Scripting Governance Tool

Martin Rudack · ‎08-05-2025

Disclaimer – This article is part of a series exploring the new features and capabilities introduced in the Zurich release. Since we’re still in the Early Availability (EA) phase, things may change before General Availability (GA). After GA, these articles will be reviewed and updated as needed. Also, this message will be removed.

Do you have a process in place to prevent the wrong people from scripting in your instance? I mean, are you absolutely sure your current setup can easily restrict access to script and script-like fields, and only specific users are not automatically blocked to write scripts at all, no matter on which table those fields exist?

If you can't confidently answer "yes," then this article is for you.
And even if you can answer “yes,” you might still want to keep reading because with the Scripting Governance Tool, introduced in the Zurich release, ServiceNow now provides an easy, centralized way to govern and manage permissions for all script-like fields in one place.

The Scripting Governance Tool provides two main benefits:

A clear overview of users who are not blocked from writing to script or script-like fields.
An easy process to block users from writing to script and script-like fields in general

Technically, the solution is built on Datatype ACLs, which were also introduced in the Zurich release. If you have not heard about datatype ACLs yet, check out my article: Datatype ACLs

The Scripting Governance Tool combines these new ACLs with the deny-unless feature to restrict write access across all script-like fields.

If you don’t pass these new ACLs, you can’t write to script fields.

If you do pass them, you’re not completely off the hook. You still need the correct permissions for the specific field you're trying to edit.

Think of it like this:

As @David Skowronek explains in his great article about the Need-to-know Principle, the Scripting Governance Tool builds a fence with a single entry point around your house. To do any scripting, users need to pass through the main gate of the fence. But even after entering, you still need a key to unlock the door for a specific script field.

sec attribute.png

Access is controlled by the HasRequiredScriptingRole security attribute, which can be satisfied if a user has the role snc_required_script_writer_permission. This role is assigned via the Conditional Script Writer group. Additionally, all users will pass the gate as long as the initial provisioning job is still running.

The Scripting Governance Tool Dashboard

You can access the Dashboard via:

All > System Security > Scripting Governance Tool

The dashboard provides an overview of the users that are part of the Conditional Script Writer Group and it provides a process to decide which user should stay in the group and removes the others.

You need to elevate the security_admin role to access the Scripting Governance Tool.

You can manage the group membership manually or you can get support from the system that scans which user of the group changed scripts within the last X days.

Click Scan for scripting users to start a job that checks which users in the group have modified records containing script fields within the specified time range.

If you are interested in the technical implementation of the scan, you can start at the Script Include SGTScan.

Once the scan completes, you’ll get a breakdown of the members of the Conditional Script Writer Group divided into users that have scripted and users that have not scripted.

By default, users with no recent scripting activity are the users that should be removed from the group. You can still move users between these two groups when clicking Manage conditional script writers.

On the Keep list you can select users and click Add to remove list and on the Remove list you can select users and click Add to keep list.

Once you are happy with both lists you can hit Schedule removal on the Remove list tile.

The created removal job removes the users from the group and additionally removes the role from the users, just in case the role was directly assigned to the user.

In case you want to manage the Conditional Script Writer Group without the scan, you can use the Manage scripting access button within the Manual Configuration tile on the dashboard.

On the dialog you must select the users you want to keep in the Conditional Script Writers Group. Just click Next and you will get to the same overview of the Keep list and the Remove list.

The dashboard also includes an option to auto-assign all new users to the Conditional Script Writer Group. But it is not recommended to activate this option. For me, it was not even possible to activate it because of the following error:

Once you upgrade your instance to Zurich, the Scripting Governance Tool is enabled by default. To prevent breaking anything, the system runs an initial provisioning job which will add every user with at least one role to the Conditional Script Writer Group.

Lisa Silvaroli · ‎09-23-2025

Is there a way to see what the users actually scripted?

Martin Rudack · ‎09-24-2025

No, you don't see it.

The scan populates the Table "sgt_scan_result" only with the name of the User who scripted, and the last date.

If you are interessed in what the scan actually does you can start with the script include "SGTScanJob".

LVdV

Why is there only one role when we are talking about different field types? If you want to enable HTML fields for knowledge, publications, demands, ... , then you also allow scripting fields for those users.

