Contextual Security Manager

  • Release version: Zurich
  • Updated June 3, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Contextual Security Manager

    Contextual Security Manager enhances data protection in ServiceNow by controlling read, write, create, and delete authorizations with awareness of the system table hierarchy. It allows you to create specific, contextual security rules for fields based on their hierarchical location within the system, offering more precise and flexible security control than legacy methods.

    Show full answer Show less

    Key Features

    • Contextual Security: Secures records based on their content, enabling fine-grained access control.
    • Hierarchical Security: Applies security rules at any level within the object hierarchy, increasing granularity.
    • Field and Table Security via ACLs: Unlike the legacy Simple Security Manager that used roles on dictionary entries, Contextual Security Manager enforces security through ACL rules on fields and tables.
    • Role Management Changes: Roles are assigned through the Roles related list on users or groups rather than directly on the user record, reflecting the updated security model.
    • Application and Module Access: Roles required to access applications and modules remain defined via role arrays, ensuring controlled visibility.
    • Inherited Roles for Groups: Groups continue to inherit roles automatically when the inheritance flag is set, maintaining expected role propagation.
    • Security Attribute Conditions: Starting from the Vancouver release, ACLs support Security Attribute Conditions that evaluate user or session properties (like group membership or network location) for access decisions. These conditions can be local to an ACL or reusable across multiple ACLs.
    • Role Management Plugins: Contextual Security: Role Management and its V2 version handle role assignment and prevent duplicate role entries. V2 supports audit logging of role changes via a system property.

    Key Outcomes

    • Improved Security Precision: Enables you to secure data at a more granular level based on context and hierarchy, enhancing compliance and data protection.
    • Modernized Role Handling: Shifts role assignment practices to the Roles related list, aligning with the new security framework and improving manageability.
    • Streamlined Upgrades: Upgrading to Role Management V2 helps eliminate duplicate role entries and enables auditing for better role governance.
    • Flexible Access Controls: Security Attribute Conditions provide dynamic, context-aware access decisions beyond traditional role and condition checks.
    • Mandatory ACL Usage: After installing Contextual Security Manager, securing fields and tables requires ACLs. Legacy dictionary role assignments no longer affect access rights.

    Contextual Security Manager protects your data by controlling read, write, create, and delete authorization.

    Key advantages

    The Contextual Security Manager is aware of the system table hierarchy, enabling you to create specific security rules for a field based on where in the hierarchy it is displayed. Benefits of the Contextual Security Manager include:

    • Contextual security: Secure a record based on the contents of the record.
    • Hierarchical security: Apply security rules to any level in the object hierarchy.

    Securing fields and tables

    With the legacy Simple Security Manager, you could secure fields and tables by adding roles to the appropriate dictionary entry. With the Contextual Security Manager, these dictionary roles are no longer tested. Instead, the system looks for ACL rules on fields and tables.

    Warning:
    After you install the Contextual Security Manager, you must secure fields and tables via ACL rules. Even if you Configuring the form layout the dictionary form and add roles to a dictionary entry, no change in rights occurs.

    Contextual security and roles

    You can grant roles to users or groups. However, after installing the Contextual Security Manager, the roles field on the user record is no longer checked and no longer appears on your user and group forms. Instead, you must add roles to the Roles related list instead of to the user or group record.

    Applications and modules contain lists of the roles required to view them. For example, to view the System Definition application, the admin role is required. Security rights for applications and modules are still defined using role arrays.

    Both catalog items and catalog variables contain lists of the roles required to view them. Security rights for catalog items and catalog variables are still defined via these role arrays.

    Under the Contextual Security Manager, a group still automatically inherits any role granted to the group when the inherits flag for the role is set to true.

    Activating the Contextual Security Manager

    The Contextual Security Manager is active in the base system. If there are many duplicate entries in the User Roles table, you may need to upgrade to Contextual Security: Role Management V2 to eliminate duplicate roles. Plugins include:

    Contextual Security: Role Management [com.glide.role_management]
    Provides contextual security functionality. This plugin is automatically installed.
    Contextual Security: Role Management V2 [com.glide.role_management.inh_count]
    Prevents duplicate entries caused by inherited roles in the User Roles [sys_user_has_role] table. This plugin is automatically installed on new instances and can be activated for upgrades. The Contextual Security: Role Management Enhancements plugin is a previous version of this plugin. The Role Management Enhancements plugin does not include the RoleManagementVerify() script. This script returns a list of changes that an upgrade will perform, enabling you to monitor changes made by the plugin.
    Note:
    After activating Role Management V2, you must set the glide.role_management.v2.audit_roles system property to allow the Audit Roles table to create audit records related to user roles. To learn more about setting this property and about the Audit Roles table, see:

    Security Attribute Conditions

    Starting with the Vancouver release, ACL rules support a Security Attribute Condition type in addition to the standard role, condition, and script fields. Security Attribute Conditions evaluate properties of the current user or session, such as group membership, authentication state, or network location, to determine whether access is granted.

    Security Attribute Conditions can be defined as local or existing:

    Local
    The condition is saved only to the ACL where it is created. Conditions default to local.
    Existing
    The condition references a Security Attribute condition already defined on another ACL, enabling reuse across multiple rules.

    For a complete list of built-in security attribute types and configuration details, see Security Attributes fundamentals and Security Attribute Scope.