Exploring Secrets Management

  • Release version: Yokohama
  • Updated May 5, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring Secrets Management

    ServiceNow Secrets Management enables granular control over access to passwords and digital credentials, tailored to your organization's security requirements. It supports secure creation, storage, and management of secrets such as encryption keys, API tokens, and passwords, enhancing your cybersecurity posture. Admin roles are required to access Secrets Management modules and records.

    Show full answer Show less

    There are two versions available:

    • Secrets Management Core: Included by default at no extra cost, it allows use of secret groups with criteria on standard ServiceNow tables.
    • Secrets Management Enterprise: Requires a ServiceNow Vault license and activation by ServiceNow support. It offers advanced features like granular access controls based on multiple criteria and client-accessible secrets encrypted with customer-held keys.

    Key Features

    • Secret Groups: Organize secrets into groups to apply access policies collectively. Groups can be basic (scope-wide) or criteria-based (filtering by application scope, package, table, column, or record).
    • Instance-side vs. Client-side Secret Groups: Instance-side groups allow the instance to decrypt secrets, while client-side groups use public/private key encryption, where only the client possesses the private key, enhancing security by preventing ServiceNow from accessing the secret keys.
    • Granular Access Controls: Unlike Password2, Secrets Management allows admins to restrict access not just by application scope but also by finer criteria such as tables and columns.
    • Module Access Policies (MAPs): Define instance-level controls like cryptographic key validity for secret groups, ensuring secure and compliant access management.
    • Secure Encryption Scheme: Particularly in client-side secret groups, encryption keys are never stored by ServiceNow, reducing risk exposure.
    • Tables and Data Structures: Secrets Management introduces new tables to store secret groups, criteria, wrapped secrets, and identity groups, and enhances existing cryptographic module tables to support its features.

    Practical Applications

    • ITOM Discovery Security: MID Server transactions require secure authentication, and Secrets Management helps securely manage these credentials to protect the Configuration Management Database updates.
    • Integration Hub Connectivity: Secrets Management simplifies and secures the handling of numerous API credentials needed for automated workflows connecting multiple systems.

    What You Can Expect

    By implementing Secrets Management, your organization gains comprehensive control over sensitive credentials, enforcing strict access policies and leveraging encryption methods that protect secrets even from ServiceNow itself when using client-side groups. This leads to enhanced security for IT operations, integrations, and overall digital credential management, aligning with best practices for cybersecurity governance.

    Use ServiceNow Secrets Management for granular management of access to your passwords to fit your business needs.

    Important:
    Admins must have the role to see modules and records related to Secrets Management. For secrets management role information, see Secrets management roles.

    Select from Core and Enterprise versions of Secrets Management

    Choose from Secrets Management Core and Secrets Management Enterprise depending on your business needs.

    The Secrets Management Core plugin (com.glide.sm.core) is available by default. No installation is required on the instance to use this plugin. The Secrets Management Enterprise plugin is only available with a ServiceNow Vault v1, PROD18537 license. Contact Customer Support for assistance with the Secrets Management Enterprise plugin.

    Secrets Management Core Secrets Management Enterprise
    Secrets Management Core is available by default to install on your instance at no additional cost. The plugin provides the ability to use secrets groups with criteria in non-custom tables provided in the ServiceNow platform that have been created by ServiceNow application engineering teams. Secrets Management Enterprise includes additional functions to help admins create and manage secrets groups. Enterprise provides the following features in addition to the features listed in Core.
    • Use granular access controls to create secrets groups based on any of these criteria:
      • Scope
      • Package
      • Table
      • Column
      • Record
    • Create client-accessible secrets that are encrypted using your own key which ServiceNow can’t access.
    • Use the Secrets Management Dashboard to review the secret groups configured on your instance and learn about potential security issues.
    Note:
    Secrets Management Enterprise is a paid plugin that ServiceNow personnel must activate on your production instance.

