Learn how to configure the glide.service_portal.widget.allow_list property securely so that the access control lists (ACLs) for the tables do not expose sensitive information.

The glide.service_portal.widget.allow_list property identifies the widgets that can access any table within the instance. However, the access control lists (ACLs) for these tables will continue to apply. If the ACLs are incorrectly configured or absent, widgets on this list might enable access to these tables, potentially exposing sensitive information. This property is effective only if the widget uses SNCACLWidgetUtil and the glide.service_portal.widget.enforce_public_check property is enabled (set to true).

More information

Attribute: Description
Configuration name: glide.service_portal.widget.allow_list
Configuration type: System Properties (/sys_properties_list.do)
Data type: array
Recommended value: Empty
Default value: Empty. Some customer instances might already contain values.
Category: Access control
Security risk:
  • Severity score: 3.7
  • CVSS score: Low
  • Security risk details: Not configuring this property to the recommended values could enable widgets to access any table within the instance.
Dependencies and prerequisites: For the glide.service_portal.widget.allow_list setting to be applicable, the glide.service_portal.widget.enforce_public_check property must be set to true.
Functional impact: This property enables customers to access any table information if the widget is set to public and is included in the property's value.
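
An added example (not ServiceNow code): an offline JavaScript audit of the conditions described above, flagging allow-listed widgets that are also public so the ACLs on the tables they read can be reviewed. It assumes the allow list is stored as a comma-separated string of widget identifiers and that widget records are supplied as { id, public } objects exported from the instance; both shapes are assumptions, and the sample data is constructed.

```javascript
// Added example, not ServiceNow code. Assumptions: the allow list is a
// comma-separated string of widget identifiers; widgets are {id, public} records.
const ALLOW_LIST = 'glide.service_portal.widget.allow_list';
const ENFORCE = 'glide.service_portal.widget.enforce_public_check';

function parseAllowList(raw) {
  // Tolerate whitespace, empty items and a missing property.
  return String(raw || '').split(',').map((s) => s.trim()).filter(Boolean);
}

function auditWidgetAllowList(props, widgets) {
  // The allow list only takes effect when enforce_public_check is true.
  const applicable = String(props[ENFORCE] || '').trim().toLowerCase() === 'true';
  const entries = parseAllowList(props[ALLOW_LIST]);
  const byId = new Map(widgets.map((w) => [w.id, w]));

  const findings = entries.map((id) => {
    const widget = byId.get(id);
    if (!widget) return { id, status: 'unknown-widget' };
    if (!applicable) return { id, status: 'listed-but-inactive' };
    // Public and allow-listed: table ACLs are the only remaining control.
    if (widget.public) return { id, status: 'review-table-acls' };
    return { id, status: 'listed-not-public' };
  });

  // Recommended value for the allow list is empty.
  return { applicable, matchesRecommended: entries.length === 0, findings };
}

// Constructed sample data, not taken from a real instance.
const sampleProps = {
  [ENFORCE]: 'true',
  [ALLOW_LIST]: 'example-public-widget, example-internal-widget, ,missing-widget',
};
const sampleWidgets = [
  { id: 'example-public-widget', public: true },
  { id: 'example-internal-widget', public: false },
];

console.log(JSON.stringify(auditWidgetAllowList(sampleProps, sampleWidgets), null, 2));
```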