Require AJAXGlideRecord ACL checking [Updated in Security Center 1.3]

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Require AJAXGlideRecord ACL checking [Updated in Security Center 1.3]

    Theglide.script.secure.ajaxgliderecordsystem property enforces Access Control List (ACL) validation for server-side records accessed through GlideAjax APIs in client scripts. This ensures that any data queried via AJAXGlideRecord respects the current user's permissions, preventing unauthorized data exposure.

    Show full answer Show less

    Without this ACL enforcement, client scripts can potentially retrieve sensitive information that the user is not authorized to access. This property is a safe harbor setting, meaning once enabled, it cannot be reverted.

    Key Features

    • Validates ACLs on server-side data accessed through client-side GlideAjax API calls, such as GlideAjax and AJAXGlideRecord.
    • Prevents users without proper rights from querying restricted tables (e.g., ESS users blocked from reading the cmnlocation table).
    • Supports enhanced security by encouraging the use of GlideRecordSecure, which enforces stricter ACL checks compared to GlideRecord.
    • Integrated with other security-related system properties that govern client script execution sandboxing and AJAX evaluation.

    Practical Impact for ServiceNow Customers

    • Enabling this property (default and recommended value: true) ensures your applications enforce data access restrictions consistently, reducing security risks.
    • Improper ACL configurations can cause functional issues, such as legitimate data queries failing, so ACLs must be accurately defined for script includes, processors, and other server-side components used by GlideAjax.
    • Administrators should implement authorization checks in server-side code using methods like canRead(), canWrite(), canCreate(), and canDelete() to complement ACL enforcement.
    • Using GlideRecordSecure in server-side scripts offers better out-of-the-box security for sensitive data operations.

    Security Considerations

    This property addresses a high-risk security vulnerability where client scripts might access unauthorized data. By strictly validating ACLs on AJAXGlideRecord calls, you protect sensitive information and maintain compliance with security best practices.

    Next Steps for Customers

    • Verify and refine ACL configurations on tables and script includes accessed via GlideAjax to ensure proper access levels.
    • Consider updating server-side scripts to use GlideRecordSecure where applicable.
    • Review related properties like glide.script.use.sandbox and glide.script.allow.ajaxevaluate to strengthen client script security posture.
    • Consult the HI Knowledge Base article on auditing client-side GlideRecord transactions for detailed impact analysis and guidance.

    Use the glide.script.secure.ajaxgliderecord property to perform access control rule (ACL) validation when server-side records, such as tables, are accessed using GlideAjax APIs within a client script.

    From client scripts, it is possible to query arbitrary data from the server using the AJAXGlideRecord (GlideAjax - Client) API, by using a syntax such as a server-side glide record. It is a powerful and useful tool in many deployments.

    If you choose to apply Access Control Lists (ACL) to GlideAjax API calls, you can only query data to which the currently connected user has access. For example, if an ESS user who has no rights to read the cmn_location table is logged in, any GlideAjax API call to that table would fail.

    If the ServiceNow AI Platform is running without GlideAjax ACL call checking, an API can return information that the currently logged in user could not otherwise access.

    Use GlideRecordSecure when querying data to ensure the highest level of security. GlideRecord relies on ACL enforcement through configurations whereas GlideRecordSecure applies stricter security controls. GlideRecordSecure offers a more secure, out-of-the-box solution for handling sensitive data.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    Attribute Description
    Property name glide.script.secure.ajaxgliderecord
    Configuration type System Properties (/sys_properties_list.do)
    Category Access control
    Purpose Ensure security ACLs are checked and validated even when the records are accessed through Client Side APIs.
    Recommended value true
    Default value true
    Security risk rating 8.1
    Functional impact This remediation enforces the ACL relationship with server-side records when the requests are made using the AJAXGlideRecord API calls. If the ACL configuration is not properly configured, then there is potential impact. For more details on its impact, and how to identify it, see Refer to the Audit and review client-side GlideRecord (AJAXGlideRecord) transactions [KB0550828] article in the HI Knowledge Base .
    Security risk (High) Through client scripts, it is possible to query arbitrary data from the server through the GlideAjax API. Server-side resources can be accessed without proper authorization, so using ACL validation helps the application validate the request based on the configured authorization.
    Workaround

    Ensure that proper ACLs are created for script includes, processors, and other entities used by a GlideAjax (AJAXGlideRecord) API so that it executes under proper authorization.

    Implement methods like canRead (), canWrite(), canCreate (), and canDelete () to perform user authorization before accessing table records using GlideRecord.

    Another method is to use GlideRecordSecure. The class is inherited from the GlideRecord Server that performs the same functions as GlideRecord, and also enforces ACLs.
    References Apply ACLs to AJAXGlideRecord (client-side Glide record)
    This property belongs to the same family of properties that secure and restrict execution of scripts originating from the client:

    To learn more about adding or creating a system property, see Add a system property.