Exploring Secrets Management

Release version: Australia

Updated March 12, 2026

4 minutes to read

Summarize

Summarized using AI

Summary of Exploring Secrets Management

ServiceNow Secrets Management enables granular control over access to passwords and other digital credentials tailored to your business requirements. Administrators with the appropriate roles can manage secrets securely, organizing them into groups with defined access policies. Secrets Management is available in two versions: Core and Enterprise, each catering to different levels of functionality and security needs.

Show full answer Show less

Key Features

Two Versions:
- Core: Available by default at no extra cost, allowing the use of secret groups with criteria on standard ServiceNow tables.
- Enterprise: Available with a ServiceNow Vault license and activated by ServiceNow support; offers advanced granular access controls based on scope, package, table, column, and record criteria, client-accessible secrets encrypted with customer-managed keys, and a Secrets Management Dashboard for monitoring.
Secret Groups: Secrets can be organized into groups for easier management and policy application. Groups can be:
- Basic: Apply to all secrets within a scope.
- With Criteria: Further refine included secrets based on application scope, package, table, column, or record filters.
Access Types:
- Instance-side: Secrets decrypted by the ServiceNow instance.
- Client-side: Secrets encrypted with a public key on the instance and decrypted only by the client's private key (stored securely on the MID Server), enhancing security by preventing ServiceNow from accessing the decrypted secrets.
Granular Access Controls: Unlike Password2, Secrets Management allows restricting access to secrets based on defined criteria within application scopes, improving security and compliance.
Module Access Policies: These policies control how cryptographic modules and secrets are accessed at the instance level, including constraints like validity periods for keys.
Secure Storage: Client-side secrets use an encryption scheme where ServiceNow does not store encryption keys, enhancing data security by eliminating dependency on ServiceNow’s security.
Integration with ServiceNow Features: Secrets Management supports secure authentication for IT Operations Management (ITOM) Discovery processes and Integration Hub API connections, facilitating secure and scalable automation.
Tables and Data Model: Secrets Management introduces new and modified tables to manage secret groups, criteria, wrapped secrets, identity groups, cryptographic keys, and policies, enabling structured and secure credential management.

Practical Implications for ServiceNow Customers

By implementing Secrets Management, customers can enhance cybersecurity by centrally managing digital credentials with fine-grained access control, minimizing risks associated with password and key exposure. The solution supports secure automation workflows and discovery processes requiring authentication, ensuring operational continuity and compliance.

Customers should assess their needs to choose between the Core and Enterprise versions. Enterprise is suitable for organizations requiring advanced access controls and client-side encryption with customer-controlled keys. Administrators must have appropriate roles to configure and view Secrets Management modules and records.

Using Secrets Management, customers can establish consistent secrets lifecycle policies, improving security posture and operational efficiency across their ServiceNow environment.

Use ServiceNow Secrets Management for granular management of access to your passwords to fit your business needs.

Important:

Admins must have the role to see modules and records related to Secrets Management. For secrets management role information, see Secrets Management roles.

Select from Core and Enterprise versions of Secrets Management

Choose from Secrets Management Core and Secrets Management Enterprise depending on your business needs.

The Secrets Management Core plugin (com.glide.sm.core) is available by default. No installation is required on the instance to use this plugin. The Secrets Management Enterprise plugin is only available with a ServiceNow Vault v1, PROD18537 license. Contact Customer Support for assistance with the Secrets Management Enterprise plugin.


Secrets Management Core	Secrets Management Enterprise
Secrets Management Core is available by default to install on your instance at no additional cost. The plugin provides the ability to use secrets groups with criteria in non-custom tables provided in the ServiceNow platform that have been created by ServiceNow application engineering teams.	Secrets Management Enterprise includes additional functions to help admins create and manage secrets groups. Enterprise provides the following features in addition to the features listed in Core. Use granular access controls to create secrets groups based on any of these criteria: Scope Package Table Column Record Create client-accessible secrets that are encrypted using your own key which ServiceNow can’t access. Use the Secrets Management Dashboard to review the secret groups configured on your instance and learn about potential security issues. Note: Secrets Management Enterprise is a paid plugin that ServiceNow personnel must activate on your production instance.

