Secure data
Summary of Secure data
Data security is a critical aspect of application development on the ServiceNow AI Platform. ServiceNow automatically enforces access control for tables based on user roles during table creation, ensuring that only authorized users can read, create, write, or delete data. Proper configuration of access control rules at both table and column levels is essential to protect sensitive information and maintain system performance.
Key Features
- Access Control Lists (ACLs): Multiple access controls combine to form ACLs, which regulate user permissions for tables, UI pages, and property pages. ACLs should be used to restrict table access to necessary users, especially under the Orlando Platform Subscription model, where charges depend on how many tables a user can access.
- Before-query Business Rules: These run before database queries and control read access to records without revealing hidden records in lists. They are useful for certain read restrictions but do not replace ACLs and count against subscription limits.
- GlideRecord Queries: Usage in access control scripts should be limited because they can impact performance. Additionally, GlideRecord queries bypass read access controls but are restricted by before-query Business Rules.
- Field-level Security: Auto-populated fields should ideally be made read-only to prevent unauthorized changes.
- Encryption: The platform supports encryption at the application, database, and hardware tiers to enhance data protection.
Best Practices
- Configure security measures early in the application development process before setting up interfaces or business logic to avoid rework and ensure data protection.
- Use ACLs primarily to control access and manage subscription costs effectively.
- Review existing Business Rules, such as the user query Business Rule on the User [sys_user] table, as references for implementing before-query Business Rules.
Key Outcomes
By following these guidelines, ServiceNow customers can ensure that application data is securely accessed only by authorized users, maintain optimal system performance, comply with subscription licensing models, and leverage encryption to protect data at multiple levels. Early and proper security configuration reduces risks and supports robust, compliant applications on the ServiceNow AI Platform.
Data security is one of the most important and overlooked aspects of creating an application. ServiceNow automatically configures access control for a new or selected role during the table creation process. Only users with the role can access the table to read, create, write, and delete.
Use access control rules to configure table and column-level security in the ServiceNow AI Platform. To properly configure access to an application, developers should understand how access controls work and the order in which access controls are evaluated. Apply multiple access controls that together make an Access Control List (ACL).
Self-Paced Training: Securing Applications
Documentation: Access Control List Rules
- Protect tables, UI pages, property pages, and other content with the appropriate access controls and roles.
- Limit the use of GlideRecord queries in access control scripts. GlideRecord queries can affect performance.
Alternatively, secure data on the ServiceNow AI Platform with before-query Business Rules. Before-query Business Rules run before the database query and are limited to controlling read access to a record. Use before-query Business Rules only when necessary. Some considerations when deciding whether to use access controls or before-query Business Rules:
- GlideRecord queries will bypass read access controls on a table and will be restricted by before-query Business Rules on a table.
- When access controls restrict read access to records in a list, ServiceNow shows a message saying that access has been restricted for the records. With before-query Business Rules, the number of records in the list total matches the number of records shown to the user. The user receives no indication that some records have been hidden from the list.
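The difference in list behavior described above, as an added example that is not ServiceNow's own code. `ROWS`, `FakeGlideRecord` and `makeGs` are constructed stand-ins so the script runs outside an instance, and the read ACL is simplified to a per-row check after the query; on the platform the rule body would receive the real `current` and `gs` objects.

```javascript
// Constructed sample rows standing in for a custom table.
const ROWS = [
  { number: 'REC001', active: true },
  { number: 'REC002', active: false },
  { number: 'REC003', active: true },
];

// Minimal stand-in for the GlideRecord a Business Rule receives as `current`.
// Only addQuery() is modelled here.
class FakeGlideRecord {
  constructor(rows) { this.rows = rows; this.conditions = []; }
  addQuery(field, value) { this.conditions.push([field, value]); }
  run() {
    return this.rows.filter(r =>
      this.conditions.every(([f, v]) => String(r[f]) === String(v)));
  }
}

// Stand-in for the `gs` object: role checks only.
function makeGs(roles) {
  return { hasRole: role => roles.includes(role) };
}

// Before-query Business Rule body (hypothetical rule): users without the
// admin role only ever query active records, so hidden rows never load.
function beforeQueryRule(current, gs) {
  if (!gs.hasRole('admin')) {
    current.addQuery('active', true);
  }
}

// List filtered by the before-query rule: total equals rows shown, no notice.
function listWithBeforeQuery(gs) {
  const current = new FakeGlideRecord(ROWS);
  beforeQueryRule(current, gs);
  const shown = current.run();
  return { shown: shown.length, total: shown.length, restrictedNotice: false };
}

// List filtered by a read ACL: the query still matches every row, unreadable
// rows are dropped afterwards, and the user is told access was restricted.
function listWithReadAcl(gs) {
  const matched = new FakeGlideRecord(ROWS).run();
  const shown = matched.filter(r => r.active || gs.hasRole('admin'));
  return { shown: shown.length, total: matched.length,
           restrictedNotice: shown.length < matched.length };
}
```

For a user without the role, both approaches show two rows, but only the ACL path reports a total of three and a restriction notice; the before-query path gives no sign that a record was hidden.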