Restrict unauthenticated access to attachments
Summary
This feature enables ServiceNow customers to control access to image attachments by restricting unauthenticated users from viewing them. By configuring the system property glide.image_provider.security_enabled, organizations can prevent unauthorized access to sensitive images, ensuring that only authenticated users or explicitly allowed exceptions can view attached images and their thumbnails.
Key Features
- System Property Control: The property glide.image_provider.security_enabled toggles access control for image attachments. Setting it to true restricts unauthenticated users, while false allows anyone with the URL to view the images.
- Consistent Thumbnail Policy: Thumbnails inherit the same access restrictions as the original image attachments.
- Fine-Grained Exceptions: Access exceptions for unauthenticated users are managed via the Security Allow/Deny List Entities [sys_security_restricted_list] table and by marking images attached to public Knowledge Base (KB) articles.
- Exception Precedence: 1) Deny-listed parent tables deny access; 2) Allow-listed parent tables grant access; 3) Inclusion in public KB articles grants access.
Practical Considerations
- Ensure the property glide.image_provider.security_enabled is set to true to activate restrictions. If the property does not exist, the default is false.
- When enabled, unauthenticated users cannot access image attachments unless explicitly allowed through the security allow-list or public KB article exceptions.
- Misconfiguration or leaving the property false poses a medium security risk (CVSS score 6.5) by exposing images to unauthenticated users who have the URL.
- Use the Security Allow/Deny List Entities table to manage specific tables' access permissions for unauthenticated users effectively.
Expected Outcomes
By enabling this property and properly managing exceptions, ServiceNow customers enhance the security of image attachments by preventing unauthorized access and potential information leaks. This control supports compliance and data protection policies while maintaining appropriate access for authenticated users and authorized public content.
Restrict unauthenticated access to image attachments using a system property.
Use the glide.image_provider.security_enabled property to restrict unauthenticated access to image attachments. If set to true, images are visible to any authenticated user but to no unauthenticated user. If set to false, images are visible to anyone with a URL to the attachment. Thumbnails of an attached image follow the same policy as the original attached image and are accessible to the same set of users as the original. When this property is enabled, finer-grained access control for unauthenticated users is obtained through entries in the Security Allow/Deny List Entities [sys_security_restricted_list] table and through the declaration of public KB articles for images attached to KB articles. When this property is true, these exceptions to the default policy for unauthenticated users are applied in the following order.
- If the table of an attached image or parent table of a thumbnail image is deny-listed in the Security Allow/Deny List Entities [sys_security_restricted_list] table, access is denied to the image/thumbnail.
- If the table of an attached image or parent table of a thumbnail image is allow-listed in the Security Allow/Deny List Entities [sys_security_restricted_list] table, access is granted to the image/thumbnail.
- If the table of an attached image or parent table of a thumbnail image is included in a public KB article, access is granted to the image/thumbnail.
Ensure that the property glide.image_provider.security_enabled is set to true. If the property does not exist on the System Properties [sys_properties] table, the default value is false.
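The following is an added example, not ServiceNow's own code, that models the evaluation order described above as a plain JavaScript decision function: the property falls back to false when absent, authenticated users are never restricted, thumbnails are judged by their parent table, and the deny list, allow list and public KB exception are checked in that order. The shapes of the inputs (a property map, a list of allow/deny entries with `table` and `action` fields, and a request object) are assumptions made for the example and are not the real table columns.

```javascript
// Added example: a model of the documented access rules for unauthenticated
// users, written to make the precedence order explicit. This is not
// ServiceNow's implementation; the data shapes below are assumptions.

const PROPERTY_NAME = "glide.image_provider.security_enabled";

// Resolve the effective property value. A missing property falls back to
// false, and only the (case-insensitive) string "true" enables the restriction.
function securityEnabled(props) {
  const present = Object.prototype.hasOwnProperty.call(props, PROPERTY_NAME);
  const raw = present ? String(props[PROPERTY_NAME]).trim().toLowerCase() : "false";
  return raw === "true";
}

// Decide whether a request may read an attached image or its thumbnail.
//   props          - map of system property name -> value (assumed shape)
//   restrictedList - entries modelled on the Security Allow/Deny List Entities
//                    table, each { table, action: "allow" | "deny" } (assumed)
//   request        - { authenticated, table, isThumbnail, parentTable, inPublicKb }
// Returns { allowed, reason } so callers can log why a decision was made.
function canViewImage(props, restrictedList, request) {
  // Authenticated users are outside the scope of this property.
  if (request.authenticated) {
    return { allowed: true, reason: "authenticated user" };
  }
  // Property false or absent: anyone holding the URL can view the image.
  if (!securityEnabled(props)) {
    return { allowed: true, reason: "property disabled" };
  }
  // Thumbnails inherit the policy of the original attachment's table.
  const table = request.isThumbnail ? request.parentTable : request.table;
  const matches = (action) =>
    restrictedList.some((e) => e.table === table && e.action === action);

  // 1) A deny-listed table denies access, whatever else applies.
  if (matches("deny")) return { allowed: false, reason: "table deny-listed" };
  // 2) An allow-listed table grants access.
  if (matches("allow")) return { allowed: true, reason: "table allow-listed" };
  // 3) An image attached to a public KB article is viewable.
  if (request.inPublicKb) return { allowed: true, reason: "public KB article" };
  // No exception matched: unauthenticated access is refused.
  return { allowed: false, reason: "unauthenticated, no exception" };
}

// Constructed sample data for a stand-alone run (not real instance data).
const SAMPLE_PROPS = { [PROPERTY_NAME]: "true" };
const SAMPLE_LIST = [
  { table: "incident", action: "deny" },
  { table: "kb_knowledge", action: "allow" },
];

// Evaluate a few representative requests and return the decisions.
function runScenarios() {
  const requests = [
    { name: "incident image", authenticated: false, table: "incident" },
    { name: "incident thumbnail", authenticated: false, isThumbnail: true,
      table: "sys_attachment", parentTable: "incident" },
    { name: "kb image", authenticated: false, table: "kb_knowledge" },
    { name: "public kb image", authenticated: false, table: "kb_article_public",
      inPublicKb: true },
    { name: "logged-in incident image", authenticated: true, table: "incident" },
  ];
  return requests.map((r) => ({ name: r.name, ...canViewImage(SAMPLE_PROPS, SAMPLE_LIST, r) }));
}

for (const d of runScenarios()) {
  console.log(`${d.name}: ${d.allowed ? "ALLOW" : "DENY"} (${d.reason})`);
}
```

Note that a table listed as both allowed and denied resolves to denied, because the deny check runs first; this is the property of the documented order that an administrator auditing the allow/deny list most often needs to confirm.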
More information
| Attribute | Description |
|---|---|
| Property name | glide.image_provider.security_enabled |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Access control |
| Recommended value | true |
| Default value | true |
| Fallback value | false |
| Functional impact | If the property was previously false and is then set to true, unauthenticated users can no longer access image attachments unless explicitly allowed using one of the exception procedures. |
| Security risk | Medium (CVSS score 6.5) |
| References | Administering attachments |
To learn more about adding or creating a system property, see Add a system property.