Enhanced Access Control for Operational Technology

  • Release version: Zurich
  • Updated March 12, 2026

    Enhanced Access Control for Operational Technology (OT) implements data filters, deny unless access control rules (ACLs), and ACL query rules to help promote system security.

    Enhanced Access Control overview

    Enhanced Access Control provides the following components for configuring access control on your data, which helps you avoid misconfigurations and security issues.

    Data filters
    Ability to control access at the query level.

    Deny Unless ACLs
    Ability to deny access to data unless the specified conditions are met.

    ACL Query Rules
    Exact query and range query ACL operations to control query privileges.

    Enhanced Access Control for OT

    Deny Unless ACLs help enforce IT and OT separation and site-based access.

    IT and OT separation
    Non-OT users can't view OT devices in Configuration Management Database (CMDB) tables. If a device is classified as an OT CI, only users assigned the cmdb_ot_viewer role or the cmdb_ot_editor role can access it. The following table describes each role.

    Table 1. OT roles to view OT CIs

    Role                          Description
    OT Viewer [cmdb_ot_viewer]    Read-only access to OT device records.
    OT Editor [cmdb_ot_editor]    Create, read, update, and delete access for Operational Technology (OT) extension classes.

    Note:
    Users assigned the cmdb_ot_editor role can edit and delete only OT configuration items (CIs); they can't edit IT CIs.

    OT users are also restricted from editing or deleting IT configuration items (CIs) through related lists. Users assigned the cmdb_ot_editor role or the cmdb_ot_admin role can't edit or delete IT CIs in the following related lists:
    • IP Address
    • Network Adapter
    • Storage Device
    • File System
    • Memory Module
    • Patch = CI Field
    • Package = CI Field
    • Managed Network

    Site-based access

    Site-based access specifies which users can view, edit, and delete OT devices for a designated site. You can assign site-based access to users by using Can Read or Can Edit user criteria. For more information about assigned Can Read access, see Assign the user criteria for Can Read access to a site. For more information about assigning Can Edit access, see Assign the user criteria for Can Edit access to a site.

    The following table describes the site-based access for users assigned the cmdb_ot_viewer role or the cmdb_ot_editor role.

    Table 2. Site-based access for OT roles

    Role              Site-based permission
    cmdb_ot_viewer    With Can Read access, users assigned the cmdb_ot_viewer role can only view OT devices for a designated site.
                      For example, if you're assigned the cmdb_ot_viewer role and have Can Read access to the Atlanta site, then you can only view the site's OT devices. You can't edit or delete the OT devices associated with Atlanta.
    cmdb_ot_editor    To edit OT devices, users with the cmdb_ot_editor role should be assigned Can Edit access for the site, or sites, they belong to.
                      For example, if you're assigned the cmdb_ot_editor role but only have Can Read access to the Atlanta site, you can only view the devices associated with Atlanta. If you're assigned the cmdb_ot_editor role and have Can Edit access to the San Diego site, you can edit or delete the devices associated with San Diego.

    Enhanced Access Control for OT CMDB CI related record tables

    Non-OT users can't view OT devices in the following OT-related CMDB CI related record tables:
    • IP Address [cmdb_ci_ip_address]
    • Network Adapter [cmdb_ci_network_adapter]
    • Serial Number [cmdb_serial_number]
    If a related record is an OT device, only users assigned the cmdb_ot_viewer role can view it, and only users assigned the cmdb_ot_editor role can edit it.

    Related records also adhere to site-based access restrictions. With Can Read access, users assigned the cmdb_ot_viewer role can only view the OT-related CMDB CI records for a designated site. Users with the cmdb_ot_editor role must be assigned Can Edit access for a site to edit or delete the OT-related CMDB CI records of the designated site.
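    The following added example models the deny-unless decisions described in the "IT and OT separation" and "Site-based access" sections and in the related record tables section above, as plain JavaScript (the language of ServiceNow server scripts). It is not ServiceNow's code and calls no Glide APIs; the user, record and site-criteria shapes, the Atlanta/San Diego sample data, and the assumption that Can Edit on a site also lets a user view that site's records are constructed for the illustration.

```javascript
// Added example: plain JavaScript model of the deny-unless decisions this page
// describes for OT CIs and their related records. Not ServiceNow code and no
// Glide APIs; user, record and site-criteria shapes are constructed here.
const OT_VIEWER = "cmdb_ot_viewer";
const OT_EDITOR = "cmdb_ot_editor";
const OT_ADMIN = "cmdb_ot_admin";

// Related lists in which OT editors/admins can't edit or delete IT CIs (list
// from the page; "Patch" and "Package" are the CI-field entries).
const RESTRICTED_IT_RELATED_LISTS = new Set([
  "IP Address", "Network Adapter", "Storage Device", "File System",
  "Memory Module", "Patch", "Package", "Managed Network",
]);

// Stand-in for Can Read / Can Edit user criteria on a site:
// siteAccess[site] = { canRead: Set of user ids, canEdit: Set of user ids }.
function siteGrants(siteAccess, site, userId) {
  const s = siteAccess[site] || { canRead: new Set(), canEdit: new Set() };
  return { canRead: s.canRead.has(userId), canEdit: s.canEdit.has(userId) };
}

const hasRole = (user, role) => user.roles.includes(role);

// Deny-unless decision for a record (a CI or a related record such as an IP
// address). operation: "read" | "create" | "update" | "delete". Every required
// condition must hold; anything that does not match falls through to deny.
function decideOtAccess(user, record, operation, siteAccess) {
  // Non-OT records are outside these rules; regular CMDB ACLs decide (assumption).
  if (!record.isOt) return { allowed: true, reason: "not an OT record" };
  const isViewer = hasRole(user, OT_VIEWER);
  const isEditor = hasRole(user, OT_EDITOR);
  if (!isViewer && !isEditor) return { allowed: false, reason: "no OT role" };
  const g = siteGrants(siteAccess, record.site, user.id);
  if (operation === "read") {
    // Assumption: Can Edit on a site implies the ability to view its records.
    return g.canRead || g.canEdit
      ? { allowed: true, reason: "OT role + site read" }
      : { allowed: false, reason: "no Can Read for site " + record.site };
  }
  if (!isEditor) return { allowed: false, reason: "viewer is read-only" };
  return g.canEdit
    ? { allowed: true, reason: "editor + Can Edit for site" }
    : { allowed: false, reason: "editor lacks Can Edit for site " + record.site };
}

// IT CIs reached through the restricted related lists: OT editors and OT admins
// may not edit or delete them, regardless of site access.
function otRoleBlockedOnItRelatedList(user, relatedList) {
  const otWriteRole = hasRole(user, OT_EDITOR) || hasRole(user, OT_ADMIN);
  return otWriteRole && RESTRICTED_IT_RELATED_LISTS.has(relatedList);
}

// Constructed sample data mirroring the Atlanta / San Diego examples on the page.
const SITE_ACCESS = {
  "Atlanta":   { canRead: new Set(["alice", "bob"]), canEdit: new Set() },
  "San Diego": { canRead: new Set(),                 canEdit: new Set(["bob"]) },
};
const USERS = {
  alice: { id: "alice", roles: [OT_VIEWER] }, // viewer; Can Read Atlanta
  bob:   { id: "bob",   roles: [OT_EDITOR] }, // editor; Can Read Atlanta, Can Edit San Diego
  carol: { id: "carol", roles: ["itil"] },    // no OT role
};
const RECORDS = {
  plcAtlanta:  { isOt: true,  site: "Atlanta",   table: "cmdb_ci" },
  plcSanDiego: { isOt: true,  site: "San Diego", table: "cmdb_ci" },
  ipSanDiego:  { isOt: true,  site: "San Diego", table: "cmdb_ci_ip_address" },
  itServer:    { isOt: false, site: "Atlanta",   table: "cmdb_ci_server" },
};

// Evaluate the sample scenarios and return one decision line per case.
function runScenarios() {
  const cases = [
    ["alice", "plcAtlanta",  "read"],
    ["alice", "plcAtlanta",  "update"],
    ["bob",   "plcAtlanta",  "update"],
    ["bob",   "plcSanDiego", "delete"],
    ["bob",   "ipSanDiego",  "update"],
    ["carol", "plcAtlanta",  "read"],
    ["carol", "itServer",    "read"],
  ];
  return cases.map(([u, r, op]) => {
    const d = decideOtAccess(USERS[u], RECORDS[r], op, SITE_ACCESS);
    return `${u} ${op} ${r}: ${d.allowed ? "ALLOW" : "DENY"} (${d.reason})`;
  });
}

console.log(runScenarios().join("\n"));
```

    The model makes the deny-unless shape explicit: a request is allowed only when an OT role is held, the operation matches the role (viewers never write), and the site criteria grant the matching level for the record's own site. Related records such as cmdb_ci_ip_address go through the same function, which is why the site on the related record, not on the user, drives the decision.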