Enable ACLs for Encoded Query in Simple List Widget [New in Security Center 2.0]
Learn how to set the glide.service_portal.enable_acls_for_encoded_query_in_list property to the secure value to prevent users from bypassing access control list (ACL) evaluations on a query condition in the Simple List Widget.
When the glide.service_portal.enable_acls_for_encoded_query_in_list property is not set to the secure value of true, a user may be able to bypass access control list (ACL) evaluations on a query condition in the Simple List Widget. If the property is set to false, it reverts to previous behavior, enforcing ACL checks for an encoded query based on the enforce_acl checkbox value.
It is a best practice to evaluate ACLs within queries to ensure that a user has access to the fields being queried, thereby preventing unauthorized data leakage.
Ensure that the glide property glide.service_portal.enable_acls_for_encoded_query_in_list is set to true. If the property does not exist in the sys_properties table, the default value is true.
More information
| Attribute | Description |
|---|---|
| Configuration name | com.glide.script.fencing.cross_scope_access.shared_table_support |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | string |
| Recommended value | true |
| Default value | true |
| Category | Access control |
| Security risk |
|
| Dependencies and prerequisites | None |
| Functional impact | The Simple List Widget may not display any data depending on the user's role and the underlying ACLs. Additionally, users might encounter security warnings if the Simple List query contains filter conditions with properties that are not accessible to the current user. |