ACL
i want to create an acl that allows only people of comment_editor group to edit the comments field and it should not affect admin roles
Forum Posts
Unable to Access PDI Due to Lost Passkey and Missing MFA Email Verification
Hi Community,I recently faced an issue where I enabled MFA on my PDI, but I lost access to the passkey, and the email account is not properly configured to receive verification codes.However, I also tried disabling MFA via API, but this approach did ...
Locked out of PDI due to lost Windows Hello / FIDO2 passkey and email MFA code not arriving
Hello everyone,I am locked out of my Personal Developer Instance. I previously logged in using Windows Hello / FIDO2 passkey MFA. I believe the passkey was created on an old work laptop that has since been wiped, so I no longer have access to that p...
Resolved! What's wrong with processors?
ServiceNow doesn't want people making new sys_processor items. I understand that they can be problematic, but so can the proposed replacement (scripted REST APIs, which are just an extension of processors BTW). They provide a simple and efficient way...
Resolved! Scheduled Background Script – GlideRecordSecure() not updating Incident HTML Description field
Hello!I have a scheduled background script that updates the incident.description HTML field.Now I've read about ServiceNow scripting governance tool and I have added the admin user and all required users the snc_required_script_writer_permission role...
Resolved! Locked out of PDI - MFA Authenticator app code required, no access to app
Hi Community,I am locked out of my Personal Developer Instance (PDI) - dev563738.service-now.comThe login page is asking for an authenticator app code (MFA), but I no longer haveaccess to the authenticator app.I tried:- Logging in via /login.do- Remo...
User table access to External users
Hello community,We have a use case and need to follow best practice and thought of checking with experts here about building something if it would be a reasonable approach considering the platform architecture.In our User table 'sys_user', we have In...
Enable New Users to Set Their Password via Email Link
Overview:When a new user account is created in ServiceNow, it is often necessary to allow the user to set their password securely for the first time.Instead of manually assigning passwords or asking administrators to reset them, we can automatically ...
Can we inactivate all the OOB 'Delete' Acls for some specific tabels which includes OOB tables also?
Hello,I have a requirement where we are restricting the 'delete' action for all the users in our instance and on all the tables which includes custom as well as OOB tables (eg. sys_attachment, sys_user, sys_user_has_role, sys_script, sys_user_role, i...
What's your biggest ServiceNow security blind spot?
Working on a project to map out the most common security gapsin ServiceNow instances. From what I've seen across audits:• ACLs that silently fail open• REST API endpoints exposed without proper auth• System properties left in debug/insecure defaults•...
Difference between getMessage and new GwtMessage().getMessage()
I am going to show you what exactly the difference between getMessage and new GwtMessage().getMessage().getMessage() and new GwtMessage().getMessage() both we use in client side to show the sys ui message. but there is some difference.getMessage is o...
Resolved! SSO with OIDC issue with claims
Hi ! I'm actually trying to set up connecting users through an OIDC Identity provider.Here's where I am : - I've configured the identity provider record through a well known configuration url- I've configured the OIDC Provider configuration like belo...
Resolved! Issues with Data Discovery Jobs when running a Full Scan Type(for Privacy/Classification) Yokohama
When creating a data discovery job with a scan type of "Full", we are running into 2 issues. 1. When running a scan on a single table, the scan is not covering all records on the table. It will run a small number, 3 or 4.2. When running larger jobs w...
Read-only service accounts for integrations
I am creating OAuth API endpoints for external clients, specifically for infosec scanning and logging tools like Splunk or Palo Alto SSPM or Valence. I want to I grant the respective service accounts both admin and snc_read_only roles. However I t...
Multi-provider SSO: Login Workaround
We have currently set up 3 IdPs (no default) on our instance. Currently, people SSO'ing to our instance have to use a special link (SSO ID), causing issues. Hitting base url always redirects to login.do, since there's no default set.Another option is...
