Enabling AJAXGlideRecord ACL checking (instance security hardening)
Summarize
Summary of Enabling AJAXGlideRecord ACL Checking (Instance Security Hardening)
The glide.script.secure.ajaxgliderecord property enhances security by enforcing Access Control List (ACL) validation for server-side records accessed via GlideAjax APIs in client scripts. This ensures that users can only query data they are authorized to access, thereby preventing unauthorized data exposure.
Show less
Key Features
- Property Name: glide.script.secure.ajaxgliderecord
- Configuration Type: System Properties
- Recommended Value: true
- Functional Impact: Ensures security ACLs are checked when accessing server-side records through AJAXGlideRecord API calls.
- Security Risk: High - Without proper ACL validation, unauthorized access to server-side resources is possible.
Key Outcomes
By enabling this property, ServiceNow customers can ensure that all AJAXGlideRecord API calls are validated against the configured ACLs, enhancing the overall security of their instance. Customers are advised to create appropriate ACLs for all entities used in GlideAjax to maintain authorization integrity. Additionally, methods such as canRead(), canWrite(), and GlideRecordSecure can be utilized for better authorization management.
Use the glide.script.secure.ajaxgliderecord property to perform access control rule (ACL) validation when server-side records, such as tables, are accessed using GlideAjax APIs within a client script.
From client scripts, it is possible to query arbitrary data from the server using the AJAXGlideRecord (GlideAjax - Client) API, by using a syntax such as a server-side glide record. It is a powerful and useful tool in many deployments.
If you choose to apply, Access Control Lists (ACL) to GlideAjax API calls, you can only query data to which the currently connected user has access. For example, if an ESS user who has no rights to read the cmn_location table is logged in, any GlideAjax API call to that table would fail.
If the ServiceNow AI Platform is running without GlideAjax ACL call checking, an API can return information that the currently logged in user could not otherwise access.
More information
| Attribute | Description |
|---|---|
| Property name | glide.script.secure.ajaxgliderecord |
| Configuration type | System Properties (/sys_properties_list.do) |
| Configure in Instance Security Center | Yes |
| Purpose | Ensure security ACLs are checked and validated even when the records are accessed through Client Side APIs. |
| Recommended value | true |
| Functional Impact | This remediation enforces the ACL relationship with server-side records when the requests are made using the AJAXGlideRecord API calls. If the ACL configuration is not properly configured, then there is potential impact. For more details on its impact, and how to identify it, see Refer to the Audit and review client-side GlideRecord (AJAXGlideRecord) transactions [KB0550828] article in the HI Knowledge Base . |
| Security risk | (High) Through client scripts, it is possible to query arbitrary data from the server through the GlideAjax API. Server-side resources can be accessed without proper authorization, so using ACL validation helps the application validate the request based on the configured authorization. |
| Workaround | Ensure that proper ACLs are created for script includes, processors, and other entities used by a GlideAjax (AJAXGlideRecord) API so that it executes under proper authorization. Implement methods like Another method is to use GlideRecordSecure. The class is inherited from the GlideRecord Server that performs the same functions as GlideRecord, and also enforces ACLs. |
| References | Apply ACLs to AJAXGlideRecord (client-side Glide record)
This property belongs to the
same family of properties that secure and restrict execution of scripts
originating from the client:
|
To learn more about adding or creating a system property, see Add a system property.