu. Click Impersonate User. From the Recent Impersonations list
select System Administrator.
1. If the NeedIt application is not open in Studio from the last exercise, open it now.
a. In the main ServiceNow browser window use the Application Navigator to open System
Applications > Studio.
. Open the File menu and select the Settings menu item.
a. Scroll to the User role field. Does the field have a value?
. In the Application Explorer, open Navigation > Application Menus > NeedIt.
a. In the Visibility section, examine the Role field. Make a note of the module role.
b. Look at the Roles field for the Create New and Open modules. Are all the roles the same?
Create a Role
It is common for applications to have an application admin role in addition to an application user
role. Application admins have access to modules that users do not. In this part of the exercise
you will create an admin role for the NeedIt application.
1. Create a role.
b. In the Filter… field enter the text Role OR select Access Control from the categories in
the left hand pane.
c. Select Role in the middle pane as the file type then click the Create button.
Suffix: admin
Create Groups
a. In the main ServiceNow browser window (not Studio), use the Application Navigator to
open User Administration > Groups.
d. Click the Additional actions menu ( ) and select the Save menu item. Do not click
the Submit button because that will take you away from the form.
a. Type x in the search field to filter the roles. Only the first 100 roles are loaded into the
slushbucket. You will not see the NeedIt roles in the slushbucket unless you filter.
c. Click the Add button ( ) to add the role to the Roles list.
b. Use the slushbucket to add Beth Anglin and Zane Sulikowski to the NeedIt Users group.
. In the main ServiceNow browser window (not Studio), use the Application Navigator to
open User Administration > Groups.
Click the Additional actions menu ( ) and select the Save menu item. Do not click the
Submit button because that will take you away from the form.
QUESTION: There is already a role in the Roles section. Where did this role come from? If you
aren’t sure, scroll to the Answers section at the bottom of this page.
a. Type x in the search field to filter the roles. Only the first 100 roles are loaded into the
slushbucket. You will not see the NeedIt roles in the slushbucket unless you filter.
In the Group record, click the Update button to save the changes.
QUESTION: Why did you create the groups in the main ServiceNow browser window and not in
Studio? If you aren’t sure, scroll to the Answers section at the bottom of this page.
QUESTION: The roles from the NeedIt Users group were inherited by the NeedIt Admins group.
Were the NeedIt User group users also inherited? If you aren’t sure, scroll to the Answers section
at the bottom of this page.
a. In Studio, use the Application Explorer to open Navigation > Modules > Open for
editing.
f. In the Module record, click the Update button to save the changes.
Make the All module visible only by users with the x_<your_company_code>_needit.admin
role.
Create a new module to dynamically display all NeedIt records for the currently logged in user.
a. In the Filter… field enter the text Module OR select Navigation from the categories in
the left hand pane.
b. Select Module in the middle pane as the file type then click the Create button.
Order: 150
d. Switch to the Visibility section (tab) and click the Edit button ( ) in the Roles field.
f. Switch to the Link Type section (tab) and configure the options:
Testing
a. In the main ServiceNow browser window, use the Application Navigator to open NeedIt
> All.
b. Open a NeedIt record and set the Requested for value to Abel Tuter.
d. Open a second NeedIt record and set the Requested for value to Beth Anglin.
e. Edit a third NeedIt record and set the Requested for value to Fred Luddy.
. In the main ServiceNow browser window, use the Application navigator to open User
Administration > Users.
b. Scroll to the Roles section. Does Abel have any roles? Do you think Abel will be able to
see the NeedIt application and its modules?
Impersonate Abel Tuter and test his access to the NeedIt application and modules.
. In the main ServiceNow browser window, open the User menu by clicking your user
name in the ServiceNow banner. Select the Impersonate User option.
c. Examine the User menu in the ServiceNow banner. You should now be Abel Tuter.
d. In the Application Navigator filter field type NeedIt. Abel should not see the NeedIt
application or modules. If you see something else, debug and re-test.
a. Beth should see the NeedIt application and two modules. If you see something else,
debug and re-test.
b. Open the My NeedIt Requests module. Does Beth see only her NeedIt requests? If not,
debug and re-test.
