Securing .list And .do Pages Via ACLs

Within ServiceNow, anyone can go to any table by manipulating the URL or via the navigation menu.

For example, if you want to go to the incident table, even if you don't have access to the incident module, you can just:

  1. go directly via the url: https://sn-instance.com/incident_list.do or https://sn-instance.com/incident.do
  2. in the navigation menu search bar, type incident.list or incident.do

Having ACLs in place makes sure that the actions you don't want to happen (create, write, read, delete) don't happen. However, what if you just want to stop users navigating to that URL in the first place?

You can stop users getting to the page via the navigation menu by editing the 'NavFilterExtension' UI Script (it has very good comments in there and is easy to edit to do what you want).

I accidentally stumbled across a neater solution, again using ACLs.
Let's work through an example of how to block the incident page.
Create a new ACL with the following values:

  • Type: UI Page
  • Operation: Read
  • Name: Incident
  • Admin overrides: False
  • Script: false;

And that's it! This ACL will block everyone from accessing the incident.do page (obviously your security will be more specific to your use case, i.e. who you're actually trying to block).
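A `Script` of `false;` denies the UI page to everyone. The more typical "specific to your use case" version denies by default and lets only certain roles through. The block below is an added example (not code from the original post or from ServiceNow) written in ES5 style so it matches the server-side scripting environment: the decision logic is wrapped in a function so it can be run offline, the role list is constructed for illustration, and `mockGs` is a constructed stand-in for the real `GlideSystem` object. In a real ACL the script body would be the statements inside `uiPageAclScript` with the result left in `answer`. Note that the real `gs.hasRole()` returns true for users holding `admin`, so even with "Admin overrides" set to False an admin passes a role-based script; the mock reproduces that behaviour so the test shows it.

```javascript
// Added example, not from the original post: a UI Page ACL script that denies
// access unless the current user holds one of the allowed roles.
// ALLOWED_ROLES is a constructed list for illustration; pick roles for your case.
var ALLOWED_ROLES = ['itil', 'incident_manager'];

// In a real ServiceNow ACL script, only the body of this function is needed and
// the boolean is left in the `answer` variable. `gs.hasRole(role)` is the real
// GlideSystem API; it also returns true when the user has the admin role.
function uiPageAclScript(gs) {
  var answer = false;                       // deny by default
  for (var i = 0; i < ALLOWED_ROLES.length; i++) {
    if (gs.hasRole(ALLOWED_ROLES[i])) {
      answer = true;                        // first matching role grants access
      break;
    }
  }
  return answer;
}

// Constructed stand-in for GlideSystem so the logic can be exercised offline.
// Mirrors the real hasRole() behaviour of treating admin as holding every role.
function mockGs(userRoles) {
  var roles = {};
  for (var i = 0; i < userRoles.length; i++) {
    roles[userRoles[i]] = true;
  }
  return {
    hasRole: function (role) {
      return roles['admin'] === true || roles[role] === true;
    }
  };
}

// Worked cases: an itil user is allowed, a user with no roles is denied,
// and an admin is allowed because hasRole() treats admin as having all roles.
function runExamples() {
  return {
    itil: uiPageAclScript(mockGs(['itil'])),
    noRoles: uiPageAclScript(mockGs([])),
    admin: uiPageAclScript(mockGs(['admin'])),
    unrelatedRole: uiPageAclScript(mockGs(['knowledge']))
  };
}
```

If you genuinely need admins kept out as well, a role check alone is not enough; that is the case the post's blanket `false;` script covers, at the cost of denying everyone.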

If you want to block people from accessing the incident list page (incident_list.do), then in the Name field on the ACL, just put incident_list. And finally, if you want to hide the search page, just put incident_search as the name.

Now there’s no way to access these pages via the URL or the navigation menu.

By the way, this doesn't negate the need for ACLs on the list itself. You still want to prevent people from running client-side GlideRecord queries against particular records.
