Password (2 Way Encrypted) design considerations

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Password (2 Way Encrypted) design considerations

    This document outlines how to store and manage password data that is encrypted two ways (encryptable and decryptable) within ServiceNow's Workflow Studio and Flow Designer. It explains key configuration options, usage guidelines, and security considerations to ensure passwords are handled properly within flows and actions.

    Show full answer Show less

    Basic Configuration Options

    • Label: User-friendly text to identify the password variable in Workflow Studio.
    • Name: System-generated alphanumeric identifier, derived from the label, used in scripts.
    • Type: Indicates the kind of data stored (password in this case).
    • Mandatory: Specifies if the password variable must have a value when used in an action.

    Advanced Configuration Options

    • Hint: Provides guidance for flow or action designers on how to set the password variable.
    • Default value: Defines a fallback password value if a designer does not specify one.

    Key Usage Guidelines

    • Password (2 Way Encrypted) variables can only be assigned values using existing password2 data pills; manual entry is not allowed.
    • Only specific field types accept password2 data pills, including email body fields, HTML fields, password fields, PowerShell input variables, REST and SOAP message components.
    • Password2 variables cannot be used as condition inputs within flows or actions.
    • Workflow Studio enforces these restrictions by showing warnings and blocking execution if invalid data pill assignments occur.

    Security and Decryption Controls

    • Only users with access to the encryption module can decrypt and view password2 variable contents.
    • Encryption algorithms and role-based access controls are managed via the Password2 encryption framework with Key Management Framework (KMF).

    Store encrypted password data that can be decrypted.

    Basic options

    Option Description
    Label Displays the label used to identify the data variable in the Workflow Studio interface. The label can consist of any text.
    Name Displays the name used to identify the data variable in script calls. The name can only consist of alphanumeric and underscore characters. The system automatically converts the label into a valid name by removing or replacing any special characters.
    Type Indicates the type of data stored by the data variable.
    Mandatory Indicates whether the data variable must contain a value when configured in an action.

    Advanced options

    Option Description
    Hint Provides guidance to flow or action designers on how to configure the data.
    Default value Specifies the value used when a flow or action designer does not provide a value.

    General guidelines

    Follow these general guidelines when designing flows containing Password (2 Way Encrypted) data.
    Assign values using existing Password (2 Way Encrypted) data pills.
    You can only assign a value to a password2 variable by selecting an existing password2 data pill. Selecting values from other field types is not supported. Workflow Studio presents a warning message when invalid data pill types are selected.

    The warning message displayed when dragging a non-password2 data pill onto a password2 field.

    Note:
    You cannot manually enter Password (2 Way Encrypted) values.
    Use Password (2 Way Encrypted) variables only for valid field types
    Workflow Studio prevents selecting Password2 data pills as the value for invalid field types. The system presents a warning message when the field is an incompatible type.

    The warning shown when dragging a password2 field to a disallowed field.

    Workflow Studio only allows Password2 data pills to be dragged into the following field types.
    • Email body fields
    • HTML fields
    • Password 2 Fields
    • PowerShell Input Variables
    • REST fields
      • Variables
      • REST payload body
      • Query parameters
      • Headers
      • REST multi-part form values
      • Form URL-encoded values
    • SOAP fields
      • Headers
      • Envelope
    Note:
    you cannot use Password (2 Way Encrypted) variables as conditions

    Flow Designer performs a validation check when a user saves, publishes, or tests actions and flows. This check shows that an alert for any data pills dropped in restricted field types and prevents the action or flow from executing. Update the action or flow to remove the invalid data pill and then retry the action.

    Set up encryption modules for decryption
    Only users with a valid encryption module access can decrypt and view the contents of password2 variables. To specify the encryption algorithm and which roles can access encrypted data, see Password2 encryption with KMF .