Module access policy visualization

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Module Access Policy Visualization

    Module access policy visualization provides a centralized UI page for Key Management Framework admins and cryptographic managers to access detailed cryptographic module information. This tool enables users to see all access control mechanisms associated with a cryptographic module, helping to identify who can access encrypted information on their instance.

    Show full answer Show less

    Key Features

    • Access Control Visibility: Users with the snkmf.admin or snkmf.cryptographicmanager roles can view access control policies by navigating to All > Key Management > Cryptographic Modules > All.
    • Result Field Labels: The UI displays labels based on the Result field, indicating access permissions such as "Track or Allow," "Reject," "StrictReject," or "N/A."
    • Global Policies: Review and manage platform-level access control policies, with options to add new policies if they do not exist.
    • Granular Policies: Access a categorized list of module access policies, with options to filter active policies based on scope, role, and resource exchange.
    • Users with Access: View a list of users who have access to the selected cryptographic module, grouped by user roles.

    Key Outcomes

    By utilizing module access policy visualization, ServiceNow customers can effectively manage and monitor access to cryptographic modules. This ensures compliance with security protocols and enhances the protection of sensitive information, ultimately leading to improved governance and risk management in cryptographic operations.

    Use module access policy visualization to view all relevant cryptographic module information on a single UI page.

    Module access policy visualization UI page

    Key Management Framework admins and cryptographic managers can use the module access policy UI page to view all access control mechanisms related to a single cryptographic module. Use the information collected on this UI page to determine who has access to encrypted information on your instance.

    Users with the sn_kmf.admin or sn_kmf.cryptographic_manager roles can access the module access policy visualization UI page by navigating to All > Key Management > Cryptographic Modules > All.

    Results Labels

    Module access policies contain a Result field, which determines whether to grant access to the selected cryptographic module. The UI page displays a label on elements on the UI page based on the value of that field.

    UI label Result field value Definition
    Track label Track or Allow Access is granted to all users, including scripts.
    Reject label Reject Access is denied unless a track module access policy is found.
    StrictReject label StrictReject Access is denied.
    Absent label N/A The module access policy doesn’t exist on the instance. Access is denied to all.

    Global policies

    Use the Global policies section to review the module access policies that control platform-level access.

    Select the Manage button below any of the policies to navigate to that policy record. If the policy doesn't exist, an Add button appears below that entry. Select the Add button to navigate to a new policy record where you can define the policy.

    		 Global policies section
    Policy Definition
    Default rule The default rule policy defines the behavior when no existing rule matches an access request.
    Platform backend The platform backend policy governs internal platform code access to cryptographic keys.
    Script engine The script engine policy governs whether the script engine is permitted to access cryptographic keys.
    System user The system user policy governs whether the system user is permitted to access cryptographic keys.

    Helpful resources

    Use the Helpful resources section to find links to product documentation, relevant knowledge articles, and a brief description on how module access policies are evaluated on the platform. For a deeper look into how module access policies are evaluated, see Module access policy debugger. Helpful resources section

    Granular policies

    Use the Granular policies section to view lists of module access policies, separated by policy type. Use the tabs above the list to select a policy category to display.

    • Role
    • Scope
    • Scope and Domain (if Domain Separation is active)
    • Script
    • Resource exchange (if the cryptographic module is a Password2 or Field Encryption submodule)
    • Identity (if Secrets Management Enterprise is active)

    By default, the each list displays only active policies. Use the filter icon to change the default filter for the list.

    		 Granular policies section

    Users with access

    Use the Users with access section to see a list of all users that have access to the selected cryptographic module. The list is grouped by user, as single users can posses multiple roles that grant access to a cryptographic module. Users with access section