Disable Adding Default Roles to Skill ACLs

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Use system properties to control what roles are automatically added to generative AI skill ACLs.

    Use the com.glide.one_extend.include_default_roles_for_skill_acl system property to control whether roles are automatically added to generative AI skill ACLs when they’re created or updated via the global.GenAiSkilSecurityUtils API. This property is used by the Now Assist Skill Kit (NASK) to enforce consistent security policies across all AI skills.

    When a skill ACL is inserted or updated, the default roles defined in the com.glide.one_extend.default_roles_for_skill_acl system property are automatically included. This addition ensures that certain privileged roles always have access to execute the skills. The com.glide.one_extend.default_roles_for_skill_acl property may contain a comma-separated list of roles.

    Ensure that the com.glide.one_extend.include_default_roles_for_skill_acl is set to false, or that the property doesn't exist on the System Properties [sys_properties] table.

    More information

    Attribute Description
    Configuration name com.glide.one_extend.include_default_roles_for_skill_acl
    Configuration type System Properties (/sys_properties_list.do)
    Data type Boolean
    Recommended value false
    Default value false
    Fallback value false
    Category Access control
    Security risk
    • Severity score: 4.2
    • CVSS score: Medium
    • Security risk details: Roles are automatically added to Generative AI Skill ACLs when this feature is enabled. Depending on the role, this may allow overly broad access to certain skills and override intended ACL behavior.
    Functional impact Certain roles may be prevented from using skills if they don’t satisfy an existing access control. These two property configurations ensure certain roles retain a base level of access to all skills.
    Dependencies and prerequisites None