Do you think Fred Luddy can see the NeedIt application? If so, which modules should Fred be
able to see?
a. Fred should see the NeedIt application and all four modules. If you see something else,
debug and re-test.
b. Open the All module. Can Fred see all the NeedIt records? If not, debug and re-test.
c. Open the My NeedIt Requests module. Does Fred see only his NeedIt requests? If not,
debug and re-test.
Answers
Question: There is already a role in the Roles section of the NeedIt Admins group. Where did
this role come from?
Question: Why did you create the groups in the main ServiceNow browser window and not in
Studio?
Answer: Groups are not application files. Groups are part of ServiceNow User administration
and not part of scoped applications. Roles, however, are scoped application files.
Question: The roles from the NeedIt Users group were inherited by the NeedIt Admins group.
Were the NeedIt User group users also inherited?
Answer: No. Roles are inheritable by a group but users are not.
When creating tables in scoped applications, you must assign a role to the table. Specify the User
role in the Controls section of the table form. You can dynamically create a new role or assign an
existing role.
For all scoped application tables, the Create access controls option is selected and is read-only.
The combination of Access Controls plus roles provide the minimum amount of security to
protect a table’s records against unauthorized access. In the default case, only users with the
table’s role can create, read, update, and delete table records.
Access Controls restrict access to data by requiring users to pass a set of requirements. Access
Controls define:
Access Controls are automatically created when tables are added to scoped applications. The
four default Access Controls grant access to the table’s records. Permission is granted for
these operations:
Create
Read
Write
Delete
To be granted access by the default Access Controls, a user must have the User role specified for
the table.
ServiceNow is default deny unless configured otherwise. Permission must be explicitly granted
by Access Controls for a user to have access to records and record fields
Elevate security privileges in the main ServiceNow browser window (not Studio). Open the User
menu in the banner and select Elevate Roles.
In the Elevate Roles dialog, select security_admin then click the OK button.
Records
Processors
REST Endpoints
UI Pages
Table/field
Requires Role
Condition
Script
In order for permission to be granted to access a table/field, the Requires Role, Condition, and
Script sections must all return true. If there is no value, the section returns true.
Use the Name field in the Access Control configuration to specify which records and which field
are secured. In the example, the Access Control grants write access to the NeedIt table’s
Requested for field.
Requires Role
Use the Requires role list to specify the role(s) required to access records. Click the Insert a new
row… line to add a role to the list. If there are multiple rows in the list, the user must have only
one of the roles for Requires Role to return true.
Condition
Use the Condition field to create the condition(s) required to grant access. In this example, the
Requested for value must be the currently logged in user.
The condition is tested dynamically and the number of matching records in the database is
reported. Click the link to open a list of matching records in a new tab. Click the double arrow
icon to refresh the count.
Script
Restrict the script logic only to security-related logic. If other logic is included, such as
managing date formats or validating record data, it can be difficult to debug problems in the
future as you might not think to look in Access Control scripts for those actions.
GlideRecord: isNewRecord()
Access Control scripts must set the answer variable to true or false.
answer = true;
else{
answer = false;
When deciding whether to grant or deny access, the ACL is searched from the most specific to
the most generic match. For example, when determining whether to grant access to the NeedIt
table Short description field, the search order is:
When Access Controls are submitted or updated The Access Control Configuration Watcher runs
to determine if there are other Access Controls acting on the same set of records. The Access
Control Configuration Watcher displays a list known as the execution plan. The results are
indicated by:
Masked: An Access Control that was effective until you made a change.
Unmasked: An Access Control that was made effective when you made a change.
The Access Control Configuration Watcher also indicates whether the Access Control affects
table rows or fields.
To * or Not to *
The Name field in an Access Control specifies the table records to protect and a field to protect.
The field list has a –None– option and a * option.
