Enforce application specific ACLs only for application data

  • Release version: Australia
  • Updated March 12, 2026

    Avoid unauthorized or undesired access to application data by enforcing application-specific access control lists (ACLs) only for application data.

    Control the behavior of application data residing in primary tables outside the application. When these properties have a value of true, only the application-specific ACLs are evaluated for access to the application data residing in these tables. Not all applications are designed to work in this configuration or use a System Property [sys_properties] record for this purpose.

    These system properties use the glide.enforce_security_scope.<scope> naming format. For example, use the glide.enforce_security_scope.sn_hr_sp property for the Employee Center Core (sn_hr_sp) scope. The following application scopes contain this property:
    • sn_doc
    • sn_egd_act
    • sn_egd_core
    • sn_egd_goals
    • sn_em
    • sn_gsm
    • sn_gsm_info_req
    • sn_gsm_lic_prmt
    • sn_gsm_lic_prmt_ex
    • sn_gsm_soc_bnfts
    • sn_hc_professional
    • sn_hr_agent_ws
    • sn_hr_ai_agents
    • sn_hr_awa
    • sn_hr_core
    • sn_hr_ef
    • sn_hr_er
    • sn_hr_gen_ai
    • sn_hr_hc
    • sn_hr_le
    • sn_hr_le_ent
    • sn_hr_mii_base
    • sn_hr_na_galileo
    • sn_hr_pad
    • sn_hr_pj
    • sn_hr_sp
    • sn_hr_va
    • sn_hr_ws
    • sn_imt_health_test
    • sn_imt_tracing
    • sn_imt_vaccine
    • sn_ja
    • sn_jny
    • sn_lg_contracts
    • sn_lg_matter
    • sn_lg_ops
    • sn_opp_market
    • sn_professional
    • sn_svc_appl_info
    • sn_svc_appl_pgm_mg
    • sn_talent_aia
    • sn_uni_req
    • sn_uni_task
    • sn_egd_lh
    • sn_ecn
    • sn_ni_core
    • sn_hr_voice_aia

    For each application installed with the glide.enforce_security_scope property in the System Properties [sys_properties] table (for example, glide.enforce_security_scope.sn_hr_core), ensure the property value is set to true.

    Note:
    These properties can only be modified by the scoped administrator for the specific application. If a sys_properties record does not exist for the given application and respective property, it must be created.
    Use this script to find which properties need to be updated or created on the instance:
    var properties = [
            'glide.enforce_security_scope.sn_uni_task',
            'glide.enforce_security_scope.sn_uni_req',
            'glide.enforce_security_scope.sn_svc_appl_info',
            'glide.enforce_security_scope.sn_professional',
            'glide.enforce_security_scope.sn_opp_market',
            'glide.enforce_security_scope.sn_lg_ops',
            'glide.enforce_security_scope.sn_lg_matter',
            'glide.enforce_security_scope.sn_lg_contracts',
            'glide.enforce_security_scope.sn_jny',
            'glide.enforce_security_scope.sn_ja',
            'glide.enforce_security_scope.sn_imt_vaccine',
            'glide.enforce_security_scope.sn_imt_tracing',
            'glide.enforce_security_scope.sn_imt_health_test',
            'glide.enforce_security_scope.sn_hr_ws',
            'glide.enforce_security_scope.sn_hr_va',
            'glide.enforce_security_scope.sn_hr_sp',
            'glide.enforce_security_scope.sn_hr_pj',
            'glide.enforce_security_scope.sn_hr_pad',
            'glide.enforce_security_scope.sn_hr_mii_base',
            'glide.enforce_security_scope.sn_hr_le',
            'glide.enforce_security_scope.sn_hr_le_ent',
            'glide.enforce_security_scope.sn_hr_hc',
            'glide.enforce_security_scope.sn_hr_gen_ai',
            'glide.enforce_security_scope.sn_hr_er',
            'glide.enforce_security_scope.sn_hr_ef',
            'glide.enforce_security_scope.sn_hr_core',
            'glide.enforce_security_scope.sn_hr_awa',
            'glide.enforce_security_scope.sn_hr_agent_ws',
            'glide.enforce_security_scope.sn_hc_professional',
            'glide.enforce_security_scope.sn_gsm_soc_bnfts',
            'glide.enforce_security_scope.sn_gsm_lic_prmt_ex',
            'glide.enforce_security_scope.sn_gsm_lic_prmt',
            'glide.enforce_security_scope.sn_gsm_info_req',
            'glide.enforce_security_scope.sn_gsm',
            'glide.enforce_security_scope.sn_em',
            'glide.enforce_security_scope.sn_egd_goals',
            'glide.enforce_security_scope.sn_egd_core',
            'glide.enforce_security_scope.sn_egd_act',
            'glide.enforce_security_scope.sn_doc',
            'glide.enforce_security_scope.sn_talent_aia',
            'glide.enforce_security_scope.sn_hr_na_galileo',
            'glide.enforce_security_scope.sn_svc_appl_pgm_mg',
            'glide.enforce_security_scope.sn_hr_ai_agents',
            'glide.enforce_security_scope.sn_egd_lh',
            'glide.enforce_security_scope.sn_ecn',
            'glide.enforce_security_scope.sn_ni_core',
            'glide.enforce_security_scope.sn_hr_voice_aia'
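    ];

    // GlidePluginManager reports whether an application (plugin) is active.
    var pm = new GlidePluginManager();

    for (var i = 0; i < properties.length; i++) {
        var property = properties[i];
        // The scope is the third dot-separated segment of the property name.
        var application = property.split('.')[2];
        // A missing property is treated as 'false' so that it is reported too.
        var propertyValue = gs.getProperty(property, 'false');

        // Print each property of an active application whose value is not true.
        if (pm.isActive(application) && propertyValue.toLowerCase() != 'true') {
            gs.print(property);
        }
    }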
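
The script above reports a property whether its record is missing or merely not set to true. The following added example (not ServiceNow's code) separates the two cases, because a missing record must be created while an existing one is updated; the function names, the injected lookup callbacks and the sample data are assumptions constructed for illustration.

```javascript
// Added example: classify each glide.enforce_security_scope.<scope> property
// as 'create', 'update' or 'ok'. The two lookups are injected so the logic
// runs anywhere; wiring them to an instance is left to the reader (assumption).
var PREFIX = 'glide.enforce_security_scope.';

function auditEnforceScope(scopes, isInstalled, readProperty) {
    var findings = [];
    for (var i = 0; i < scopes.length; i++) {
        var scope = scopes[i];
        if (!isInstalled(scope)) {
            continue; // application not on this instance, nothing to enforce
        }
        var name = PREFIX + scope;
        var raw = readProperty(name); // null or undefined when no record exists
        var action;
        if (raw === null || raw === undefined) {
            action = 'create'; // no sys_properties record: it must be created
        } else if (String(raw).toLowerCase() === 'true') {
            action = 'ok';     // same case-insensitive test as the page's script
        } else {
            action = 'update'; // record exists but its value is not true
        }
        findings.push({ property: name, action: action });
    }
    return findings;
}

// Constructed sample data standing in for an instance (not real output).
var sampleInstalled = { sn_hr_core: true, sn_hr_sp: true, sn_lg_ops: true };
var sampleProperties = {
    'glide.enforce_security_scope.sn_hr_core': 'true',
    'glide.enforce_security_scope.sn_hr_sp': 'False'
    // sn_lg_ops deliberately has no record; sn_doc is not installed
};

function runSampleAudit() {
    return auditEnforceScope(
        ['sn_hr_core', 'sn_hr_sp', 'sn_lg_ops', 'sn_doc'],
        function (scope) { return sampleInstalled[scope] === true; },
        function (name) {
            return Object.prototype.hasOwnProperty.call(sampleProperties, name)
                ? sampleProperties[name] : null;
        }
    );
}

console.log(JSON.stringify(runSampleAudit(), null, 2));
```

Because only the scoped administrator of each application can modify these properties, the 'create' and 'update' findings are best grouped by scope and handed to the matching administrator.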

    More information

    Attribute                       Description
    Configuration name              glide.enforce_security_scope.<scope>
    Configuration type              System Properties (/sys_properties_list.do)
    Data type                       Boolean
    Recommended value               true
    Default value                   true
    Category                        Access control
    Security risk                   • Severity score: 4.1
                                    • CVSS score: Medium
                                    • Security risk details: When these properties don’t have a value of true, the ACLs on the primary table are still evaluated for access, potentially allowing unauthorized or undesired access to application data.
    Dependencies and prerequisites  None

    To learn more about adding or creating a system property, see Add a system property.