Configure script access to encrypted data
Run a script against a cryptographic module for a specific cryptographic purpose. Read (decrypt/unwrap) and write (encrypt/wrap) access can be granted separately, based on the operation granularity of the module access policy.
Before you begin
Role required: sn_kmf.cryptographic_manager
About this task
Typical uses are Business Rules and Script Includes. This procedure uses a Business Rule script.
Procedure
- Create a cryptographic module with the symmetric data encryption/decryption algorithm.
  Refer to Create a cryptographic module for details. Access to the data or attachment is controlled by a module access policy with one of the following characteristics:
  - Symmetric encryption: The script can encrypt data but cannot decrypt it.
  - Symmetric decryption: The script can decrypt uploaded encrypted data or attachments but cannot encrypt data or attachments.
  - Symmetric encryption and decryption: The script can both encrypt and decrypt data or attachments.
- Navigate to System Definition > Business Rules.
- Click New.
- Complete the form on the When to run tab and enter the script on the Advanced tab:

  Table 1. Business Rule fields
  - Name: Enter a name for the business rule.
  - Table: Select Incident [incident] from the drop-down list.
  - Application: Global is selected by default.
  - Active: Mark the rule as Active.
  - Advanced: Select the check box to display advanced options.
  - When to run tab: On the When to run tab, enable the Insert and Update fields.
  - Advanced tab: On the Advanced tab, paste the following script text at line 3:

  ```javascript
  // Fetch the module created in the first step and run a value through an encrypt/decrypt round trip
  var gc = global.GlideCryptoModule.getModule('global.acme_mod');
  var value = 'test';
  var encrypted = gc.encryptData(value);
  gs.info('value: ' + value);
  gs.info('Encrypted: ' + encrypted);
  var decrypted = gc.decryptData(encrypted);
  gs.info('Decrypted: ' + decrypted);
  gs.info(decrypted == value);
  ```

  Note: Refer to the "Business Rules Advanced Tab" image for details.
- Select Submit.
- Navigate to All > System Security > Field Encryption > Field Encryption Experience > Configurations > Access Policies > All.
  Note: For additional information, refer to Create a module access policy.
- Select Create new.
- Select an existing Field Encryption module to associate the Module Access Policy (MAP) with.
- Select Create.
- Complete the form.

  Module Access Policies fields
  - Policy name: Enter a name for the policy.
  - Type: Select Script to control access by script.
  - Script Table: Select a value from the script table drop-down list. For this example, select Business Rule [sys_script].
  - Result: To give the script access to the module, select Track in the Result field.
  - Crypto module: Displays the module with the symmetric data encryption/decryption algorithm that you selected.
  - Active: Select to activate the policy.
  - Target Script: Select the script document for the policy. Select the Table name and then the related document for the policy. For this example, select the Business Rule that you created in the previous steps.
  - Check script version: Select this option to direct the system to perform a version comparison every time the script is run. If the script has been changed, the user is notified.
  - Specify purpose: Optional. Enable to display the Crypto Spec field on the form. Enable this option to configure granular operations, such as allowing some users to encrypt but not decrypt.
  - Application: The Application scope is auto-populated by your current scope.
- Select Save.
The Module Access Policy for the script is now available in the system.