At first glance, –None– and * seem to grant the same thing: access to all fields on a record. To
tell the difference in behavior, you need to see how –None– and * work together and with other
Access Controls.
Demonstration Setup
The examples use an application called Generic that has a single table called Table. Table has
five columns: Field 1, Field 2, Field 3, Field 4, and Field 5.
–None– without *
Examine the two read Access Controls. Pay attention to the field value and the roles. The
screenshots have been edited to show only the pertinent parts of the Access Control.
The None Access Control granted all rows and all fields to both Fred and Beth.
The Field 3 Access Control granted Field 3 access to Fred. Giving Field 3 explicitly to
Fred removed Field 3 access from Beth even though she was granted Field 3 access by
the None Access Control.
–None– with *
Examine the three read Access Controls. Pay attention to the field value and the roles. The
screenshots have been edited to show only the pertinent parts of the Access Control.
The None Access Control granted all rows and all fields to both Fred and Beth.
The * Access Control granted all rows and all fields to Fred. It seems redundant to have
this Access Control because Fred already had access to all rows and all fields. The
The Field 3 Access Control explicitly gives Beth access to Field 3 even though Beth was
denied access to Field 3 by the * Access Control. Field-specific Access Controls take
precedence over * Access Controls.
Conclusions
You cannot write * Access Controls without None because only None grants access to records.
When writing an ACL that mostly grants access, use only None.
When writing an ACL that mostly denies access, use None and *.
To enable Access Control debugging, use the Application Navigator in the main ServiceNow
browser window (not Studio) to open System Security > Debugging > Debug Security Rules.
The Debug Security Rules module runs a script that enables writing all Access Control
debugging information to the bottom of each page in the content frame.
Only admin users have access to the Debug Security Rules module. In most cases, Access
Controls need to be debugged for users other than the admin user. After enabling Debug Security
Rules as an admin user, impersonate a user to test their access.
In this example, Beth Anglin is denied access to Field 3 on Table in the Generic application:
The first row states the overall evaluation of the Access Control: Grant or Deny. The Access
Control is a read Access Control for Field 3.
The second row shows the evaluation of the table-level Access Control followed by the field-
level Access Control. In this case both the table-level and field-level Access Controls are shown
to make it clear which Access Control denied access.
Blue: The rule did not have to be re-evaluated because the result is already in the cache
Gray: Not evaluated, typically because part of the rule has already denied access
X: Failed
The system-level access check is not part of an Access Control. It runs before Access Controls
are evaluated and looks for system/runtime reasons why a user should or should not be granted
access. For example, Delegated Development grants developers permission to create only certain
types of application files. Fred might be able to create Business Rules but Beth cannot.
Permission to create application files in a Delegated Development environment is not controlled
by Access Controls and is determined at runtime by a system-level access check.
Look again at the Field 3 Access Control for Beth. Her access to Field 3 was denied by the role
on the field-level Access Control even though the table-level Access Control granted access. The
condition and script on the field-level Access Control were not evaluated because the role denied
access.
To disable Access Control debugging use the Application Navigator in the main ServiceNow
browser window to open System Security > Debugging > Stop Debugging. If you have
impersonated a user, impersonate the System Administrator to disable Access Controls.
SURESH SNOW Page 32
DEVELOPER TIP: The Admin overrides option in Access Control configuration grants access
to the admin user even if the admin user doesn’t meet the requirements of the Access Control.
Use caution when testing Access Controls as the admin user as it may not be indicative of the
Access Control’s behavior.
To debug the Access Controls for a single field rather than the entire content frame, with Debug
Security Rules enabled, open the table’s form.
A Debug icon ( ) appears next to each field. Hover over the Debug icon to see how many
Access Control messages there are for the field. Click the Debug icon to see the Access Controls
for that field. This strategy, obviously, cannot be used to debug fields that are hidden by Access
Controls.
Preparation
1. In Studio, use the Application Explorer to open Data Model > Tables > NeedIt.
a. In the main ServiceNow browser window (not Studio), open the User menu and select
the Impersonate User option.
c. Select beth.anglin.
