Help
Join the Community
-
Documentation
Find detailed info about ServiceNow products, apps, features, and releases.
-
Impact
Drive a faster ROI and amplify your expertise with ServiceNow Impact.
-
Partner
Grow your business with promotions, news, and marketing tools for partners.
-
Store
Download certified apps and integrations that complement ServiceNow.
I recommend bookmarking this article so that you are automatically notified by email when changes are made by me.
If you miss any content, please leave it as a comment and I will add it to this article.
If you miss any content, please leave it as a comment and I will add it to this article.
| Table of Contents |
My library Knowledge Sources To Go is very popular, but it was intended mainly as a thematically grouped guide to standard sources and was provided by me as a PDF file. For certain topics, however, there is so much content that I can no longer include it in that document, as it cannot continue to grow forever.
For this reason, I have decided to handle such topics in individual community articles like this one instead.
Overview
"Trust is foundational to everything we do at ServiceNow. With our highly secure, agile, cloud infrastructure, ServiceNow provides robust protection to our customers at every moment of their journey. Our continuous monitoring brings peace of mind so customers can focus on what they do best."
Bill McDermott
Chief Executive Officer, ServiceNow
ServiceNow provides a cloud-based platform and solutions that deliver digital experiences and help people do their best work. Having a single product, platform, and support infrastructure means that ServiceNow can employ extensive security without the need to balance security over a highly diverse estate. ServiceNow customers gain the benefits of a common, highly standardized cloud infrastructure, while realizing the security benefits of customer‑specific isolation at the application and data layers. In addition to the security features that come as standard within the platform, customers can leverage additional security capabilities within their ServiceNow instance(s).
Entry point to the official product documentation.
"Our team of security experts makes your data protection the top priority. Because the stronger the trust, the stronger the relationship."
ServiceNow Security Advisories (đź”’)
The ServiceNow Security Advisories are provided to enable customers to self-serve relevant content about ServiceNow’s security posture as it relates to various security items. These advisories are limited to the scope of the Now Platform and the supporting ServiceNow cloud environments. Please be advised the contents of these security advisories are classified as Confidential. Access is restricted to authenticated HI users, and information cannot be shared outside of your organization.
This document gives guidance on some of the main areas which should be considered, links to comprehensive resources, and best practice recommendations for each topic. You can ensure your instance has a good security foundation by understanding and acting on the recommendations in this guide.
Securing the Now Platform - An overview of the ServiceNow security program
This document describes ServiceNow’s security program across a number of key physical, administrative, and logical security domains. These include architecture, information lifecycle, physical security, security operations, disaster recovery/business continuity, privacy, compliance, and software development.
Cloud Security Frequently Asked Questions
ServiceNow’s security team has compiled a list of frequently asked questions about our cloud security processes and the physical, administrative, and logical controls we have in place.
Enable Zero Trust with ServiceNow
Get to know what ServiceNow applications can be leveraged for Zero Trust. Understand how they align with the CISA Zero Trust maturity model. Know what you need to enable to enhance your Zero Trust posture.
This document provides an in-depth look at the security capabilities of ServiceNow mobile apps. Take a look at the offerings ServiceNow provides to ensure customers across industries can securely deploy mobile to their users.
Data Access Controls - A look at ServiceNow’s access to customer data
This document gives an overview of the controls and features that ServiceNow has implemented to ensure that customers (as data controllers) control how ServiceNow uses their data. It also explains how we structure customer data processing when it comes to access, infrastructural integrity, and customer control.
Safeguarding Your Data - An overview of data security
This document discusses different types of data, how it is handled, and the responsibilities of the data controller (ServiceNow customers) and data processor (ServiceNow). It also gives an overview of what controls ServiceNow provides to assist customers in keeping their data safe.
Complying with the General Data Protection Regulation (GDPR)
ServiceNow Governance, Risk, and Compliance is an ideal solution to address the GDPR. It can identify the applications that touch personal data and provide a means to gather evidence; tracking compliance of those applications across functional groups.
Success Pack "Establish the Platform Foundation & Security"
This success pack supports the desing and setup of a solid foundation of the Now Platform upon which all digital workflows run.
