Access Controls Auditor checks

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read

    Summary of Access Controls Auditor checks

    The Access Controls Auditor in ServiceNow Yokohama release helps you evaluate and enhance the security of your instance by auditing Access Control List (ACL) rules. ACLs restrict data access by enforcing specific criteria users must meet before interacting with data. This auditor performs checks against eight key security criteria to identify potential vulnerabilities or misconfigurations.


    Key Features

    • Protection of SCRIPT Processors with CSRF Tokens: Ensures all script-type processors require Cross-site Request Forgery (CSRF) tokens to prevent unauthorized execution.
    • Knowledge Base Contribution Criteria: Verifies that each knowledge base defines user criteria for "Can Contribute" or "Cannot Contribute" to control who can add content.
    • Detection of Empty ACLs: Identifies ACL records lacking security attributes or roles, including those assigned to the public role, which can lead to open access.
    • ACLs on Client-Callable Script Includes: Confirms that client-callable script includes are protected by ACLs with required roles to prevent unauthorized usage.
    • ACLs on UI Pages: Checks that UI Pages have ACLs to restrict access and prevent unauthorized modifications by logged-in users.
    • ACLs on Tables: Ensures tables have ACLs restricting data access only to authorized users.
    • User Role Assignments: Detects users assigned both internal and external roles, which should be mutually exclusive to maintain clear access boundaries.
    • Public Access to Knowledge Bases and Articles: Flags knowledge bases and articles that are publicly accessible, recommending audience-specific restrictions to enhance security.

    Key Outcomes

    By leveraging the Access Controls Auditor checks, ServiceNow customers can:

    • Identify and remediate ACL weaknesses or misconfigurations that could expose sensitive data or enable unauthorized actions.
    • Ensure proper use of security tokens and role-based access controls to protect scripts, UI components, and data tables.
    • Maintain clear separation of internal and external user roles to uphold security policies.
    • Control knowledge base content contribution and visibility, limiting access to appropriate audiences.
    • Improve overall instance security posture by systematically applying best practices for access control enforcement.

    Learn about the checks available in the default Access Controls Auditor Suites, what criteria they evaluate, and how they can be used to improve the security of your instance.

    Access Control List rules (ACLs) restrict access to data by requiring users to pass a set of requirements before they can interact with it. Access Controls Auditor checks evaluate your instance according to the eight criteria listed in the following table. Use the findings from these checks to improve the security of your instance.
    Table 1. Access Controls Auditor checks

    | Check Name | Check Criteria | Description |
    | --- | --- | --- |
    | All Processors of type - SCRIPT must be protected with CSRF Token | Checks for Processors with the SCRIPT type that aren’t protected with a CSRF token. | All Processors with the SCRIPT type should be protected with a Cross-site Request Forgery (CSRF) token. These processors should have the CSRF option checked, which prohibits the processor from running unless the instance uses a CSRF token. |
    | Can Contribute / Cannot Contribute user criteria to be defined on each knowledge | Checks for knowledge base records that don’t have Can Contribute or Cannot Contribute user criteria defined. | Each knowledge base should have either Can Contribute or Cannot Contribute user criteria defined. Otherwise, any user can contribute content to a knowledge base with no Contribute criteria defined. |
    | Empty ACLs | Checks for Access Control List (ACL) records that have no security attribute, no role, or the public role. | Leaving ACLs empty or using the public role may provide open access to any content protected by this ACL. |
    | Access Controls on Client callable Script Includes | Checks for client-callable script includes that aren’t secured by ACLs. | All client callable script includes should be secured with an ACL using required roles. |
    | Access controls on UI Pages | Checks for UI Pages that aren’t secured by ACLs. | Without an ACL securing access to a UI Page, that UI Page is accessible to all logged-in internal users. Without any restrictions, logged-in users can potentially make unauthorized changes. |
    | Access controls on Tables | Checks for tables without ACLs. | Tables should be secured with ACLs. Access to data stored in tables should be limited only to users that need it. |
    | User Account shouldn’t have both Internal and External roles | Checks for user records with both Internal and External roles assigned. | Internal user roles are intended for users within your company. External user roles are intended for external personnel, such as customers and partners. |
    | Publicly accessible knowledge base and articles | Checks for publicly accessible knowledge bases and knowledge base articles. | Publicly accessible knowledge bases and articles are visible to all users in the instance. Increase security by limiting knowledge bases and articles to the specific audience that needs them. |
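    The two checks that are easiest to reason about outside an instance, "Empty ACLs" and "User Account shouldn’t have both Internal and External roles" (rows 3 and 7 of the table, and the matching Key Features bullets), as an added example that is not ServiceNow’s own code and not the auditor’s implementation. It runs offline over constructed record exports; the field names (`roles`, `condition`, `script`, `user`, `role`) and the internal/external role sets are assumptions modelled loosely on the sys_security_acl and sys_user_has_role tables, and treating "no role and no condition or script" as empty is this example’s reading of the check criteria.

```javascript
// Added example, not ServiceNow code: offline re-implementation of two
// Access Controls Auditor checks over constructed record exports.
// Field names are assumptions; the auditor's own logic is not shown on the page.

// Constructed ACL export. `roles` holds the role names attached to the ACL;
// `condition` and `script` stand in for the non-role "security attributes"
// (an assumption about what the check considers).
const ACLS = [
  { name: 'incident',     operation: 'read',   roles: ['itil'],   condition: '',            script: '' },
  { name: 'incident',     operation: 'write',  roles: [],         condition: '',            script: '' },
  { name: 'kb_knowledge', operation: 'read',   roles: ['public'], condition: '',            script: '' },
  { name: 'sys_user',     operation: 'delete', roles: [],         condition: 'active=true', script: '' },
  { name: 'cmdb_ci',      operation: 'read',   roles: [],         condition: '',            script: 'answer = gs.hasRole("asset");' },
];

// Flag ACLs that restrict nothing (no role and no condition/script) and ACLs
// that grant the public role. An ACL with only a condition or a script is not
// treated as empty here; that interpretation is this example's, not the page's.
function auditEmptyAcls(acls) {
  const findings = [];
  for (const acl of acls) {
    const reasons = [];
    const hasRole = acl.roles.length > 0;
    const hasAttribute = acl.condition.trim() !== '' || acl.script.trim() !== '';
    if (!hasRole && !hasAttribute) reasons.push('no role and no security attribute');
    if (acl.roles.includes('public')) reasons.push('grants the public role');
    if (reasons.length > 0) findings.push({ acl: `${acl.name}.${acl.operation}`, reasons });
  }
  return findings;
}

// Role classification. Assumption: a real audit would derive this from the
// role definitions rather than hard-code it. `example_partner_role` is a
// constructed name; the others are standard ServiceNow role names.
const INTERNAL_ROLES = new Set(['itil', 'admin', 'knowledge']);
const EXTERNAL_ROLES = new Set(['snc_external', 'example_partner_role']);

// Constructed user-role assignments (sys_user_has_role style, one row per grant).
const ASSIGNMENTS = [
  { user: 'abel.tuter',     role: 'itil' },
  { user: 'abel.tuter',     role: 'snc_external' },
  { user: 'beth.anglin',    role: 'itil' },
  { user: 'beth.anglin',    role: 'knowledge' },
  { user: 'carol.coughlin', role: 'example_partner_role' },
];

// Group grants per user and report anyone holding at least one internal and
// at least one external role, which the check treats as mutually exclusive.
function auditRoleMix(assignments, internal = INTERNAL_ROLES, external = EXTERNAL_ROLES) {
  const byUser = new Map();
  for (const { user, role } of assignments) {
    if (!byUser.has(user)) byUser.set(user, { internal: [], external: [] });
    const entry = byUser.get(user);
    if (internal.has(role)) entry.internal.push(role);
    else if (external.has(role)) entry.external.push(role);
  }
  const findings = [];
  for (const [user, { internal: i, external: e }] of byUser) {
    if (i.length > 0 && e.length > 0) findings.push({ user, internal: i, external: e });
  }
  return findings;
}

// Run both checks and return the findings keyed by the auditor's check names.
function runAudit() {
  return {
    'Empty ACLs': auditEmptyAcls(ACLS),
    "User Account shouldn't have both Internal and External roles": auditRoleMix(ASSIGNMENTS),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

    Against the constructed data the first check reports `incident.write` (nothing restricts it) and `kb_knowledge.read` (public role), and the second reports `abel.tuter`, who holds both `itil` and `snc_external`; `sys_user.delete` and `cmdb_ci.read` are not reported because a condition or script still restricts them. Swap the constructed arrays for real exports to reproduce the findings the auditor would raise for those two checks.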