In the Application Navigator, type NeedIt in the Filter field. Note that Beth can see only two
modules: Create New and My NeedIt Requests. Beth cannot see the Open or All modules.
In the Application Navigator, paste the value from the clipboard and type .list at the end of the
name. It will look something like this:
Typing a table name followed by .list in the Application Navigator Filter field opens the list of
table records. In the previous lab, you removed Beth’s access to the All and Open modules. If
Beth knows how to use .list, she can still see the records you didn’t intend for her to access. As
you can see, module permissions alone cannot protect a table’s records. Use Access Controls to
protect table records.
a. Open the User menu in the banner and select Elevate Roles.
d. If Studio was already open, you may need to reload Studio using the browser’s reload
button for Studio to detect the elevated privileges.
If the NeedIt application is not open in Studio from the last exercise, open it now.
. In the main ServiceNow browser window use the Application Navigator to open System
Applications > Studio.
Open the create Access Control and examine the configuration. Note the table, field (if any),
description, and the role.
Open the read, write, and delete Access Controls and examine the configurations.
QUESTION: The descriptions for the Access Controls all say Default access control. When and
how were the default Access Controls created? If you aren’t sure, scroll to the Answers section at
the bottom of this page.
In this part of the exercise you will modify the default read Access Control to grant full read
access only to the application’s admin role.
2. Scroll to the Requires role section and click the Mark deleted button ( ) for the
x_<app scope>_needit.needit_user role.
4. Type x_ in the search field and select the x_<app scope>_needit.admin role from the
list.
In this part of the exercise you will create an Access Control to allow users with the needit_user
role to view records where they are the Requested for.
b. In the Filter… field enter the text Access OR select Access Control from the categories
in the left hand pane.
c. Select Access Control in the middle pane as the file type then click the Create button.
Type: record
Operation: read
. Scroll to the Requires role section and double-click Insert a new row….
a. Type x_ in the search field and select the x_<app scope>_needit.needit_user role from
the list.
Add a condition requiring the currently logged in user to be the Requested for value.
Examine the Access Control Configuration Watcher to see if other Access Controls are affected.
Testing
1. In Studio, switch to the NeedIt table tab. If the NeedIt table tab is not still open, use the
Application Explorer to open Data Model > Tables > NeedIt.
4. In the Application Navigator, paste the value from the clipboard and type .list at the end
of the name.
5. Press the <return> key on the keyboard. You should see something like this. The total
number of records and number of records removed will vary depending on the records in
your instance.
6. Open one of the records from the list and verify that Beth is the Requested for. If not,
debug and re-test.
8. In the Application Navigator filter field paste the value from the clipboard followed by
.list. Press the <enter> key.
9. Fred should be able to see all the NeedIt request records without constraint. If not, debug
and re-test.
Answers
Answer: In scoped applications, creating a table also creates a set of four Access Controls:
create, read, write, and delete.
Scripting Security
Both the client-side and server-side APIs have methods for scripting security.
hasRole()
hasRoleExactly()
hasRoleFromList()
hasRoles()
The client-side API methods can be used in any client-side script such as Client Scripts and UI
Policy scripts. Client-side security is the easiest security to break. Do not depend on client-side
scripts to secure sensitive data.
getUser()
getUserID()
getUserName()
hasRole()
isLoggedIn()
isInteractive()
getSession()
The server-side GlideElement API has methods to check whether a user’s role allows them to
access the associated GlideRecord(s):
canCreate()
SURESH SNOW Page 39
canRead()
canWrite()
The server-side methods can be used in any server-side script such as Business Rules or Script
Includes. Server-side scripted security is more secure than client-side scripted security. Any user
with access to scripting fields can see the scripts and see what the security checks are.
Neither client-side nor server-side scripts are part of the Debug Security Rules module. When
security is scripted outside of Access Controls, it must be debugged independently of the Access
Controls.
For the highest level of security, use Access Controls to protect sensitive data.