Trainings & Courses
Encryption and Keys: Introduction
This module provides the information needed to understand encryption and explore various keys used in different ServiceNow encryption solutions. You will also be participating in an intriguing game, tasked with solving a puzzle using an ancient encryption technique!
Key Management Framework: Introduction
This course provides an introduction to Key Management Framework (KMF). You will explore the different KMF roles used in encryption and understand the KMF lifecycle states and actions. You will also be participating in an intriguing game, tasked with solving a puzzle using an ancient encryption technique.
Code Signing and Circle of Trust: Introduction
Explore Code Signing application and understand how establish trust between instances.
Secrets Management: Introduction
Explore Secrets Management application and understand how credentials are encrypted and decrypted.
Articles & Blog Posts
by ServiceNow Support
ServiceNow Secure Coding guide for Instance developers (KB0623354 đź”’)
This article provides an overview of application security-related GlideScriptable classes and methods offered by ServiceNow, to assist and educate developers while creating and modifying the code on the target Instance.
by ServiceNow Support
Outbound SSL and TLS connectivity from ServiceNow Instance (KB0722835)
The SSL and TLS protocols provide communications security over the internet, and allow client/server applications to communicate in a way that is confidential and reliable. The protocols have two layers: a Record Protocol and a Handshake Protocol, and these are layered above a transport protocol such as TCP/IP. They both use asymmetric and symmetric cryptography techniques.
by ServiceNow Support
How to Investigate User Account Activity (KB0564981)
At any time there is a need to review specific user behavior, below are the recommended steps on how to review the transaction logs and event logs.
2020-09-21, by @ashok-sn
Security Top Tips
The Security Top Tips blog series provides practical security advice and describes the tools available in the Now Platform to help you keep your data safe.
2023-03-14 by Abdul Rahman
10 ServiceNow Security Features - Easy to implement & manage
Here are the 10 ServiceNow Security Features, most of them are free & some are paid, which can installed by an Admin today to secure their ServiceNow Instance.
Videos & Podcasts
2022-10-26, by ServiceNow Community
Introduction to ServiceNow Vault
ServiceNow Vault – ​ Increasing Trust and Compliance ​with the Now Platform​.
2023-02-03 by Chuck Tomasi
ServiceNow Security 101 with Jarod Mundt
For many people, security on their ServiceNow instance ends with ACLs – maybe encryption if they have the need, but there's more – oh, so much more. Joining me in this episode is someone to shed some light on the full spectrum of ServiceNow security capabilities as of 2023.
2023-07-26, by ServiceNow Community
What you need to know secure your instances
Security is top of mind with everyone. We’ve created this introduction on how to secure your ServiceNow Instances to help you build the right security framework. Attend and you will learn from some of our security experts and have the opportunity to interact with them!
Data Privacy
Use Data Privacy to classify sensitive data and to remove personally identifiable information (PII) from user data in a production instance and anonymize data in non-production instances. Once anonymized, the user data is no longer considered regulated private information.
Developers must work with data on non-production instances to ensure that their implementations are working as expected. While importing data from your production instance is a useful way to simulate production, it presents a security risk. Administrators can use data privacy to provide developers with data that does not contain private information to work safely in a non-production environment.
Entry point to the official product documentation
Summarized overview in one PDF file.
Complying with the General Data Protection Regulation (GDPR)
GDPR is a set of regulations by which the European Commission intends to strengthen and unify data protection for individuals within the European Union. The ServiceNow Policy and Compliance Management product provides a centralized process for creating and managing policies, standards, and internal control procedures that are cross mapped to external regulations and best practices.
How data anonymization can strengthen data privacy
Outlines the baseline process explaining the configurable options with the objective of determining the to-be process and corresponding configuration requirements for ServiceNow Vault - Data Anonymization
Trainings & Courses
Data Anonymization: Introduction
Introduction to data anonymization and privacy.
Articles & Blog Posts
2023-06-21 by @AttilaVarga
Data privacy / anonymization in practice
This article introduces a solution to the problem of anonymizing data in sub-prod instances, with the help of out-of-the-box ServiceNow features.
