Restrict access to emails with empty target table (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024

    Activate the glide.email.email_with_no_target_visible_to_all property to restrict user access to emails, unless they sent the email or have the admin role.

    Unauthorized users are able to access emails in the Emails [sys_email] table that are missing a target record. Instead of enforcing ACLs on email entries, this property restricts access only to the email sender and users with the admin role.
    Note:
    Emails sent to and received by the instance appear in the Emails [sys_email] table. However, only received emails that were marked with an Error and Ignored state should have an empty target table.

    More information

    Attribute | Description
    Property name | glide.email.email_with_no_target_visible_to_all
    Configuration type | System Properties [sys_properties]
    Configure in Instance Security Center | Yes
    Purpose | To block the email client from showing emails when the user is not authorized to access them.
    Recommended value | false
    Functional Impact | Users are no longer able to see emails where the target table is empty unless they are an admin or were the sender of the email.
    Security risk | (Medium) If the property is not enabled, unauthorized users are able to access any email where the target_table field is empty.
    References

    Advanced email properties

    https://support.servicenow.com/kb_view.do?sysparm_article=KB0690043

    To learn more about adding or creating a system property, see Add a system property.
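
An offline audit of this setting, added here as an example and not ServiceNow's own code: it checks the property against the recommended value and, following the Note above, flags emails with an empty target_table that are not received emails in an Error or Ignored state. The JSON shape (a Table API style "result" list), the type and state field names, and their stored values are assumptions, and the sample records are constructed.

```python
PROPERTY = "glide.email.email_with_no_target_visible_to_all"
RECOMMENDED = "false"  # recommended value stated on this page
# Assumption: stored values for the Error and Ignored states.
EXPECTED_STATES = {"error", "ignored"}

# Constructed sample data shaped like exports of sys_properties and sys_email.
SAMPLE_PROPERTIES = {"result": [{"name": PROPERTY, "value": "true"}]}
SAMPLE_EMAILS = {"result": [
    {"sys_id": "e1", "type": "received-ignored", "state": "ignored", "target_table": ""},
    {"sys_id": "e2", "type": "received", "state": "processed", "target_table": "incident"},
    {"sys_id": "e3", "type": "sent", "state": "processed", "target_table": ""},
    {"sys_id": "e4", "type": "received", "state": "error", "target_table": ""},
]}


def property_finding(properties):
    """Return None when the property holds the recommended value, else a finding."""
    for row in properties["result"]:
        if row["name"] == PROPERTY:
            value = str(row["value"]).strip().lower()
            if value == RECOMMENDED:
                return None
            return f"{PROPERTY} is {value!r}, recommended value is {RECOMMENDED!r}"
    return f"{PROPERTY} is not defined in sys_properties"


def audit_emails(emails):
    """Return (ids with empty target_table, ids among those that the Note does not expect)."""
    empty_target, unexpected = [], []
    for row in emails["result"]:
        if row.get("target_table"):
            continue  # has a target record, so this property does not apply
        empty_target.append(row["sys_id"])
        received = str(row.get("type", "")).startswith("received")
        if not received or row.get("state") not in EXPECTED_STATES:
            unexpected.append(row["sys_id"])
    return empty_target, unexpected


if __name__ == "__main__":
    finding = property_finding(SAMPLE_PROPERTIES)
    empty_target, unexpected = audit_emails(SAMPLE_EMAILS)
    print("property:", finding or "ok")
    print("emails with empty target_table:", empty_target)
    print("not explained by the Error/Ignored rule:", unexpected)
```

Records in the second list are worth reviewing regardless of the property value, since the Note says only received emails in an Error or Ignored state should lack a target table.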