Default deny (instance security hardening)
Use the glide.sm.default_mode property to control the default behavior of the security manager when it finds that existing ACL rules are part of wildcard table ACL rules.
When the High Security Settings (com.glide.high_security) plugin is activated during initial instance installation, it creates this property, and wildcard ACL rules come into existence. To provide role-based access to system tables, these rules control a significant number of ACLs and most common record-based operations:
- Read
- Write
- Create
- Delete
Unless you use the High Security plugin with the default deny option enabled, many tables are not protected. The ServiceNow AI Platform uses a default deny security model that prevents non-administrator users from accessing objects unless they meet a matching ACL rule. This model removes many attack vectors, such as insecure scripts.
More information
| Attribute | Description |
|---|---|
| Property name | glide.sm.default_mode |
| Configuration type | System Properties (/sys_properties_list.do) |
| Configure in Instance Security Center | Yes |
| Purpose | Best security practice is to restrict access to the tables by unauthorized users. |
| Recommended value | deny |
| Functional Impact | If you set this property to Allow, the wildcard table ACL rules allow CRUD operations on all tables unless there are specific table ACL rules in place to restrict such operations. Note: This plugin is not intended for existing instances, as it might modify security access to tables that are already in use in a production environment. |
| Security risk | (High) Non-administrator users can access objects that match the wildcard table ACL rules. |
| References | Default deny property |
To learn more about adding or creating a system property, see Add a system property.
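
A hardening check for this property can be scripted. The following is an added example, not ServiceNow code: it evaluates a JSON export of sys_properties rows and reports whether glide.sm.default_mode is set to the recommended value. It assumes the export uses the Table API response shape (a `result` array of rows with `name` and `value` fields); the sample responses are constructed.

```python
import json

PROPERTY = "glide.sm.default_mode"
RECOMMENDED = "deny"

# Constructed sample responses (assumed shape: {"result": [{"name": ..., "value": ...}]}).
SAMPLE_DENY = '{"result": [{"name": "glide.sm.default_mode", "value": "deny"}]}'
SAMPLE_ALLOW = '{"result": [{"name": "glide.sm.default_mode", "value": "Allow"}]}'
SAMPLE_MISSING = '{"result": []}'


def audit_default_mode(response_text):
    """Return a finding dict for glide.sm.default_mode from a sys_properties export."""
    try:
        rows = json.loads(response_text).get("result")
    except (ValueError, AttributeError):
        rows = None
    if not isinstance(rows, list):
        return {"status": "error", "value": None,
                "detail": "input is not a JSON object with a result array"}

    # Collect every value recorded for the property, normalised for comparison.
    values = sorted({str(r.get("value", "")).strip().lower()
                     for r in rows
                     if isinstance(r, dict) and r.get("name") == PROPERTY})

    if not values:
        # The property is created by the High Security plugin, so an absent
        # row means default deny is not configured on this instance.
        return {"status": "fail", "value": None,
                "detail": PROPERTY + " is not defined"}
    if values == [RECOMMENDED]:
        return {"status": "pass", "value": RECOMMENDED,
                "detail": "default deny is in effect"}
    # Any other value (for example allow) leaves wildcard table ACL rules
    # permitting CRUD operations where no table-specific ACL restricts them.
    return {"status": "fail", "value": ",".join(values),
            "detail": "set " + PROPERTY + " to " + RECOMMENDED}


if __name__ == "__main__":
    for name, sample in [("deny", SAMPLE_DENY), ("allow", SAMPLE_ALLOW),
                         ("missing", SAMPLE_MISSING)]:
        print(name, audit_default_mode(sample))
```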