Videos & Podcasts
2023-01-04 by Secretary of Simplification
Securing Fields Part 6 - Data Anonymization
Data anonymization (data privacy) is a new feature in the Tokyo release of ServiceNow. It is intended for sensitive and personal information cloned from PROD to a non-PROD instance. This video provides an overview only and demonstrates how to set it up.
2023-05-09 by ServiceNow Support
Explains how to classify data using the Data Privacy store application.
2023-05-09 by ServiceNow Support
Explains how to anonymize data using the Data Privacy store application.
2023-08-05 by ServiceNow Universe
New feature in ServiceNow Vancouver | Data discovery | Data classification
Data Discovery discovers the PII stored in the ServiceNow instance.
Data Classification classifies the data in different predefined classed.
2023-12-30 by ServiceNow Community
ServiceNow Platform Privacy Demonstration
In this video, we will focus on Privacy, and see how ServiceNow helps organizations find, classify, and anonymize sensitive data.
2024-04-24 by ServiceNow Community
Platform Sensitive Data Discovery and ​Real Time Data Anonymization
What's New in Washington Release for detecting and protecting sensitive employee and customer data.​
Security Center
ServiceNow Security Center is an application that consists of a set of purpose-built tools designed to help organizations maintain the security of their ServiceNow deployments. Using Security Center, organizations can improve their security posture, strengthen their compliance levels, and do so with a seamless user experience.
Entry point to the official product documentation.
Trainings & Courses
By the end of this module, you will be able to:
- Understand what The ServiceNow Security Center is and what is it composed of
- Learn how to access it
- Explore the the features of ServiceNow Security Center
- Learn how to create a scan check, thresholds, and notifications
- Understand different configurations and attributes of the ServiceNow Security Center hardening settings
Videos & Podcasts
2023-05-10 by ServiceNow Community
Access Analyzer
ServiceNow Access Analyzer is an application that helps the administrators and developers to view permissions for the selected user, role, or group. Using Access Analyzer, organizations can improve their security posture, identity governance, risk management, strengthen their compliance levels, and understand who (identity) has access to what (resources).
Entry point to the official product documentation.
Summarized overview in one PDF file.
Articles & Blog Posts
2023-12-04 by @Daniel Garcia M
Using the brand new "Access Analyzer"
Have you ever wondered how could you get a summary of the access a given user/group/role has on your instance resources? You may be thinking the "Debug Security" option but that's way too granular and it doesn't allow to test certain elements. Because of this, ServiceNow have released an application called "Access Analyzer" we will be having a look at here.
Videos & Podcasts
2023-08-07 by ServiceNow Universe
Access Analyzer | New plugin in ServiceNow Vancouver release
2023-08-11 by ServiceNow Dev Program
In this session we will be going deep dive into Access Analyzer in Vancouver.
2023-08-23 by TechnoMonk
ServiceNow Access Analyzer: Ultimate Guide to Boosting Security & Compliance
Dive deep into the functionalities of Access Analyzer, from analyzing permissions of users, groups, and roles to understanding critical security hygiene. Don't miss out on understanding how Access Analyzer can revolutionize your identity governance and risk management strategies. Join us as we explore the myriad benefits and features of this powerful ServiceNow application.
2023-09-12 by SAASWITHSERVICENOW
Access Analyzer in ServiceNow | A Vancouver Feature
Today, we're diving deep into a feature of ServiceNow introduced in the Vancouver release that every ServiceNow administrator and developer should know about: The Access Analyzer. Discover how you can seamlessly analyze and view the permissions of any user, group, or role across tables, client callable script includes, UI pages, and REST endpoints.
2024-04-18 by Hardit Singh
Everything about Access Analyzer in ServiceNow
This video dives deep into ServiceNow's Access Analyzer, a powerful tool for administrators and developers. We'll walk you through real-world demos to see Access Analyzer in action. Plus, we'll unpack two exciting new features from the Washington release.
Access Control Lists (ACL)
An instance uses access control list rules, also called access control rules, to control what data users can access and how they can access it. ACL rules require users to pass a set of requirements in order to gain access to particular data.
Entry point to the official product documentation.
