Configure Service Portal Widgets Allow List
Learn how to configure the glide.service_portal.widget.allow_list property securely so that the access control lists (ACLs) for the tables do not expose sensitive information.
The glide.service_portal.widget.allow_list system property determines the list of widgets that are allowed to attempt to access any table on the instance. ACLs for those tables will still be enforced. If there are misconfigured empty ACLs on tables on the instance, widgets in this list may allow access to those tables, leading to information disclosure. This property is only enforced if the widget makes use of SNCACLWidgetUtil, and the property glide.service_portal.widget.enforce_public_check is set to 'true.
Ensure that the glide.service_portal.widget.allow_list system property has an empty value empty or does not exist.
More information
| Attribute | Description |
|---|---|
| Configuration name | glide.service_portal.widget.allow_list |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | String |
| Recommended value | <empty> |
| Default value | <none> |
| Fallback value | <empty> |
| Category | Access control |
| Security risk |
|
| Dependencies and prerequisites | For the glide.service_portal.widget.allow_list setting to be applicable, the glide.service_portal.widget.enforce_public_check property must be set to true. |
| Functional impact | This property enables customers to access any table information if the widget is set to public and is included in the property's value. |