Contextual Security Manager

  • Release version: Yokohama
  • Updated June 3, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Contextual Security Manager

    The Contextual Security Manager enhances data protection by controlling read, write, create, and delete authorizations within ServiceNow. It leverages awareness of the system table hierarchy to apply security rules contextually based on where fields appear, enabling fine-grained access control that is record-content aware and hierarchical.

    Show full answer Show less

    Key Features

    • Contextual Security: Secure records based on their contents, providing dynamic and precise access control.
    • Hierarchical Security: Apply security rules at any level of the object hierarchy for comprehensive coverage.
    • Field and Table Security via ACLs: Unlike the legacy Simple Security Manager, roles assigned to dictionary entries are ignored. Instead, access control is enforced strictly through ACL rules on fields and tables.
    • Role Management Changes: Roles assigned directly on user records are no longer checked or visible. Roles must now be managed through the Roles related list. Group role inheritance continues, respecting the inherits flag.
    • Application and Module Security: Access continues to be controlled via role arrays specifying required roles for viewing.
    • Catalog Item and Variable Security: Roles required for access remain defined through role arrays.
    • Role Management Plugins:
      • Contextual Security: Role Management - Provides core contextual security capabilities and is installed by default.
      • Contextual Security: Role Management V2 - Addresses duplicate user role entries caused by inheritance and is recommended for upgrades.
      • Role Management Enhancements - An earlier plugin version without audit verification scripting.
    • Audit Role Changes: After activating Role Management V2, configure the system property glide.rolemanagement.v2.auditroles to enable auditing of role changes.
    • Security Attribute Conditions (from Vancouver release): ACL rules can include Security Attribute Conditions that evaluate user/session properties such as group membership, authentication status, and network location. These conditions can be defined locally on an ACL or reused from existing conditions across multiple ACLs.

    Practical Implications for ServiceNow Customers

    • To maintain security after installing the Contextual Security Manager, customers must switch from dictionary-based role assignments to ACL-based security configurations for fields and tables.
    • Role assignments for users and groups must be managed via related lists rather than directly on user/group records, aligning with the new security model.
    • Activating the Role Management V2 plugin is advisable for improved role inheritance handling and to prevent duplicate role entries.
    • Enabling audit logging for role changes helps maintain compliance and traceability.
    • Using Security Attribute Conditions provides advanced, context-aware access control leveraging session and user attributes beyond static roles.

    Contextual Security Manager protects your data by controlling read, write, create, and delete authorization.

    Key advantages

    The Contextual Security Manager is aware of the system table hierarchy, enabling you to create specific security rules for a field based on where in the hierarchy it is displayed. Benefits of the Contextual Security Manager include:

    • Contextual security: Secure a record based on the contents of the record.
    • Hierarchical security: Apply security rules to any level in the object hierarchy.

    Securing fields and tables

    With the legacy Simple Security Manager, you could secure fields and tables by adding roles to the appropriate dictionary entry. With the Contextual Security Manager, these dictionary roles are no longer tested. Instead, the system looks for ACL rules on fields and tables.

    Warning:
    After you install the Contextual Security Manager, you must secure fields and tables via ACL rules. Even if you Configuring the form layout the dictionary form and add roles to a dictionary entry, no change in rights occurs.

    Contextual security and roles

    You can grant roles to users or groups. However, after installing the Contextual Security Manager, the roles field on the user record is no longer checked and no longer appears on your user and group forms. Instead, you must add roles to the Roles related list instead of to the user or group record.

    Applications and modules contain lists of the roles required to view them. For example, to view the System Definition application, the admin role is required. Security rights for applications and modules are still defined using role arrays.

    Both catalog items and catalog variables contain lists of the roles required to view them. Security rights for catalog items and catalog variables are still defined via these role arrays.

    Under the Contextual Security Manager, a group still automatically inherits any role granted to the group when the inherits flag for the role is set to true.

    Activating the Contextual Security Manager

    The Contextual Security Manager is active in the base system. If there are many duplicate entries in the User Roles table, you may need to upgrade to Contextual Security: Role Management V2 to eliminate duplicate roles. Plugins include:

    Contextual Security: Role Management [com.glide.role_management]
    Provides contextual security functionality. This plugin is automatically installed.
    Contextual Security: Role Management V2 [com.glide.role_management.inh_count]
    Prevents duplicate entries caused by inherited roles in the User Roles [sys_user_has_role] table. This plugin is automatically installed on new instances and can be activated for upgrades. The Contextual Security: Role Management Enhancements plugin is a previous version of this plugin. The Role Management Enhancements plugin does not include the RoleManagementVerify() script. This script returns a list of changes that an upgrade will perform, enabling you to monitor changes made by the plugin.
    Note:
    After activating Role Management V2, you must set the glide.role_management.v2.audit_roles system property to allow the Audit Roles table to create audit records related to user roles. To learn more about setting this property and about the Audit Roles table, see:

    Security Attribute Conditions

    Starting with the Vancouver release, ACL rules support a Security Attribute Condition type in addition to the standard role, condition, and script fields. Security Attribute Conditions evaluate properties of the current user or session, such as group membership, authentication state, or network location, to determine whether access is granted.

    Security Attribute Conditions can be defined as local or existing:

    Local
    The condition is saved only to the ACL where it is created. Conditions default to local.
    Existing
    The condition references a Security Attribute condition already defined on another ACL, enabling reuse across multiple rules.

    For a complete list of built-in security attribute types and configuration details, see Security Attributes fundamentals and Security Attribute Scope.