Trainings & Courses
Securing Applications Against Unauthorized Users
In this module, you will secure the NeedIt application against access by unauthorized users: application, modules, access control, and scripts. You will test and debug the security you implement.
Introduction to Access Controls
In this self-paced course, learners are guided through the creation of access controls to secure applications by restricting user access.
Articles & Blog Posts
by ServiceNow Support
How to determine if a user has permissions to create, read, and write on an extended table (KB0523743)
ServiceNow uses access control list (ACL) rules, also called access control rules, to control what data users can access and how they can access it. ACL rules allow users to update records using API protocols such as web services. If a user does not have the necessary permissions to create, read, or write on an extended table, this can pevent the New or Edit buttons from appearing on a related list or unexpected results.
by ServiceNow Support
ACL on Database Views (KB0535471 đź”’)
It is important to understand that table level ACL is not applicable on database views. Assuming that the underlying table ACL will be applicable to Views is not correct. To safeguard the underlying table information as exposed through a View, a user needs to create an ACL on views.
by ServiceNow Support
Demystifying Access Controls (KB0541355)
Access controls can seem very intimidating when you are trying to configure your instance security rules. This article is intended to help understand and eventually mastering the ACLs usage.
by ServiceNow Support
Scripts - understanding when ACLs are evaluated (KB0677278)
When discussing Business Rules, UI Scripts, Script Includes, Background-Scripts, UI Actions, Client Scripts, and the ACL evaluation that occurs at runtime, here are three facts that you need to know right from the start: [...] A lack of understanding regarding these three facts can be a common source of frustration when investigating issues related to client-side and server-side JavaScript.
by ServiceNow Support
Customization Considerations for Access Controls (KB0749174 đź”’)
When you want to make changes to access controls (ACLs) there are some things to be aware of. This article discusses those considerations and how best to approach them.
by ServiceNow Support
How the ACL Admin Overrides option works (KB0685046)
When creating or modifying an ACL, one of the fields available is called Admin Overrides. This field sometimes can cause confusion because unchecking it and adding a role is not enough to prevent Admin users from accessing specific data..
by ServiceNow Support
Relationship between Business Rules and Access Control Rules (KB0656366)
Business rules are database triggers that apply consistently to records regardless of whether they are accessed through forms, lists, or web services. This is the major difference between business rules and client scripts, which apply only at client side when the form is edited.
by ServiceNow Support
ACL on Database Views (KB0535471 đź”’)
It is important to understand that table level ACL is not applicable on database views. Assuming that the underlying table ACL will be applicable to Views is not correct. To safeguard the underlying table information as exposed through a View, a user needs to create an ACL on views.
by ServiceNow Support
The Read-Only role and how to use it (KB0656366)
The Now Platform includes the capability to easily configure a specific user or group to access certain tables, but only in a read-only format. This is done through the special "snc_read_only" role.
by ServiceNow Support
Enabling Report View ACLs (KB0958442 đź”’)
ServiceNow has introduced Report View ACLs (RVA) as an additional layer of control on tables. Report View ACLs limit which users can view sensitive data when reports are created.
2015-01-14, by John.garrisi
Evaluating Row level and Field level ACLs
I often hear "I have given the ITIL role this access, why does it not work?" When we run the Debug Security it tells us "yes" or "no" on access rights. However, understandings the grey areas may prevent some issue from cropping up or help solve issues when they occur while evaluating row level and field level Access Control Lists (ACLs).
2021-12-06, by @chuckn
We were recently notified by ServiceNow that a batch of report view ACLs would be activated in our production instance if we did not activate them ourselves (see KB0958442). They provided a great analysis tool in the ACL Assessment for Reports. When that analysis came back saying we have hundreds of reports to review, we wanted a faster way to generate the list of all the potentially affected users instead of going through each report individually. If you're looking for something similar, this code should do it for you.
2022-11-17, by Martin Ivanov
Privacy on client-callable script includes (instance security hardening) explained
ServiceNow has introduced a mechanism to protect Client callable script includes.
2023-02-15 by @Grant Hulbert
How to lock down a ServiceNow app *very* securely
The CEO of your company asks you to write a ServiceNow app. Then your CEO drops the bombshell: she wants the app to be so secure that not even ServiceNow admins are able to inspect your app’s tables. What’s the solution? We’re going to borrow a technique called “Application Administration” that the developers of ServiceNow’s HR Service Management app used to solve very similar requirements.
