Module access policy visualization

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Module Access Policy Visualization

    Module access policy visualization provides a centralized UI page for Key Management Framework admins and cryptographic managers to view all access control mechanisms related to a cryptographic module. It enables users to determine access to encrypted information within their instance.

    Show full answer Show less

    Key Features

    • Access Control Visibility: Users with the snkmf.admin or snkmf.cryptographicmanager roles can access the UI page through All > Key Management > Cryptographic Modules > All.
    • Result Field: Displays access status with labels such as:
      • Track or Allow Access: Grants access to all users.
      • Reject Access: Denies access unless a track module policy is present.
      • Strict Reject: Denies all access.
      • N/A: Indicates no existing module access policy.
    • Global Policies: Review platform-level access policies with options to manage or create new policies.
    • Granular Policies: View lists of module access policies organized by type and filter active policies.
    • Users with Access: Lists all users with access to the selected cryptographic module, grouped by user.

    Key Outcomes

    Utilizing the module access policy visualization allows customers to effectively manage and evaluate access to cryptographic modules, ensuring that only authorized users can access sensitive information. This enhances security and compliance within their ServiceNow environment.

    Use module access policy visualization to view all relevant cryptographic module information on a single UI page.

    Module access policy visualization UI page

    Key Management Framework admins and cryptographic managers can use the module access policy UI page to view all access control mechanisms related to a single cryptographic module. Use the information collected on this UI page to determine who has access to encrypted information on your instance.

    Users with the sn_kmf.admin or sn_kmf.cryptographic_manager roles can access the module access policy visualization UI page by navigating to All > Key Management > Cryptographic Modules > All.

    Results Labels

    Module access policies contain a Result field, which determines whether to grant access to the selected cryptographic module. The UI page displays a label on elements on the UI page based on the value of that field.

    UI label Result field value Definition
    Track label Track or Allow Access is granted to all users, including scripts.
    Reject label Reject Access is denied unless a track module access policy is found.
    StrictReject label StrictReject Access is denied.
    Absent label N/A The module access policy doesn’t exist on the instance. Access is denied to all.

    Global policies

    Use the Global policies section to review the module access policies that control platform-level access.

    Select the Manage button below any of the policies to navigate to that policy record. If the policy doesn't exist, an Add button appears below that entry. Select the Add button to navigate to a new policy record where you can define the policy.

    		 Global policies section
    Policy Definition
    Default rule The default rule policy defines the behavior when no existing rule matches an access request.
    Platform backend The platform backend policy governs internal platform code access to cryptographic keys.
    Script engine The script engine policy governs whether the script engine is permitted to access cryptographic keys.
    System user The system user policy governs whether the system user is permitted to access cryptographic keys.

    Helpful resources

    Use the Helpful resources section to find links to product documentation, relevant knowledge articles, and a brief description on how module access policies are evaluated on the platform. For a deeper look into how module access policies are evaluated, see Module access policy debugger. Helpful resources section

    Granular policies

    Use the Granular policies section to view lists of module access policies, separated by policy type. Use the tabs above the list to select a policy category to display.

    • Role
    • Scope
    • Scope and Domain (if Domain Separation is active)
    • Script
    • Resource exchange (if the cryptographic module is a Password2 or Field Encryption submodule)
    • Identity (if Secrets Management Enterprise is active)

    By default, the each list displays only active policies. Use the filter icon to change the default filter for the list.

    		 Granular policies section

    Users with access

    Use the Users with access section to see a list of all users that have access to the selected cryptographic module. The list is grouped by user, as single users can posses multiple roles that grant access to a cryptographic module. Users with access section