Enhanced Access Control for Operational Technology

  • Release version: Australia
  • Updated March 12, 2026

Enhanced Access Control for Operational Technology (OT) implements data filters, deny unless access control rules (ACLs), and ACL query rules to help secure OT data.

Enhanced Access Control overview

Enhanced Access Control provides the following components for configuring access control on your data, which helps you avoid misconfiguration and security issues.
Data filters
Ability to control access at the query level, so that records a user isn't permitted to see are excluded from query results rather than only hidden on forms.
Deny Unless ACLs
Ability to deny access to data unless the specified conditions are met.
ACL Query Rules
Exact query and range query ACL operations to control query privileges.

    Enhanced Access Control for OT

    Deny Unless ACLs help enforce IT and OT separation and site-based access.

IT and OT separation

Non-OT users can't view OT devices in Configuration Management Database (CMDB) tables. If a device is classified as an OT CI, only users assigned the cmdb_ot_viewer role or the cmdb_ot_editor role can access it. The following table describes each role.

Table 1. OT roles to view OT CIs
OT Viewer [cmdb_ot_viewer]
Read-only access to OT device records.
OT Editor [cmdb_ot_editor]
Create, read, update, and delete access for Operational Technology (OT) extension classes.

Note: Users assigned the cmdb_ot_editor role can edit and delete only OT configuration items (CIs), and can't edit IT CIs.

There are also restrictions on what OT users can edit or delete on IT configuration items (CIs). Users assigned the cmdb_ot_editor role or the cmdb_ot_admin role can't edit or delete IT CIs in the following related lists:
• IP Address
• Network Adapter
• Storage Device
• File System
• Memory Module
• Patch = CI Field
• Package = CI Field
• Managed Network

Site-based access

    Site-based access specifies which users can view, edit, and delete OT devices for a designated site. You can assign site-based access to users by using Can Read or Can Edit user criteria. For more information about assigned Can Read access, see Assign the user criteria for Can Read access to a site. For more information about assigning Can Edit access, see Assign the user criteria for Can Edit access to a site.

The following table describes the site-based access for users assigned the cmdb_ot_viewer role or the cmdb_ot_editor role.

Table 2. Site-based access for OT roles
cmdb_ot_viewer
With Can Read access, users assigned the cmdb_ot_viewer role can only view OT devices for a designated site.
For example, if you're assigned the cmdb_ot_viewer role and have Can Read access to the Atlanta site, then you can only view the site's OT devices. You can't edit or delete the OT devices associated with Atlanta.
cmdb_ot_editor
To edit OT devices, users with the cmdb_ot_editor role must be assigned Can Edit access for the site or sites they belong to.
For example, if you're assigned the cmdb_ot_editor role but only have Can Read access to the Atlanta site, you can only view the devices associated with Atlanta. If you're assigned the cmdb_ot_editor role and have Can Edit access to the San Diego site, you can edit or delete the devices associated with San Diego.

Enhanced Access Control for OT CMDB CI related record tables

Non-OT users can't view OT devices in the following OT-related CMDB CI related record tables:
• IP Address [cmdb_ci_ip_address]
• Network Adapter [cmdb_ci_network_adapter]
• Serial Number [cmdb_serial_number]

If a related record belongs to an OT device, only users assigned the cmdb_ot_viewer role (view) or the cmdb_ot_editor role (view and edit) can access it.

Related records also adhere to site-based access restrictions. With Can Read access, users assigned the cmdb_ot_viewer role can only view the OT-related CMDB CI records for a designated site. Users with the cmdb_ot_editor role must be assigned Can Edit access for a site to edit or delete the OT-related CMDB CI records of the designated site.
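The three sections above (IT and OT separation, site-based access, and related record tables) describe one deny-unless policy: nothing is granted unless an OT role and a matching site user criterion both apply, and related records follow their parent CI. The following is an added illustrative model of that policy, written for this page and not ServiceNow's own code or engine (the platform enforces these outcomes through ACLs, data filters and user criteria). The sample users, CIs, the `isOT` flag, the `sites` grant map and the helper names are all constructed assumptions so the documented examples (Atlanta with Can Read, San Diego with Can Edit) can be checked offline.

```javascript
// Added illustrative model of the deny-unless access decisions this page
// describes. NOT ServiceNow code: the platform enforces these outcomes via
// ACLs, data filters and user criteria. Users, records, field names and
// helper names below are constructed for the example.

const OT_VIEWER = "cmdb_ot_viewer";
const OT_EDITOR = "cmdb_ot_editor";
const OPS = ["read", "write", "delete"];

// Constructed sample users. `sites` maps a site name to the user-criteria
// grant the user satisfies there: "read" for Can Read, "edit" for Can Edit.
const users = {
  itAdmin:  { roles: ["itil"],    sites: { Atlanta: "edit" } },
  otViewer: { roles: [OT_VIEWER], sites: { Atlanta: "read" } },
  otEditor: { roles: [OT_EDITOR], sites: { Atlanta: "read", "San Diego": "edit" } },
};

// Constructed sample CIs and related records. `isOT` stands in for the
// platform's OT classification; related records point at their parent CI.
const records = {
  plcAtl:   { name: "plc-atl-01", isOT: true,  site: "Atlanta" },
  plcSd:    { name: "plc-sd-01",  isOT: true,  site: "San Diego" },
  itServer: { name: "web-atl-01", isOT: false, site: "Atlanta" },
  ipAtl:    { table: "cmdb_ci_ip_address",      parent: "plcAtl" },
  nicSd:    { table: "cmdb_ci_network_adapter", parent: "plcSd" },
  ipIt:     { table: "cmdb_ci_ip_address",      parent: "itServer" },
};

// Related records inherit the OT classification and site of their parent CI.
function resolveCI(record) {
  return record.parent ? records[record.parent] : record;
}

// Deny-unless decision: returns true only when an OT role plus the user's
// site grant explicitly allow `op`; every other path falls through to deny.
// For IT CIs the OT roles grant nothing (the page states cmdb_ot_editor
// cannot edit or delete IT CIs); any other ACLs the user holds are out of
// scope for this model. Assumption: Can Edit implies the ability to read.
function decide(user, record, op) {
  if (!OPS.includes(op)) throw new Error(`unknown operation: ${op}`);
  const ci = resolveCI(record);
  if (!ci.isOT) return false;

  const isViewer = user.roles.includes(OT_VIEWER);
  const isEditor = user.roles.includes(OT_EDITOR);
  if (!isViewer && !isEditor) return false;      // IT/OT separation

  const grant = user.sites[ci.site];             // undefined, "read" or "edit"
  if (grant === undefined) return false;         // no user criteria match for this site

  if (op === "read") return true;                // Can Read or Can Edit both allow viewing
  return isEditor && grant === "edit";           // write/delete need editor role AND Can Edit
}

// Builds the full decision table, one row per (user, record, op), for review.
function accessMatrix() {
  const rows = [];
  for (const [u, user] of Object.entries(users)) {
    for (const [r, record] of Object.entries(records)) {
      for (const op of OPS) {
        rows.push({ user: u, record: r, op, allowed: decide(user, record, op) });
      }
    }
  }
  return rows;
}

// Stand-alone run: print only the allowed rows; everything else is denied.
if (typeof require !== "undefined" && require.main === module) {
  for (const row of accessMatrix().filter((r) => r.allowed)) {
    console.log(`${row.user} may ${row.op} ${row.record}`);
  }
}
```

The model makes the two checks a practitioner usually wants to confirm explicit: a non-OT user with Can Edit on a site still sees nothing, because the role check runs before the site check, and an OT editor with only Can Read on a site is reduced to viewing there even though the same user can delete devices at a site where they hold Can Edit.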