2023-02-15 by @Willem
Vancouver: Security Attribute Conditions Explained
In the Vancouver release there is a new “Security Attribute Condition” added to the conditions of ACLs
Videos & Podcasts
2019-01-28, by Göran Lundqvist
Limit access to Attachments through ACL in ServiceNow
Question from community how to limit access to attachments. Requirements are that a end user shouldn't see attachments that has been uploaded by a user that has a role.
2019-05-12, by Robert Fedoruk
Learn how to solve difficult ACL issues in 5 minutes
My two-browser method to troubleshoot common ServiceNow ACL issues.
2020-06-28, by SAASWITHSERVICENOW
System Administration Training | Access Control List | ACL
This training will cover everything you need to know in order to get started with administering a ServiceNow instance. You will learn how ServiceNow works and how to properly configure and customize the platform.
2021-10-22, by ServiceNow Dev Program
On this episode, join Brad, Chuck, and guest Pre**bleep** Doshi as they dive into ACL debugging.
2022-07-13, by ServiceNow Community
ACL Assessment for Reports
In this Platform Analytics Academy session we looked at how we can use ACL Assessment for Reports to identify reports that are blocked by ACLs. The application identifies both the users and the reports. If this is something that you have interest in, you will want to check out this session.
2022-08-22, by Allenovation
ServiceNow Best Practices for ACLs
II’ve uncovered several leading practices regarding ACLs, and I’d like to share these Nuggets of Knowledge with you, in hopes that it’ll help you on your ServiceNow journey.
2022-10-21, by Secretary of Simplification
ServiceNow – Security Sojourns – ACLs I
Q. What is the first thing you need to do when implementing a ACL story in ServiceNow?
A. Make an assessment of what ACLs you currently have in the instance.
Without this knowledge, you will not know whether you need to create an ACL or modify an existing one. This video takes you through this using two simple stories.
2022-11-11, by Secretary of Simplification
ServiceNow – Security Sojourns – ACLs II
Part 2 in a series on Access Control List rules in ServiceNow. In this video, we look at another requirement to implement and examine the difference between .None, .* and .field ACL rules.
2022-12-12, by ServiceNow Community
Securing Records in ServiceNow
In this session, you'll learn how to best secure records in ServiceNow. We'll cover best practices and guidance around Access Control Lists (ACL), Data Filtration, and other options to secure your data. Product Success Managers Paige Duffey and Jarod Mundt will answer your questions.
Data Filtration
Data filtration is a separate form of access control designed to work along with the existing Access Control rules (ACLs) on your instance. Data filtration denies access to tables and records that do not match subject attributes defined by an administrator. Data filtration is designed to make auditing, reporting, and troubleshooting easier.
Entry point to the official product documentation.
Articles & Blog Posts
2023-11-20 by @Daniel Garcia M
Understanding the "Data Filtration" plugin
Today I will be talking about the "Data Filtration" plugin (com.glide.data_filtration), which allows to define an extra layer of security an organisation can add on top of ACLs to prevent users seeing records they shouldn't. This plugin has a dependency on another plugin I already talked about, Adaptive Authentication given it uses the filter criteria records from that plugin to define who can read data from a given table.
2024-03-12 by Lasse Kjelstrup-Hoop
Navigating the World of Data with ServiceNow Data Filtration
In the digital age, where data zips around like caffeinated squirrels, keeping sensitive information under wraps while ensuring the cool kids (aka the right people) can still get their hands on what they need, is pretty much the IT equivalent of herding cats. Enter Data Filtration by ServiceNow – your digital shepherd, guiding you through the wilderness of data access with ease and a sprinkle of security magic.
Videos & Podcasts
2022-08-14 by ServiceNow Mavericks
ServiceNow #Tokyo_Talks Data Filtration
We will explore data filtration feature of servicenow tokyo release
2022-08-16 by ServiceNow Dev Program
Creator Toolbox: Data Filtration
Data Filtration adds a new level of configurability to traditional access control lists (ACLs.) Watch and learn as our guest Scott Kaufmann guides us through what data filtration is and how it works with ACLs.