    Use secret groups to organize your secrets

    Use Secrets Management to organize your secrets into groups. Then, apply access policies to those secrets at a group level.

    Basic secret group
    These groups apply to all secrets in a scope. These secrets are decrypted by a common cryptographic module and module access policies (MAPs).
    Secret group with criteria
    Secret groups with criteria function the same as a basic secret group, but further refine what is included using criteria. These criteria include:
    • Application scope
    • Package
    • Table
    • Secret column
    • Filter record

    Secret groups of either type can be made instance accessible or client accessible.

    Instance-side secret groups
    Instance-side secret groups contain secrets that can be decrypted by your instance.
    Client-side secret groups
    Client-side secrets groups use a public/private key pair so that secrets can only be decrypted by the client. When you create a client-accessible secrets group, you upload the public key to the instance and retain the private key on your MID Server. The instance uses the public key to encrypt your secrets, but they can only be decrypted using the private key.
    Note:
    For more information on these group types, see About client-side Secrets Management.

    Use secrets groups for more granular control

    While Password2 is available on the ServiceNow platform, Secrets Management provides these additional features.

    Granular access controls
    Password2
    With Password2, admins can control access to an application scope but can’t restrict access to elements within the scope.
    Secrets Management
    With Secrets Management, admins can restrict access based on criteria they define. Criteria types can be based on criteria such as package, table, or column.
    Secure storage For client-side secret groups, Secrets Management uses a new encryption scheme. In this encryption scheme, ServiceNow doesn’t save the encryption key. For this reason, the security of your data doesn’t depend on ServiceNow's security.

    Apply module access policies to your groups

    After you’ve grouped your secrets into a secret group, you can apply policies that determine how you can access them at a group level. Module access policies are the access control mechanisms that you apply to cryptographic modules to define instance-level controls, such as a validity time frame for the cryptographic key. For more information on module access policies, see Module access policy overview.

    Tables installed with Secrets Management

    Secrets Management adds or modifies these tables.

    New Tables
    [sn_sm_secret_group] Stores secret groups
    [sn_sm_secret_group_criteria] Stores criteria secret groups
    [sn_sm_secret] Stores wrapped secrets
    [sn_sm_identity_group] Defines the identity group for mapping a group of identities to the public key
    [sys_kmf_wrapped_module_key] Stores the wrapped symmetric cryptographic keys
    Modified Tables
    [sys_kmf_crypto_module] Added cryptographic module type (identity cryptographic module or secret group cryptographic module)
    [sys_kmf_module_key]
    • Stores conceptual secret encryption key (with no key material)
    • Stores the identity public key
    [sys_kmf_crypto_caller_policy] Added new module access policy type

    Secrets Management use case examples

    Help ensure secure ITOM Discovery

    This infographic shows a simplified reference architecture of how ServiceNow IT Operations Management (ITOM) Discovery can be deployed by your organization. As shown in the infographic, multiple Windows and Linux servers connect to the Management, Instrumentation, and Discovery (MID) Server and several MID Server agents enable the discovery process to update the Configuration Management Database (CMDB). Every MID Server transaction requires a secure authentication, so managing the authentication credentials is critical from a security perspective.

    Architecture showing how ServiceNow IT Operations Management (ITOM) Discovery can be deployed
    Accelerating workflow connectivity with Integration Hub securely

    Use ServiceNow's Integration Hub to connect to different systems using automated application programming interface (APIs). Each time Integration Hub connects to a system using an API, an authentication credential is required to establish connectivity. Management of a multitude of applications and APIs for connectivity is made easier by using a secrets management solution.

    Secrets Management is a key part of ensuring your organization’s cybersecurity. It covers all processes and tools related to the creation, storage, transmission, and management of digital credentials such as encryption keys, API tokens, and passwords. To manage secrets both securely and effectively, you can build a core secrets management policy that establishes standard rules and procedures for all phases of a secret’s lifecycle.