
What is glide.security.allow_unauth_roleless_acl system property?

Community Alums

Hello Everyone,


I just wanted to ask if someone knows what the glide.security.allow_unauth_roleless_acl system property is and what it does.


Thanks


Community Alums

Hello @Community Alums,


The glide.security.allow_unauth_roleless_acl system property controls whether public ACLs (access control lists) in ServiceNow can be accessed by unauthorized/unauthenticated users.

By default it is false, meaning public ACLs require authentication. Setting it to true allows unauthenticated access, which can be useful for public pages/APIs but reduces security.


Regards,

Prasad

Harish Bainsla
Kilo Patron

The glide.security.allow_unauth_roleless_acl system property in ServiceNow is used to control the behavior of Access Control Lists (ACLs) in the platform. More specifically, it determines whether or not unauthorized (unauthenticated) users are allowed to access records when no specific ACL rules are defined for a table.

Here's what it does:

  1. If set to 'true': When this property is set to 'true,' unauthorized (unauthenticated) users can access records for tables with no specific ACL rules. In other words, the system does not enforce access restrictions for records that do not have ACLs defined. This can be a more permissive setting.

  2. If set to 'false': When set to 'false,' unauthorized (unauthenticated) users will be denied access to records for tables with no specific ACL rules. In this case, the absence of a defined ACL rule does not automatically grant access, and explicit ACLs are required for access control.

Anand Kumar P
Giga Patron

Hi @Community Alums,

The glide.security.allow_unauth_roleless_acl system property in ServiceNow controls whether or not people who haven't logged in (unauthenticated users) can access certain data in the system.

Example:

Imagine you have a ServiceNow instance used by your company to manage IT requests. There's a record in the system that contains information about a broken computer. You can control who can see this record:

  1. If glide.security.allow_unauth_roleless_acl is set to true, even people who haven't logged in (unauthenticated users) can see this record because there are no specific rules preventing them from doing so. It's like leaving the door open for anyone to enter.

  2. If glide.security.allow_unauth_roleless_acl is set to false, unauthenticated users won't be able to see the record unless you specifically give them permission. It's like having a locked door that only opens for people who have the right key (authentication).

Thanks,
Anand

SwarnadeepNandy
Mega Sage

Hi @Community Alums,


The glide.security.allow_unauth_roleless_acl system property in ServiceNow controls whether public access control lists (ACLs) can be accessed by unauthorized or unauthenticated users. By default, this property is set to false, meaning that public ACLs require authentication. This helps to protect sensitive data from unauthorized access.

If you set this property to true, then public ACLs can be accessed by anyone, even if they are not logged in to ServiceNow. This can be useful for situations where you need to make public data available to everyone, such as a knowledge base or a customer service portal. However, it is important to note that setting this property to true can also introduce security risks. For example, it could allow unauthorized users to view or modify sensitive data.

Here are some of the considerations to take into account when deciding whether to set the glide.security.allow_unauth_roleless_acl property to true:

  • The sensitivity of the data that is being exposed: If the data is highly sensitive, then it is probably not a good idea to make it publicly accessible.
  • The likelihood of unauthorized access: If there is a high likelihood that unauthorized users will try to access the data, then it is probably not a good idea to make it publicly accessible.
  • The availability of alternative methods for accessing the data: If there are other ways for authorized users to access the data, then there may not be a need to make it publicly accessible.

In general, it is a good practice to keep the glide.security.allow_unauth_roleless_acl property set to false unless you have a specific need to make public ACLs accessible to unauthorized users.

Kind Regards,
Swarnadeep Nandy
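As an added illustration that is not part of any reply above and is not ServiceNow's own ACL engine, the following plain JavaScript models the decision the replies describe: an ACL that names roles never admits an anonymous requester, while an ACL that requires no role ("roleless") admits one only when glide.security.allow_unauth_roleless_acl is true. The ACL records, table names and the `allowUnauthRoleless` flag are constructed for the example; the point of the `unauthExposure` helper is the check a defender wants before flipping the property on an instance, namely a list of exactly which table/operation pairs an unauthenticated request would newly reach.

```javascript
// Added example: a toy model of how the thread describes
// glide.security.allow_unauth_roleless_acl gating unauthenticated access.
// Not ServiceNow code; the ACL data below is constructed for illustration.

// Constructed sample ACL records (not from any real instance).
// "roles" lists the roles an ACL requires; an empty list makes it "roleless".
const SAMPLE_ACLS = [
  { table: "kb_knowledge", operation: "read", roles: [] },        // roleless
  { table: "incident",     operation: "read", roles: ["itil"] },  // role required
  { table: "sc_cat_item",  operation: "read", roles: [] },        // roleless
  { table: "sys_user",     operation: "read", roles: ["admin"] }, // role required
];

// Decide whether one requester passes one ACL under a given property setting.
//   acl:        { table, operation, roles }
//   user:       { authenticated: boolean, roles: string[] }
//   properties: { allowUnauthRoleless: boolean }  (models the system property)
function isAllowed(acl, user, properties) {
  if (acl.roles.length > 0) {
    // An ACL that names roles: the requester must be logged in and hold one.
    // The property plays no part here.
    return user.authenticated && acl.roles.some((r) => user.roles.includes(r));
  }
  // Roleless ACL: any authenticated user passes; an unauthenticated requester
  // passes only when the property is true (the "open door" in the replies).
  return user.authenticated || properties.allowUnauthRoleless;
}

// Audit helper: which table/operation pairs does an anonymous requester reach
// under each setting of the property, and which are exposed only by "true"?
function unauthExposure(acls) {
  const anonymous = { authenticated: false, roles: [] };
  const key = (a) => `${a.table}.${a.operation}`;
  const whenFalse = acls
    .filter((a) => isAllowed(a, anonymous, { allowUnauthRoleless: false }))
    .map(key);
  const whenTrue = acls
    .filter((a) => isAllowed(a, anonymous, { allowUnauthRoleless: true }))
    .map(key);
  return {
    whenFalse,
    whenTrue,
    // Pairs reachable anonymously solely because the property is true.
    newlyExposed: whenTrue.filter((k) => !whenFalse.includes(k)),
  };
}

// Stand-alone run: print the exposure diff for the constructed ACL set.
console.log(JSON.stringify(unauthExposure(SAMPLE_ACLS), null, 2));
```

Running this prints an empty `whenFalse` list and two roleless entries under `whenTrue`, which is the review you would want of real ACL data before enabling the property. On an instance, the equivalent input would come from the ACL table (sys_security_acl) and its role assignments rather than from `SAMPLE_ACLS`; that mapping is an assumption of this example, not something the thread states.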