Module 5 Flashcards
In what 4 places can access be restricted in ServiceNow?
-Application menu
-Modules
-Records
-Fields
If a user has access to the ________ module, they can see all tables including those for which they cannot see records.
System definition> table module
Users can type ________ into the type filter text field in the application navigator to attempt to open the list of records for any table
<table_name>.list
<table_name>.list usually allows a user to open a list of records for that particular table, but depending on the user's permissions, what 2 things can happen?
-The list may not display all the records (number of rows removed from this list by security restraints message)
-The list page is not rendered (security restraints prevent access to request page message)
How do you control access to application menus or modules?
Through roles
Users without an application menu’s role cannot see the menu in the application navigator; users with the role can see what?
The menu
Where do you set an application menu's or a module's permissions?
In Studio, edit roles
This role allows users without access to the application menu to access a module for which they are authorized
The override application menu roles
Access controls can only be created or edited in Studio if the user has elevated to which role?
security_admin
If you have the elevated security_admin role but can’t edit or create access controls, what do you do?
Save any application file to update Studio’s permissions
How many access control rules can be created automatically when adding tables to an application?
Four
Access to records and fields is denied by default?
True
The wild card access control rule (.) for the create operation reuses the same permissions as which operation, unless you do what?
Write; unless you define an explicit create operation ACL rule
Where do you go to see all access controls evaluated for a record?
On a list select configure> security roles
Configure the application form or list’s security rules to edit the access controls that apply to the record and to avoid what?
Inadvertently editing non-applicable access controls
When access controls are created, what is automatically populated?
The description field
This access control rule applies to a table's records; it is required to view a table’s list or form.
table.none
This access control rule applies to every field on a record where there is no field specific ACL?
table.*
This access control rule applies to only one field on a record
table.field
What happens if access is denied to a row?
No field level rules can grant access
If access to a row is allowed but the field is denied what happens?
The field is not visible
If access to a row is allowed and access to a field is allowed, what happens?
The field is visible
A field specific ACL excludes all other roles from access to that field (t/f)
True
table.* ACL gives access to all fields for a table that don’t have a field-specific rule, and excludes users with all other roles (t/f)
True
To easily exclude fields, what ACL should you use?
Table.*
To easily include fields, do not use which ACL?
table.*
A user must pass both _______ and ______ ACL rules to access a record object
Table and field
Access control rules are usually processed how?
From most specific to most general
Record ACL rules are processed in what order?
- Match object against table ACL rules (specific to general)
- Match the object to field ACL rules (specific to general)
What happens if a user fails a table access control rule but passes a field control rule?
The user is still denied access to all fields in the table
If a user passes a table ACL but fails a field ACL rule, what happens?
The user can access the table but not the field described by the field ACL rule
Are there system created access control rules?
Yes
If there is a matching access control rule, the system evaluates if the user has the permissions required to access what?
The object and operation (roles, conditions, script)
If an access control specifies more than one permission, what happens?
The user must meet all permissions to gain access to the object and operation
Failing one permission check means what?
The user is unable to access the matching object and operation
Does the first successful ACL evaluation stop ACL rule processing at the field level?
Yes
When a user passes a field ACL rule, what happens? (What does the system do?)
The system stops searching for other matching ACL rules
If a user does not meet the permissions of the first matching ACL rule, the system evaluates the permissions of the next matching ACL rule specified by the access control processing order. If the user fails to meet the permissions of any matching access control rule, what happens?
The system denies access to the requested object and operation
Access control fields are evaluated in the order shown on the access control form. What order is that?
- Requires role
- Condition
- Script
What do blank fields in access control equal?
True
What is a very useful GlideRecord method for access control scripting?
isNewRecord()
Useful GlideSystem user methods for access controls?
hasRole()
getUserName()
getUserID()
What should you avoid using during access control scripting because it can adversely impact performance?
GlideRecord queries
What is available to help you troubleshoot and debug ACLs?
-Field level debugging
-Access ACL rule output messages
When ACL debugging is enabled, what appears beside each field with an ACL rule?
A small bug icon
When ACL debugging, what happens when you select the small bug icon beside a field?
The icon lists ACL rules that apply for the field and evaluation results
This lets you know what related ACLs exist when you modify one?
The ACL configuration watcher
Where do you navigate to enable ACL debugging?
System security> debugging> debug security rule
Debugging is shown in order of evaluation. What is the order of evaluation?
Roles, condition, script
Debugging color coding. Green with a check mark or blue with a check mark equals?
Passed
Debugging color coding. Red equals?
Failed
Debugging color coding. Blue equals?
Used previously/ cached
Debugging color coding. Grey equals?
Skipped because of an access control higher in the hierarchy
It is better to control access through GlideSystem methods that execute server-side than through client-side scripting. Why?
For better performance and security
Server-side scripting API GlideSystem methods are?
-getUser()
-getUserDisplayName()
-getUserNameByUserID()
-userID()
-hasRole()
Server-side scripting API GlideRecord methods are?
-canRead()
-canCreate()
-canWrite()
-canDelete()
How is application access set?
On a table by table basis
There is runtime application protection against what?
Access by scripts
Access through the web services api
Application access is applied in addition to what?
Access controls
The “allow access to this table via web services” option is only selectable if the accessible from option value is what?
“All application scopes”
Unauthorized script access is prevented at runtime but _____ cause runtime errors. Script logic attempting unauthorized access is _______ and ServiceNow continues to run normally.
Does not; skipped
When application access is granted to all application scopes, what is the default configuration?
All read access only (to all other applications)
Does application access apply to scripts executed in the same scope?
No
Does application access (run time scripting) only apply to business rules?
No, applies to all server side script
The allow configuration checkbox on the application access tab permits other application scopes to do what?
Create artifacts for an application
The allow configuration checkbox on the application access tab allows other application scopes to create artifacts for an application. What are those 3 artifact examples?
-Dictionary entry
-UI action
-Client script
Business rules, access controls, and other metadata types can extend out of scope tables when this is selected on the application access tab
Can read
These records are used to track cross scope applications that request access to an application, application resource, or event
Restricted caller access
Application restricted caller access is activated by which plugin?
The scoped application restricted caller access plugin (com.glide.scope.access.restricted_caller)
With this restricted caller access option, cross scope calls to the resource are approved or denied based on the value of the accessible from field
None
With this restricted caller access option, calls to the resource must be manually approved. Access requests are tracked in the restricted caller access table with a status of requested
Caller restriction
With this restricted caller access option, calls to the resource are automatically approved. Calls are tracked in the restricted caller access table with a status of approved.
Caller tracking
What role is required to set access to an application?
Admin or application admin
Safeguard intellectual property by making artifact logic what? (2 things)
Read only or not visible
Protection policies only apply when applications are what?
Installed from the ServiceNow App Store
Protection policies do not prevent other developers on the application development instance from viewing or editing application artifacts (t/f)
True
What two things can (application) protection policies be applied to?
-ui actions
-script includes
Protection policies are not applied when applications are published and migrated to an instance using what?
An update set
What are the protection policy options?
-none
-read only (not editable)
-protected (not visible)
For the instance an application is developed on, should you use access controls or protection policies to restrict users' ability to see and edit artifacts?
Access controls