Restrict Global App Development by Role [New in Security Center 2.0]

Zurich Platform security

Release

zurich

ft:locale

en-US

ft:publication_title

Zurich Platform security

ft:clusterId

psec

bundleId

psec

workflow

Platform

Restrict Global App Development by Role [New in Security Center 2.0]

Release version: Zurich

Updated July 31, 2025

1 minute to read

Use the sn_g_app_creator.allow_global property to control which users can create applications in the global scope using the Guided Application Creator.

If sn_g_app_creator.allow_global is set to the recommended value of false, users require the sn_g_app_creator.global role to create applications in the global scope. Conversely, if set to the insecure value of true, any user with the basic sn_g_app_creator.app_creator role can create global applications. Global applications lack scope protection, allowing developers access to extensive features and functions beyond specific scopes. Restricting global application development to users with the additional role adheres to the principle of least privilege.

Note:

This property does not come pre-configured in your instance. You must manually create and configure this property according to your organization's needs.

More information


Attribute	Description
Configuration name	sn_g_app_creator.allow_global
Configuration type	System Properties (/sys_properties_list.do)
Data type	Boolean
Recommended value	false
Default value	false
Category	Access control
Security risk	Severity score: 3.3 CVSS score: Low Security risk details: Failing to set this property to the recommended value could allow any user with the sn_g_app_creator.app_creator role to create global applications, which does not adhere to the principle of least privilege.
Dependencies and prerequisites	None
Functional impact	Enhanced the API (/api/now/templates) to validate the create global application ACL and property.