Module access policy debugger

  • Release version: Zurich
  • Updated July 31, 2025

    Use the module access policy debugger to review logging information and understand why your users are or aren’t granted access to an encryption context.

    Module access policies (MAPs) define instance-level controls for access to cryptographic modules. Callers (for example, a user or a script) require explicit access to use a cryptographic module for encryption and decryption. Use the debugger to see which policies are evaluated when a caller attempts to access a cryptographic module, and to learn why access is or isn’t granted.

    This flowchart shows how your instance evaluates requests for access to a cryptographic module.

    Flowchart showing how access to cryptographic modules is evaluated

    Control access to the debug logs

    Access to the module access debug logs is determined by role. Users with the sn_kmf.admin and sn_kmf.cryptographic_manager roles have access to the debugger. Grant access to other roles using the glide.kmf.module_access_policies.debugger.authorized.roles system property. The value of this property is a comma-separated list of roles that can access the debug logs. Because the debug output lists the policies, targets, and decisions evaluated for a cryptographic module, keep this list short and review it when you change it.
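    The following is an added example, not code from ServiceNow or from this page: plain JavaScript that mirrors the role rule above so you can check, offline, who would be able to read MAP debug logs after a change to the property. It assumes the two default roles named above always keep access and that the property only extends that set; on an instance, the property value would be read with gs.getProperty() and the caller's roles taken from the user record, but here both are passed in as arguments so the functions run stand-alone. The property value and role names in the sample are constructed for illustration.

```javascript
// Added example (not ServiceNow's own code). Computes which roles may read
// module access policy debug logs and whether a given caller qualifies.
//
// Assumptions (labelled as such):
//  * DEFAULT_DEBUGGER_ROLES are the two roles the page says have access by
//    default, and the property value extends that set rather than replacing it.
//  * On an instance the property value would come from
//    gs.getProperty(DEBUGGER_ROLES_PROPERTY, '') and the caller's roles from
//    the user record; here both are passed in so the code runs offline.

var DEBUGGER_ROLES_PROPERTY =
  'glide.kmf.module_access_policies.debugger.authorized.roles';

var DEFAULT_DEBUGGER_ROLES = ['sn_kmf.admin', 'sn_kmf.cryptographic_manager'];

// Parse the comma-separated property value into a clean list of role names.
// Trims whitespace and drops empty entries, so a value such as
// "security_admin, ,sn_kmf.auditor" never yields a blank role name that
// could accidentally match nothing (or, in a sloppier comparison, everything).
function parseAuthorizedRoles(propertyValue) {
  if (typeof propertyValue !== 'string' || propertyValue.trim() === '') {
    return [];
  }
  return propertyValue
    .split(',')
    .map(function (role) { return role.trim(); })
    .filter(function (role) { return role.length > 0; });
}

// Full set of roles permitted to read the debug logs: the defaults plus the
// property's additions, de-duplicated.
function debuggerAuthorizedRoles(propertyValue) {
  var roles = new Set(DEFAULT_DEBUGGER_ROLES);
  parseAuthorizedRoles(propertyValue).forEach(function (role) { roles.add(role); });
  return roles;
}

// Roles the property grants beyond the defaults. This is the list to review
// when auditing who can see MAP names, targets, and decisions in the output.
function extraDebuggerRoles(propertyValue) {
  var defaults = new Set(DEFAULT_DEBUGGER_ROLES);
  return parseAuthorizedRoles(propertyValue).filter(function (role) {
    return !defaults.has(role);
  });
}

// True when at least one of the caller's roles is in the authorized set.
function canViewMapDebugLogs(callerRoles, propertyValue) {
  var allowed = debuggerAuthorizedRoles(propertyValue);
  return callerRoles.some(function (role) { return allowed.has(role); });
}

// Constructed sample property value with sloppy spacing and an empty entry.
var SAMPLE_PROPERTY_VALUE = ' security_admin , ,sn_kmf.auditor';

// Stand-alone demonstration: who gains access beyond the defaults, and
// whether two hypothetical callers could read the debug logs.
console.log(DEBUGGER_ROLES_PROPERTY + ' adds: ' +
  extraDebuggerRoles(SAMPLE_PROPERTY_VALUE).join(', '));
console.log('itil only: ' + canViewMapDebugLogs(['itil'], SAMPLE_PROPERTY_VALUE));
console.log('sn_kmf.auditor: ' +
  canViewMapDebugLogs(['sn_kmf.auditor'], SAMPLE_PROPERTY_VALUE));
```

    Run it with Node to see the parsed additions and the two access decisions. The useful function for change review is extraDebuggerRoles(): if it returns a broad role such as itil, the debug logs have been opened to far more users than the two default KMF roles.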

    Enable or disable the debugger

    To enable debug logging messages for module access policies, navigate to All > Diagnostics > Session Debug > Debug Module Access Policies.

    When you’re finished debugging, disable the logging messages by navigating to All > Diagnostics > Session Debug > Disable All.

    Access the logs

    After enabling debugging, navigate to a page that triggers a MAP evaluation to view the MAP debug logs. Debug messages appear at the bottom of the page.
    Tip:
    You can use impersonation to troubleshoot access for other users. For details on impersonation, see Impersonating users. To view the debug logs from the perspective of another user, make sure that your module access policies with the role type have the Impersonation field set to true; otherwise those policies are not evaluated for the impersonated user and the logs will not reflect that user’s access.
    Example debug output

    In this example, a caller makes two access requests to the global.fuji cryptographic module: a symmetric encryption, which is granted, and a symmetric decryption, which is denied.

    Understanding log entries

    Debugging information is structured using this format.

    1. The first line shows the cryptographic module that received the access request.
    2. The lines between the first and last show the evaluated MAPs in the order in which they were evaluated, including each policy’s name, type, target, granular operation, and result.
    3. The last line shows the policy decision (if applicable) and the net access result for the caller, that is, whether the caller is granted access.

    Each line starts with an icon that indicates its message type.

    Table 1. Message icons
    Icon Message type
    Informational icon Informational message
    MAP grant access icon Module access policy grants access
    MAP deny access icon Module access policy denies access
    Caller grant access icon Caller is granted access
    Caller deny access icon Caller is denied access
    No MAP icon No module access policy to evaluate

    Debug log examples

    Access granted message
    Debugging output for granted access
    Access denied message
    Debugging output for denied access
    Access denied (no module access policies to evaluate)
    Debugging output for denied access due to no MAP policies
    Access denied (insufficient privileges)
    Debugging output for denied access due to insufficient privileges