Access Controls Auditor checks

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Access Controls Auditor checks

    The Access Controls Auditor checks help ServiceNow customers evaluate and enhance the security of their instances by reviewing Access Control List (ACL) rules. ACLs regulate user access to data by enforcing specific requirements. This auditor tool assesses eight key security criteria to identify potential vulnerabilities and recommend improvements.

    Show full answer Show less

    Key Features

    • CSRF Protection on SCRIPT Processors: Verifies that all processors of type SCRIPT are protected with Cross-site Request Forgery (CSRF) tokens, ensuring they cannot run without valid CSRF tokens.
    • Knowledge Base Contribution Criteria: Checks that each knowledge base has defined "Can Contribute" or "Cannot Contribute" user criteria to control who can add content, preventing unrestricted contributions.
    • Empty ACLs: Identifies ACL records without security attributes, roles, or those assigned the public role, which may unintentionally open access to protected content.
    • ACLs on Client-Callable Script Includes: Ensures client-callable script includes are secured with ACLs requiring specific roles to restrict unauthorized access.
    • ACLs on UI Pages: Detects UI Pages lacking ACL protection, which would otherwise be accessible by any logged-in internal user, risking unauthorized changes.
    • ACLs on Tables: Checks that tables have ACLs in place to restrict data access only to authorized users.
    • User Role Assignments: Flags user accounts assigned both Internal and External roles, which should be mutually exclusive to maintain proper user segregation.
    • Publicly Accessible Knowledge Bases and Articles: Identifies knowledge bases and articles accessible to all users, recommending audience restrictions to enhance security.

    Key Outcomes

    By utilizing the Access Controls Auditor checks, ServiceNow customers can:

    • Identify and remediate ACLs that may expose sensitive data or functionality.
    • Enforce best practices for securing script processors and UI components.
    • Define appropriate contribution criteria for knowledge bases to prevent unauthorized content changes.
    • Maintain clear separation between internal and external user roles.
    • Limit knowledge base visibility to intended audiences, reducing risk of data exposure.

    Overall, these checks enable customers to proactively tighten their instance security, helping prevent unauthorized access and maintain compliance with organizational policies.

    Learn about the checks available in the default Access Controls Auditor Suites, what criteria they evaluate, and how they can be used to improve the security of your instance.

    Access Control List rules (ACLs) restrict access to data by requiring users to pass a set of requirements before they can interact with it. Access Controls Auditor checks evaluate your instance according to the eight criteria listed in the following table. Use the findings on these checks to improve the security of your instance.
    Table 1. Access Controls Auditor checks
    Check Name Check Criteria Description
    All Processors of type - SCRIPT must be protected with CSRF Token Checks for Processors with the SCRIPT type that aren’t protected with a CSRF token. All Processors with the SCRIPT type should be protected with a Cross-site Request Forgery (CSRF) token. These processors should have the CSRF option checked, which prohibits the processor from running unless the instance uses a CSRF token.
    Can Contribute / Cannot Contribute user criteria to be defined on each knowledge Checks for knowledge base records that don’t have Can Contribute or Cannot Contribute user criteria defined. Each knowledge base should have either Can Contribute or Cannot Contribute user criteria defined. Otherwise, any user can contribute content to a knowledge base with no Contribute criteria defined.
    Empty ACLs Checks for Access Control List (ACL) records that have no security attribute, no role, or the public role. Leaving ACLs empty or using the public role may provide open access to any content protected by this ACL.
    Access Controls on Client callable Script Includes Checks for client-callable script includes that aren’t secured by ACLs. All client callable script includes should be secured with an ACL using required roles.
    Access controls on UI Pages Checks for UI Pages that aren’t secured by ACLs Without an ACL securing access to a UI Page, that UI Page is accessible to all logged-in internal users. Without any restrictions logged-in users can potentially make unauthorized changes.
    Access controls on Tables Checks for tables without ACLs Tables should be secured with ACLs. Access to data stored in tables should be limited only to users that need it.
    User Account shouldn’t have both Internal and External roles Checks for user records with both Internal and External roles assigned Internal user roles are intended for users within your company. External user roles are intended for external personnel, such as customers and partners.
    Publicly accessible knowledge base and articles Checks for publicly accessible knowledge bases and knowledge base articles Publicly accessible knowledge bases and articles are visible to all users in the instance. Increase security by limiting knowledge bases and articles to the specific audience that needs them.