2022-08-25 by cask
Inside the Barrel - ServiceNow Data Filtration
Welcome to the Inside the Barrel Podcast! Follow along as Dorian and Jon as we play around with Data Filtration on ServiceNow's platform.
Encryption
ServiceNow provides robust data security and privacy capabilities to protect its customers data. However, in today’s environment there is no single encryption solution to address all data protection needs. Therefore, in order to meet the data security requirements of modern enterprises, ServiceNow provides customers with a suite of encryption options. These can be used individually or in conjunction with each other to address a variety of data confidentiality use cases.
Product Information
Entry point to the official product information.
Entry point to the official product documentation.
Encryption technologies for data protection on the Now Platform
This document explains the encryption solutions and provides the information you need to choose the correct one.
A Prescriptive Guide to Selecting Data Encryption Solutions for the Now Platform
This guide is for anyone needing to make a decision on the appropriate data encryption solution(s) for the data that they store and use on the Now Platform. While it does help to have an information security background, it is by no means a prerequisite for using this guide. On the contrary, this guide will arm you and your stakeholders with the questions to make well-informed decisions when identifying potential data encryption solutions for the Now Platform
Trainings & Courses
Encryption in ServiceNow Core Skills
Gain an understanding of the core features used by different ServiceNow encryption solutions.
Cloud Encryption: Introduction
This course provides the information needed to understand Cloud Encryption and to explore how it works, as well as understand the process of rotating and switching keys.
Column Level Encryption: Initial Setup
Get an introduction to CLE Starter and learn how to setup, configure, and utilize CLE to encrypt and decrypt sensitive data.
Column Level Encryption Enterprise:
- Initial SetupLearn how to configure, and utilize Column Level Encryption Enterprise to encrypt and decrypt sensitive data.
- Administration
Learn how to perform maintenance including key lifecycle management, audit support, and using the Resource Exchange feature to transfer keys across instances. - Limitations and Considerations
Review the limitations and considerations of the CLE Enterprise functionality and explore links to additional resources for further learning.
Edge Encryption:
- Initial SetupLearn how to install and configure the Edge Encryption proxy server. You will also learn the concept of the encryption keys that are needed for a successful installation.
- Administration
Take a deeper dice into the different encryption methodologies and how they can be applied to your organization to meet your security needs. You’ll learn how encryption patterns allow you to specify string patterns to be replaced by tokens before being sent to and stored in the instance. You will also learn how to configure your Edge Encryption proxy server to allow inserts from a record producer by creating encryption rules. - Limitations and Considerations
Get an overview of Edge Encryption limitations, as well as things to consider during the implementation.
Articles & Blog Posts
2021-10-22, by r0b0_d3vil
Column Level Encryption in ServiceNow
2023-02-07 by Attila Varga
Column Level Encryption - filtering and searching encrypted fields
Customers are interested in how sensitive data can be managed and what are the provided solutions by ServiceNow. There are several possibilities offered by ServiceNow, but let's narrow down the topic a bit and focus on a specific detail (peculiarity), which is Data encryption. Nowadays it is a common and real expectation that a system must be able to encrypt and decrypt data. We can demonstrate this capability to the customers, but sometimes it is not sufficient for them. They are interested in the details, special possibilities or even limitations. This article is about to introduce a special limitation of the Column Level Encryption (CLE) module of ServiceNow.
2023-10-24 by @Daniel Garcia M
Encrypting attachments using "Column Level Encryption"
In this article we will talk about how to encrypt attachments using the free version, although in the CLEE it can be configured the same way but it would allow to perform more actions.
Videos & Podcasts
2021-09-02, by ServiceNow Community
TechNow Ep 89 | Navigating Encryption Options
When it comes to security and encryption on the Now Platform, you've got plenty of options. But navigating these options can be tricky. Fortunately, ServiceNow is here to help. Join the webinar, and together we'll explore the various options for encrypting your data and determine which one is right for your organization's unique situation.
Troubleshooting
Alternative Encryption Products to GlideEncrypter đź”’ (KB1320986)
