Deny by default with empty ACLs [Updated in Security Center 1.3]

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 3 minutes
  • Use the glide.sm.default_mode property to control the default behavior of the security manager when the only Access Control List (ACL) rules it finds for a resource are wildcard table-level rules, or when there are none at all.

    Prevent your instance's legacy security manager from allowing access to a resource when no ACLs are defined for it, or when only wildcard table-level ACLs (for example, incident.*) apply. When access is allowed by default, anything that does not have explicit ACLs set is open to manipulation.

    Set the glide.sm.default_mode system property to deny to refuse access when there are no defined ACL rules, or when there are only wildcard table-level ACLs.

    Warning:
    This is a safe harbor property: once the value has been changed, it cannot be altered again. The change is not revertible.

    More information

    Attribute           Description
    Property name       glide.sm.default_mode
    Configuration type  System Properties (/sys_properties_list.do)
    Category            Architecture, design, and threat modeling
    Purpose             Best security practice is to restrict access to tables by unauthorized users.
                        • If there are no ACL rules in place for a table, this property ensures that at least the wildcard ACLs are validated for any CRUD operation performed on the table or field.
                        • These rules restrict the read, write, create, and delete operations on all tables, unless the user has the admin role or meets the requirements of another table ACL rule.
    Recommended value   deny
    Functional impact   If you set this property to allow, the wildcard table ACL rules allow CRUD operations on all tables unless specific table ACL rules are in place to restrict such operations.
                        Note: Changing this property is not intended for existing instances, as it might modify security access to tables that are already in use in a production environment.
    Security risk       6.3
    References          Default deny property

    To learn more about adding or creating a system property, see Add a system property.
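Because the switch to deny cannot be reverted, it is worth previewing which requests would change outcome before making it. The following is an added example, not ServiceNow code and not the instance's actual security manager: it is a simplified model of only the rule this page describes (an explicit rule decides on its own; with only wildcard "<table>.*" rules or no rule at all, the property decides). The ACL set, the users and the requests are constructed for illustration; the assumption that the admin role bypasses ACLs and that a user passes a rule by holding one of its roles is a simplification of real ACL evaluation (conditions, scripts and field-then-table checks are omitted).

```javascript
// Added example: model of what glide.sm.default_mode changes (NOT ServiceNow's security manager).
// Assumptions (hypothetical): ACL names use sys_security_acl's "<table>.<field>" form,
// "<table>.*" is a wildcard table-level rule, 'admin' bypasses ACLs, and a user passes a
// rule by holding one of its roles. Conditions, scripts and field/table chaining are omitted.

const ADMIN_ROLE = 'admin';

// Constructed sample ACL set (hypothetical, for illustration only).
const SAMPLE_ACLS = [
  { name: 'incident.*',        operation: 'read',   roles: ['itil'] },       // wildcard table-level
  { name: 'incident.priority', operation: 'write',  roles: ['itil_admin'] }, // explicit field-level
  { name: 'sys_user.*',        operation: 'delete', roles: [ADMIN_ROLE] },   // wildcard table-level
  // Deliberately no rule of any kind covers change_request.
];

function isWildcardTableRule(acl, table) {
  return acl.name === `${table}.*`;
}

function userSatisfies(rule, user) {
  return rule.roles.some((r) => user.roles.includes(r));
}

// Decide one access request under a given default mode ('allow' or 'deny').
function decideAccess({ table, field, op, user, acls, defaultMode }) {
  if (user.roles.includes(ADMIN_ROLE)) {
    return { allowed: true, reason: 'admin role bypasses ACLs' };
  }
  const forOp = acls.filter((a) => a.operation === op);
  const explicit = forOp.filter((a) => a.name === `${table}.${field}`);
  if (explicit.length > 0) {
    // An explicit rule exists for this resource: the property plays no part.
    const ok = explicit.some((r) => userSatisfies(r, user));
    return { allowed: ok, reason: ok ? 'explicit ACL satisfied' : 'explicit ACL not satisfied' };
  }
  const wildcard = forOp.filter((a) => isWildcardTableRule(a, table));
  if (defaultMode === 'allow') {
    // Legacy behaviour: nothing explicit, so access is granted whether wildcard rules exist or not.
    return {
      allowed: true,
      reason: wildcard.length ? 'default allow (wildcard rules not enforced)' : 'default allow (no ACL at all)',
    };
  }
  if (defaultMode !== 'deny') throw new Error(`unknown default mode: ${defaultMode}`);
  // Deny mode: wildcard rules are actually validated; with no rule at all, access is refused.
  if (wildcard.length === 0) return { allowed: false, reason: 'default deny (no ACL at all)' };
  const ok = wildcard.some((r) => userSatisfies(r, user));
  return { allowed: ok, reason: ok ? 'wildcard ACL satisfied' : 'default deny (wildcard ACL not satisfied)' };
}

// Impact preview: which requests flip outcome if the property goes from allow to deny.
function previewSwitchToDeny(requests, acls) {
  return requests
    .map((req) => {
      const before = decideAccess({ ...req, acls, defaultMode: 'allow' });
      const after = decideAccess({ ...req, acls, defaultMode: 'deny' });
      return { ...req, before: before.allowed, after: after.allowed, reason: after.reason };
    })
    .filter((r) => r.before !== r.after);
}

// Constructed sample user and requests (hypothetical).
const ITIL_USER = { name: 'abel.tuter', roles: ['itil'] };
const SAMPLE_REQUESTS = [
  { table: 'incident',       field: 'short_description', op: 'read',   user: ITIL_USER },
  { table: 'incident',       field: 'priority',          op: 'write',  user: ITIL_USER },
  { table: 'sys_user',       field: 'email',             op: 'delete', user: ITIL_USER },
  { table: 'change_request', field: 'risk',              op: 'write',  user: ITIL_USER },
];

for (const r of previewSwitchToDeny(SAMPLE_REQUESTS, SAMPLE_ACLS)) {
  console.log(`${r.op} ${r.table}.${r.field}: allow->${r.before} deny->${r.after} (${r.reason})`);
}
```

Run with node. With the constructed rules, the itil user's read on incident passes in both modes because the wildcard incident.* rule is satisfied, and the write on incident.priority fails in both modes because an explicit rule decides it; the two requests that flip are the delete on sys_user (only a wildcard rule that the user does not satisfy) and the write on change_request (no rule at all). Those two categories are exactly the ones the page says the deny setting closes off, and they are the ones to audit on a production instance before making the irreversible change.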