Securing system properties

ericgilmore
Tera Guru

I've been asked to only allow Security Admins to have access to System Properties.
I've been asked to encrypt certain System Properties.

Has anyone else done these things?

Where can I find a good recipe for such actions?

Is this a good idea?

Is there already a provision ServiceNow has to do these types of actions to System Properties?

 

-thanks for your help

1 ACCEPTED SOLUTION

ericgilmore
Tera Guru

Well that escalated quickly. What I've learned about System Properties, in my instance at least:

  • system properties are only accessible by those with the "admin" role.
  • system properties also appear to be accessible by app admins as well, i.e. those with knowledge_admin role can see system properties associated with Knowledge.
  • system properties allow for the explicit setting of Read or Write roles, which allow the admin to open certain properties to others, or to remove read/write access for others.
  • if a system property is set as type "Password", the value will be encrypted.

This is pretty much all I needed to know.

Hope this helps others.
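
An added example, not part of the original post: a small JavaScript audit over exported `sys_properties` rows that checks the points listed above (type "Password" for secrets, explicit Read/Write roles). The field names `type`, `read_roles` and `write_roles`, the `password2` type, the name pattern, the allowed-role list and the sample rows are assumptions constructed for illustration.

```javascript
// Added example: audit exported sys_properties rows for weakly protected secrets.
// Assumed row shape: { name, type, value, read_roles, write_roles } (roles comma-separated).
const SENSITIVE_NAME = /(passw|secret|token|api[._-]?key|credential)/i; // assumed heuristic
const ENCRYPTED_TYPES = new Set(["password", "password2"]);            // assumed type values

function splitRoles(csv) {
  return (csv || "").split(",").map(r => r.trim()).filter(Boolean);
}

// Returns a list of findings for one property row (empty list = nothing to report).
function auditProperty(p, allowedRoles) {
  const findings = [];
  if (!SENSITIVE_NAME.test(p.name)) return findings; // only secrets are in scope here
  const type = (p.type || "string").toLowerCase();
  if (!ENCRYPTED_TYPES.has(type)) {
    findings.push("type '" + type + "' stores the value unencrypted");
  }
  if (splitRoles(p.write_roles).length === 0) {
    findings.push("no explicit write roles set");
  }
  const extra = splitRoles(p.read_roles).filter(r => !allowedRoles.includes(r));
  if (extra.length > 0) {
    findings.push("read roles wider than allowed: " + extra.join(", "));
  }
  return findings;
}

// Audits every row and keeps only the ones with at least one finding.
function auditProperties(rows, allowedRoles) {
  return rows
    .map(p => ({ name: p.name, findings: auditProperty(p, allowedRoles) }))
    .filter(r => r.findings.length > 0);
}

// Constructed sample rows (not taken from any real instance).
const SAMPLE = [
  { name: "x_acme.integration.api_key", type: "string", value: "abc123", read_roles: "", write_roles: "" },
  { name: "x_acme.integration.password", type: "password2", value: "****", read_roles: "itil", write_roles: "security_admin" },
  { name: "x_acme.ui.banner_text", type: "string", value: "Hello", read_roles: "", write_roles: "" },
  { name: "x_acme.smtp.secret", type: "password", value: "****", read_roles: "security_admin", write_roles: "security_admin" },
];

for (const r of auditProperties(SAMPLE, ["admin", "security_admin"])) {
  console.log(r.name + ": " + r.findings.join("; "));
}
```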


5 REPLIES

SanjivMeher
Kilo Patron

I don't think that's a good idea. There could be a lot of code already accessing the property. If we restrict it to only allow Security Admins, it may have an impact on existing functionality.

I would create a support case to get a suggestion from ServiceNow. But it doesn't sound right to me. Encrypting is fine for me.


Please mark this response as correct or helpful if it assisted you with your question.

Marcos Kassak
Kilo Sage

Hi @ericgilmore,

 

At the sys properties records you have two fields to be used:

 

MarcosKassak_0-1701893024782.png

 

You can use it and make sure that only someone with security admin or any other particular role that you may have can write/read.

 

As a developer, I use properties whenever I don't want code to contain fixed data such as a sys_id, or when I'm building an app for a customer that needs to change some particular configurations... I understand that there are properties that no one should be changing, and that's why we also added a good Code Review process and Governance around that.

 

Let me know your thoughts so we can discuss a little more about it!

I agree with you and think it would be a bad idea to lock down all system properties to only the Security Admin. I'm going to suggest another more targeted approach to use the available system property attributes as a solution, instead of possibly bricking an instance.
