I want to restrict access so that even the admin cannot view the JKS file uploaded to the **sys_cert
3 hours ago
In most SaaS services, privacy keys or equivalent authentication materials are only viewable at the time of key creation or initial upload through the user interface. After that, they can no longer be accessed, and if lost, the key must be regenerated.
However, ServiceNow does not work this way, which is quite hard to understand.
In any case, this file must be hidden according to our security policy. **No user (including “admin”) should be able to access it within the instance.**
I tried to enforce this using an **ACL**, but it’s not behaving as expected.
The debugging results all show “deny” as expected, but the UI still lets me view the certificate file. Impressive.
Every time I face a security-related challenge like this, I often hear the same response — “try a different approach.” I really hope that’s not the case this time. I’m exhausted. The security team doesn’t want just one possible option — they want all available options.