The implementation of this tool seems very flawed. I don't understand forcing it with the Zurich upgrade, and why a review task is not included in the migration tasks of the Zurich release:

Pre- and post-upgrade tasks for various products

The docs do not even mention HTML fields, so we disabled the auto-assignment only to notice during UAT that all HTML fields were blocked. Mind boggling.

justin_anonuevo

I second the major issue with this an HTML fields. Those are part of our daily lives. If your trying to say, "You should know who can script", but then add "HTML, a common field used by normal users also counts", then the whole answer is "Everyone can. If you try to restrict it, you will prevent people from doing their jobs.".

In my testing, modifying HTML does not trigger a finding in a scripting scan, then why gate it? With a read only ACL??

mukesh_adh

This is posing a major issue with HTML fields for non-admin users. Was this not thought through during the design of this? I'm sure security best practice would recommend this script writer role should only be assigned to admins?

Richard48

We have just upgraded and found this feature which as it states is about "scripting" so we removed people who should not be scripting only to find the issues those above have mentioned that because there is a read only acl for *.[html] people can no longer update any html field eg cause notes on problems, Acceptance criteria and many more. is there a solution other then giving them this role ?

LVdV

From a security standpoint:

- Scripts can be injected through HTML fields and are therefore guarded by the same protection as script-type fields. (Verbatim quote from the product team)

- Access to one script-like field (this includes HTML fields) is as great a security risk as access to all script-like fields. (You only need one open door to enter a house.)

Considering these 2 statements, you can provide the role snc_required_script_writer_permission to any user needing to write to even only one HTML field.

It's not so much about allowing access to script-like fields, rather than denying access to them. In case a misconfigured ACL allows end-users access to script-like fields, you still have this catch-all layer above it to deny access.

justin_anonuevo

Replying to LVdV:

- Scripts can be injected through HTML fields and are therefore guarded by the same protection as script-type fields. (Verbatim quote from the product team)

This is the importance of Defense in Depth. You can inject SQL through inputs, thats why you sanitize your inputs. That can be through containment (such as escaping key characters or phrases) or through removal. ServiceNow already has a robust system to remove scripting from HTML blocks.

If you are protecting the platform, containing or removing javascript would work.

If you are protecting other users, its generally going to be removal.

- Access to one script-like field (this includes HTML fields) is as great a security risk as access to all script-like fields. (You only need one open door to enter a house.)

Wrong. This is the importance of defense in depth. Access to the front of the shop is not the same as access to the safe. There are places all over the platform where end users run javascript, including filters (not the dynamic ones, but for example, dates). It doesn't mean some scripting has 0 risk, every script field has some risk. But we do not group all scripting together.

What is also important is that we create proper and meaningful security and logging. If we classify people who update problems in the same class as people who write user criteria, that is major problem. You need to keep them separate as scripting user criteria has little restriction (!!) so you will need to secure that far more.

Considering these 2 statements, you can provide the role snc_required_script_writer_permission to any user needing to write to even only one HTML field.

I know that ACLs still play a role, but this layer adds no value (and more complication) if it does not distinguish between high risk activity (user criteria) and extremely common, low risk, business required activity like updating a KB or problem's workaround. In this case we would just grant the role to all our users, as they all have access to some record which uses an HTML field. So now it provides no protection.

It's not so much about allowing access to script-like fields, rather than denying access to them. In case a misconfigured ACL allows end-users access to script-like fields, you still have this catch-all layer above it to deny access.

But if we have to give access to this to all our users. Then this does nothing. It sounds like it intends to be a good tool based on broad principles, but every implementation has to be rooted in real world use cases. This harkens back to the old adage: The most secure system is the one no one can log into. Every security rule must be rooted in real world usability. If it doesn't follow business needs, it doesn't add value, it will just cause issues.

And I want to make something clear. There will be use cases for this tool. The act of having the field type ACLs and the scripting governance tooling isn't bad. There are 2 problems making this a bad implementation:

The ACL for HTML and this role is read only. We have no ability to manage this for our implementation. So instead of having some value where we need it. It has no value. If we could just disable this specific ACL and remove HTML from the governance tool. There would be no problems and let organizations who need that keep it.
The scripting governance tool hold no value to HTML unless we can see where real scripts are injected into HTML. In those cases, since that isn't the intent of the HTML field (it strips scripts), the answer shouldn't be "add it to a list" when its found, it should be "prevent it" since it could clearly find it to add it to the list.