Restrict Global App Development by Role

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Use the sn_g_app_creator.allow_global property to control which users can create applications in the global scope using the Guided Application Creator.

    The sn_g_app_creator.allow_global system property controls which users can create applications in the global scope using the Guided Application Creator. If sn_g_app_creator.allow_global is set to the recommended value of false, users need the sn_g_app_creator.global role to create an application in the global scope using Guided Application Creator. If sn_g_app_creator.allow_global is set to the insecure value of true then all users with only the base role "sn_g_app_creator.app_creator" can create an application in the global scope using Guided Application Creator. Applications in the global scope do not contain scope protections allowing a developer to access greater features and functions beyond a specific scope.

    Ensure the property sn_g_app_creator.allow_global is set to false or does not appear in the System Properties [sys_properties] table. If the property is not present in the System Properties [sys_properties] table the secure default is used.

    More information

    Attribute Description
    Configuration name sn_g_app_creator.allow_global
    Configuration type System Properties (/sys_properties_list.do)
    Data type Boolean
    Recommended value false
    Default value <none>
    Fallback value false
    Category Access control
    Security risk
    • Severity score: 3.3
    • CVSS score: Low
    • Security risk details: Limiting global application development to users with the additional role follows the principle of least privilege.
    Dependencies and prerequisites None
    Functional impact Enhanced the API (/api/now/templates) to validate the create global application ACL and property.