Explore Zero Trust Access

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Explore Zero Trust Access

    Zero Trust Access (ZTA) is a security model that operates on the principle of not trusting any user or device by default. Access to applications and data is granted strictly on a least privilege basis, requiring user identity verification and risk assessment before access is allowed.

    Show full answer Show less

    Key Features

    • Policy Based Session Access: This feature allows organizations to dynamically adjust user privileges during a web session based on factors such as IP address, location, authentication method, user role, and attributes from the Identity Provider (IDP).
    • Role Elevation: Only users with the securityadmin role can configure Session Access settings, which do not support integrations.
    • Session Behavior: Changes in user location or risk parameters during a session do not automatically alter access privileges; users must log out and back in for changes to take effect.
    • Mobile Support: The Session Access policy can be applied to mobile sessions, allowing for privilege reduction based on session conditions and IDP attributes.

    Key Outcomes

    Implementing Zero Trust Access helps organizations mitigate unauthorized access and potential data breaches, especially when users log in from untrusted devices or locations. By utilizing adaptive authentication policies, security admins can ensure that users have only the necessary access for their session, thereby enhancing overall security posture.

    Zero Trust Access (ZTA) is a security model that assumes that no user or device is trusted by default.

    ZTA ensures that all access to applications and data is granted on a least privilege basis, only after the user's identity verification and risk assessment.

    Zero Trust - Policy Based Session Access

    ServiceNow Zero Trust - Policy Based Session Access (Session Access) enables organizations to dynamically reduce user privilege in a web session based on a variety of factors, including IP address, location, authentication method, user’s role, group, user having MFA and attributes shared by the Identity Provider (IDP). This can help protect organizations from unauthorized access and data breaches, even when high-privileged users access applications from untrusted devices or locations.

    It enables the security admins to reduce or limit user access in a session based on IP address, location, Identity Provider attributes, and user attributes using adaptive authentication policies.

    Zero Trust Access and Adaptive Authentication
    Note:
    • Session Access configurations can only be performed with security_admin role. You must elevate your role to security_admin.
    • Session Access doesn’t support integrations.
    • Session Access has no impact if the reduced or limited role isn’t assigned to a user. In this case, there are no changes to the logged in session. The user continues to access the instance with the assigned privileges.
    • Session Access has no impact while the user is already logged in to the instance and simultaneously the admin configures the policy. The user has to log out from the session for the policy to be effective.
    • Session Access has no impact when the user is in a trusted network and later switches to a VPN (change in location or network) within a session.
    • Session Access is enforced at the time of login. Any change in risk parameters during the session won’t result in reduced access. For example, a user switching from the corporate network to an untrusted network after establishing the session won’t result in reduced access unless the user logs out and logs in again.
    • Session Access (Zero trust access - ZTA) feature, roles like snc_internal and snc_external cannot be removed.
    • Session Access (Zero trust access - ZTA) feature does not remove a role from the sys_user_has_role or the user group membership table. Based on the ZTA policy, it establishes the user session with reduced or limited roles.
    • The scripts running in the system context will not honor the ZTA session roles.

    Use case

    Following are some of the use cases of Zero Trust Access:

    • Reduce privileges based on the risk associated with the session. For example, a fulfiller role user logging from outside the trusted network can be configured to have only the requester role for the session.
    • Reduce access based on IDP response for a user session, if the user is using an untrusted device. For more information, see Configure Identity Provider attribute for Session Access.

    This role relegation ensures that the user doesn’t have any other existing privileges in a session. When the user is logging in from a trusted network, all the existing privileges are assigned for a session.

    Multiple IP conditions and multiple role or group assignments can be defined as part of the policy.

    Zero Trust Access - Mobile

    You can use the Zero Trust Access - Session Access policy within the Adaptive Authentication policy to reduce the roles or privileges of the particular session in mobile.

    Zero Trust Access - Session Access mobile can be enabled by enabling the glide.authenticate.session_access.mobile.enabled from the system properties table.

    To use Zero Trust Access - Session Access mobile with the IDP attributes you can configure the glide.authenticate.session_access.mobile.refresh_token_interval field. This enables the administrators to effectively control the session access based on refresh token.

    For more information, see Configure Zero Trust Access for mobile.