Explore Zero Trust Access

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minutes to read

    Zero Trust Access (ZTA) is a security model that assumes that no user or device is trusted by default.

    ZTA ensures that all access to applications and data is granted on a least privilege basis, and only after the user's identity has been verified and the risk of the session assessed.

    Zero Trust - Policy Based Session Access

    ServiceNow Zero Trust - Policy Based Session Access (Session Access) enables organizations to dynamically reduce a user's privileges in a web session based on a variety of factors, including IP address, location, authentication method, the user's roles and groups, whether the user authenticated with MFA, and attributes shared by the Identity Provider (IDP). This helps protect organizations from unauthorized access and data breaches, even when high-privileged users access applications from untrusted devices or locations.

    It enables security administrators to reduce or limit a user's access in a session based on IP address, location, Identity Provider attributes, and user attributes, using adaptive authentication policies.

    Zero Trust Access and Adaptive Authentication
    Note:
    • Session Access configurations can only be performed with the security_admin role. You must elevate your role to security_admin.
    • Session Access doesn’t support integrations.
    • Session Access has no impact if the reduced or limited role isn’t assigned to the user. In this case, there are no changes to the logged-in session, and the user continues to access the instance with the assigned privileges.
    • Session Access has no impact on a user who is already logged in to the instance when the admin configures the policy. The user has to log out of the session for the policy to take effect.
    • Session Access has no impact when the user is in a trusted network and later switches to a VPN (a change in location or network) within the same session.
    • Session Access is enforced at the time of login. Any change in risk parameters during the session won’t result in reduced access. For example, a user switching from the corporate network to an untrusted network after establishing the session keeps the same access until the user logs out and logs in again.
    • With the Session Access (Zero Trust Access - ZTA) feature, roles such as snc_internal and snc_external cannot be removed.
    • The Session Access (Zero Trust Access - ZTA) feature does not remove a role from the sys_user_has_role table or from the user's group memberships. Based on the ZTA policy, it establishes the user session with reduced or limited roles.
    • Scripts running in the system context do not honor the ZTA session roles.

    Use case

    Following are some of the use cases of Zero Trust Access:

    • Reduce privileges based on the risk associated with the session. For example, a user with a fulfiller role who logs in from outside the trusted network can be configured to have only the requester role for that session.
    • Reduce access based on the IDP response for a user session, for example when the user is on an untrusted device. For more information, see Configure Identity Provider attribute for Session Access.

    This role relegation ensures that the user has none of their other existing privileges for that session. When the user logs in from a trusted network, all existing privileges are assigned for the session.

    Multiple IP conditions and multiple role or group assignments can be defined as part of the policy.
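The login-time evaluation described in the note and use cases above, as an added conceptual model written for this page; it is plain Python, not ServiceNow code or its scripting API. Assumptions: a policy fires when any of its risk conditions holds (source IP outside every trusted network, MFA missing, or an IDP device attribute marking the device untrusted), the first firing policy wins, and the role names fulfiller and requester are illustrative.

```python
"""Conceptual model of Session Access (ZTA) semantics (assumed simplifications)."""
import ipaddress
from dataclasses import dataclass

# Roles the page says Session Access can never remove.
PROTECTED_ROLES = frozenset({"snc_internal", "snc_external"})


@dataclass(frozen=True)
class Policy:
    trusted_networks: tuple       # CIDRs; a login from outside all of them is risky
    require_mfa: bool             # a login without MFA is risky
    untrusted_device_value: str   # IDP "device_trust" value that marks a risky device
    session_roles: frozenset      # roles the session is reduced to when the policy fires


@dataclass(frozen=True)
class Login:
    source_ip: str
    mfa_passed: bool
    idp_attrs: dict               # attributes shared by the IDP (constructed sample values)
    db_roles: frozenset           # sys_user_has_role contents; never modified by this model


class Session:
    def __init__(self, login: Login, policies):
        self.db_roles = login.db_roles
        roles = set(login.db_roles)            # no matching policy: privileges unchanged
        for p in policies:
            if self._risky(p, login):
                roles = set(p.session_roles)   # first firing policy wins (assumption)
                break
        roles |= login.db_roles & PROTECTED_ROLES   # snc_internal / snc_external stay
        self.roles = frozenset(roles)
        self.source_ip = login.source_ip

    @staticmethod
    def _risky(p: Policy, login: Login) -> bool:
        ip = ipaddress.ip_address(login.source_ip)
        outside = not any(ip in ipaddress.ip_network(n) for n in p.trusted_networks)
        no_mfa = p.require_mfa and not login.mfa_passed
        untrusted = login.idp_attrs.get("device_trust") == p.untrusted_device_value
        return outside or no_mfa or untrusted

    def has_role(self, role: str, system_context: bool = False) -> bool:
        # Scripts in the system context do not honor the reduced session roles.
        return role in (self.db_roles if system_context else self.roles)

    def change_network(self, new_ip: str) -> None:
        # Enforcement happens only at login: moving networks mid-session changes
        # nothing until the user logs out and logs in again.
        self.source_ip = new_ip
```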

    Zero Trust Access - Mobile

    You can use the Zero Trust Access - Session Access policy within an Adaptive Authentication policy to reduce the roles or privileges of a particular session on mobile.

    Zero Trust Access - Session Access for mobile is enabled by setting the glide.authenticate.session_access.mobile.enabled system property in the system properties table.

    To use Zero Trust Access - Session Access for mobile with IDP attributes, configure the glide.authenticate.session_access.mobile.refresh_token_interval property. This lets administrators control session access based on the refresh token interval.

    For more information, see Configure Zero Trust Access for mobile.