Use secret groups to organize your secrets

Use Secrets Management to organize your secrets into groups. Then, apply access policies to those secrets at a group level.

Basic secret group

These groups apply to all secrets in a scope. These secrets are decrypted by a common cryptographic module and module access policies (MAPs).

Secret group with criteria

Secret groups with criteria function the same as a basic secret group, but further refine what is included using criteria. These criteria include:

Application scope
Package
Table
Secret column
Filter record

Secret groups of either type can be made instance accessible or client accessible.

Instance-side secret groups: Instance-side secret groups contain secrets that can be decrypted by your instance.
Client-side secret groups: Client-side secrets groups use a public/private key pair so that secrets can only be decrypted by the client. When you create a client-accessible secrets group, you upload the public key to the instance and retain the private key on your MID Server. The instance uses the public key to encrypt your secrets, but they can only be decrypted using the private key.

Note:

For more information on these group types, see About client-side Secrets Management.

Use secrets groups for more granular control

While Password2 is available on the ServiceNow platform, Secrets Management provides these additional features.


Granular access controls	Password2 With Password2, admins can control access to an application scope but can’t restrict access to elements within the scope. Secrets Management With Secrets Management, admins can restrict access based on criteria they define. Criteria types can be based on criteria such as package, table, or column.
Secure storage	For client-side secret groups, Secrets Management uses a new encryption scheme. In this encryption scheme, ServiceNow doesn’t save the encryption key. For this reason, the security of your data doesn’t depend on ServiceNow's security.

Apply module access policies to your groups

After you’ve grouped your secrets into a secret group, you can apply policies that determine how you can access them at a group level. Module access policies are the access control mechanisms that you apply to cryptographic modules to define instance-level controls, such as a validity time frame for the cryptographic key. For more information on module access policies, see Module access policy overview.

Tables installed with Secrets Management

Secrets Management adds or modifies these tables.


New tables
[sn_sm_secret_group]	Stores secret groups
[sn_sm_secret_group_criteria]	Stores criteria secret groups
[sn_sm_secret]	Stores wrapped secrets
[sn_sm_identity_group]	Defines the identity group for mapping a group of identities to the public key
[sys_kmf_wrapped_module_key]	Stores the wrapped symmetric cryptographic keys
Modified Tables
[sys_kmf_crypto_module]	Added cryptographic module type (identity cryptographic module or secret group cryptographic module)
[sys_kmf_module_key]	Stores conceptual secret encryption key (with no key material) Stores the identity public key
[sys_kmf_crypto_caller_policy]	Added new module access policy type

Secrets Management use case examples

Help ensure secure ITOM Discovery

This infographic shows a simplified reference architecture of how ServiceNow IT Operations Management (ITOM) Discovery can be deployed by your organization. As shown in the infographic, multiple Windows and Linux servers connect to the Management, Instrumentation, and Discovery (MID) Server and several MID Server agents enable the discovery process to update the Configuration Management Database (CMDB). Every MID Server transaction requires a secure authentication, so managing the authentication credentials is critical from a security perspective.

Architecture showing how ServiceNow IT Operations Management (ITOM) Discovery can be deployed

Accelerating workflow connectivity with Integration Hub securely

Use ServiceNow's Integration Hub to connect to different systems using automated application programming interface (APIs). Each time Integration Hub connects to a system using an API, an authentication credential is required to establish connectivity. Management of a multitude of applications and APIs for connectivity is made easier by using a secrets management solution.

Secrets Management is a key part of ensuring your organization’s cybersecurity. It covers all processes and tools related to the creation, storage, transmission, and management of digital credentials such as encryption keys, API tokens, and passwords. To manage secrets both securely and effectively, you can build a core secrets management policy that establishes standard rules and procedures for all phases of a secret’s lifecycle.