Require AJAXGlideRecord ACL checking [Updated in Security Center 1.3]

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Require AJAXGlideRecord ACL checking [Updated in Security Center 1.3]

    Theglide.script.secure.ajaxgliderecordsystem property enforces Access Control List (ACL) validation on server-side records accessed via GlideAjax APIs from client scripts. This ensures users can only query data they are authorized to view or manipulate. Without this enforcement, sensitive data might be exposed through client-side GlideAjax calls, bypassing normal ACL protections.

    Show full answer Show less

    This property is a safe harbor, meaning once enabled, it cannot be reverted or disabled, emphasizing its importance in maintaining data security.

    Key Features

    • ACL Enforcement on GlideAjax Calls: Validates access rights for data requests made through AJAXGlideRecord APIs, preventing unauthorized data access from client scripts.
    • GlideRecordSecure Recommendation: Encourages use of GlideRecordSecure instead of GlideRecord for stricter, out-of-the-box ACL enforcement on server-side data queries.
    • Security Risk Mitigation: Addresses a high-risk scenario where client scripts could otherwise retrieve unauthorized data, improving overall system security.
    • Non-Revertible Setting: Once set to true, the property cannot be changed back, ensuring consistent enforcement of ACL checks.

    Practical Implications for ServiceNow Customers

    • Enabling this property helps secure client-side GlideAjax data access by enforcing ACLs, reducing risk of data leaks or unauthorized queries.
    • Proper ACLs must be configured on script includes, processors, and related components used by GlideAjax to ensure correct authorization.
    • Developers should implement authorization methods such as canRead(), canWrite(), canCreate(), and canDelete() in scripts to maintain secure access control.
    • Using GlideRecordSecure is recommended for server-side queries to automatically enforce ACLs, offering a more secure alternative to GlideRecord.

    Next Steps

    • Verify your ACL configurations on tables and script includes involved in GlideAjax calls to avoid functional disruptions after enabling this property.
    • Audit client-side GlideRecord (AJAXGlideRecord) transactions to identify any unauthorized access attempts.
    • Review ServiceNow documentation on adding system properties and securing client-originated scripts to support secure implementation.

    Use the glide.script.secure.ajaxgliderecord property to perform access control rule (ACL) validation when server-side records, such as tables, are accessed using GlideAjax APIs within a client script.

    From client scripts, it is possible to query arbitrary data from the server using the AJAXGlideRecord (GlideAjax - Client) API, by using a syntax such as a server-side glide record. It is a powerful and useful tool in many deployments.

    If you choose to apply Access Control Lists (ACL) to GlideAjax API calls, you can only query data to which the currently connected user has access. For example, if an ESS user who has no rights to read the cmn_location table is logged in, any GlideAjax API call to that table would fail.

    If the ServiceNow AI Platform is running without GlideAjax ACL call checking, an API can return information that the currently logged in user could not otherwise access.

    Use GlideRecordSecure when querying data to ensure the highest level of security. GlideRecord relies on ACL enforcement through configurations whereas GlideRecordSecure applies stricter security controls. GlideRecordSecure offers a more secure, out-of-the-box solution for handling sensitive data.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    Attribute Description
    Property name glide.script.secure.ajaxgliderecord
    Configuration type System Properties (/sys_properties_list.do)
    Category Access control
    Purpose Ensure security ACLs are checked and validated even when the records are accessed through Client Side APIs.
    Recommended value true
    Default value true
    Security risk rating 8.1
    Functional impact This remediation enforces the ACL relationship with server-side records when the requests are made using the AJAXGlideRecord API calls. If the ACL configuration is not properly configured, then there is potential impact. For more details on its impact, and how to identify it, see Refer to the Audit and review client-side GlideRecord (AJAXGlideRecord) transactions [KB0550828] article in the HI Knowledge Base .
    Security risk (High) Through client scripts, it is possible to query arbitrary data from the server through the GlideAjax API. Server-side resources can be accessed without proper authorization, so using ACL validation helps the application validate the request based on the configured authorization.
    Workaround

    Ensure that proper ACLs are created for script includes, processors, and other entities used by a GlideAjax (AJAXGlideRecord) API so that it executes under proper authorization.

    Implement methods like canRead (), canWrite(), canCreate (), and canDelete () to perform user authorization before accessing table records using GlideRecord.

    Another method is to use GlideRecordSecure. The class is inherited from the GlideRecord Server that performs the same functions as GlideRecord, and also enforces ACLs.
    References Apply ACLs to AJAXGlideRecord (client-side Glide record)

    This property belongs to the same family of properties that secure and restrict execution of scripts originating from the client, such as glide.script.allow.ajaxevaluate. For more information, see Enable AJAXEvaluate.

    To learn more about adding or creating a system property, see Add a system property.