Module access policy visualization

  • Release version: Xanadu
  • Updated October 8, 2024
  • 2 minutes to read

    Use module access policy visualization to view all relevant cryptographic module information on a single UI page.

    Module access policy visualization UI page

    Key Management Framework admins and cryptographic managers can use the module access policy UI page to view all access control mechanisms related to a single cryptographic module. Use the information collected on this UI page to determine who has access to encrypted information on your instance.

    Users with the sn_kmf.admin or sn_kmf.cryptographic_manager roles can access the module access policy visualization UI page by navigating to All > Key Management > Cryptographic Modules > All.

    Results Labels

    Every module access policy has a Result field that determines whether access to the selected cryptographic module is granted. The UI page shows a label next to each policy and each global entry based on the value of that field:

    UI label        Result field value   Definition
    Track           Track or Allow       Access is granted to all users, including scripts.
    Reject          Reject               Access is denied unless a Track module access policy is also found for the request.
    StrictReject    StrictReject         Access is denied; unlike Reject, a Track policy does not override it.
    Absent          N/A                  The module access policy doesn't exist on the instance. Access is denied to all.

    Global policies

    Use the Global policies section to review the module access policies that control platform-level access.

    Select the Manage button below any of the policies to navigate to that policy record. If the policy doesn't exist, an Add button appears below that entry. Select the Add button to navigate to a new policy record where you can define the policy.

    [Figure: Global policies section]

    Policy              Definition
    Default rule        Defines the behavior when no existing rule matches an access request.
    Platform backend    Governs whether internal platform code is permitted to access cryptographic keys.
    Script engine       Governs whether the script engine is permitted to access cryptographic keys.
    System user         Governs whether the system user is permitted to access cryptographic keys.
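    The two tables above (result labels and the Default rule) together describe a small decision procedure: StrictReject always denies, a Track/Allow policy overrides a plain Reject, and the Default rule is consulted only when no granular policy matches, with a missing policy meaning deny. The following script is an added illustration written for this page, not ServiceNow's own evaluation code; the combination order it implements is an assumption derived from those tables, and the `type`/`result` object shape and the constructed sample policies are invented for the example.

```javascript
// Added example: model of the Result-label semantics documented above.
// NOT ServiceNow's own implementation. Assumed combination order:
//   StrictReject beats Track/Allow, which beats Reject;
//   the Default rule applies only when no granular rule matched;
//   a missing policy (N/A) denies access to all.
// Policy matching (role, scope, domain, ...) is out of scope; the caller
// passes in the policies that already matched the access request.

var RESULT = {
  TRACK: 'Track',
  ALLOW: 'Allow',
  REJECT: 'Reject',
  STRICT_REJECT: 'StrictReject'
};

// matchedPolicies: array of { type: 'Role'|'Scope'|'Domain'|..., result: <Result field value> }
//                  (hypothetical shape for this example).
// defaultRule:     Result field value of the Default rule policy, or null when that
//                  policy does not exist on the instance (the "Absent" label).
// Returns { granted: boolean, label: string, reason: string } where label is the
// UI label the visualization page would show for the deciding policy.
function evaluateModuleAccess(matchedPolicies, defaultRule) {
  if (!matchedPolicies || matchedPolicies.length === 0) {
    // No granular rule matched: the Default rule decides the request.
    if (defaultRule === null || defaultRule === undefined) {
      return { granted: false, label: 'Absent',
               reason: 'no matching policy and no Default rule (N/A): access denied to all' };
    }
    // Evaluate the Default rule as if it were the only matching policy.
    return evaluateModuleAccess([{ type: 'Default rule', result: defaultRule }], null);
  }

  var sawTrack = false;
  var sawReject = false;
  for (var i = 0; i < matchedPolicies.length; i++) {
    var p = matchedPolicies[i];
    if (p.result === RESULT.STRICT_REJECT) {
      // StrictReject is terminal: no Track policy can override it.
      return { granted: false, label: 'StrictReject',
               reason: p.type + ' policy is StrictReject: access denied' };
    }
    if (p.result === RESULT.TRACK || p.result === RESULT.ALLOW) {
      sawTrack = true;
    } else if (p.result === RESULT.REJECT) {
      sawReject = true;
    }
  }

  if (sawTrack) {
    return { granted: true, label: 'Track',
             reason: sawReject ? 'Track/Allow policy found; it overrides the Reject policy'
                               : 'Track/Allow policy found' };
  }
  if (sawReject) {
    return { granted: false, label: 'Reject',
             reason: 'Reject policy found and no Track policy matched' };
  }
  // Unrecognised Result values: fail closed rather than open.
  return { granted: false, label: 'Absent',
           reason: 'no recognised Result value among matching policies: access denied' };
}

// Constructed sample: a Role policy rejects but a Scope policy tracks, so access is granted.
var sampleDecision = evaluateModuleAccess(
  [{ type: 'Role', result: 'Reject' }, { type: 'Scope', result: 'Track' }],
  'Reject'
);
console.log(sampleDecision.label + ': ' + sampleDecision.reason);
```

    The case worth noting for an audit is that the Default rule is ignored as soon as any granular policy matches: a permissive Default rule does not rescue a request that a single Reject policy denies, and a Track policy anywhere in the matched set grants access unless a StrictReject is present.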

    Helpful resources

    Use the Helpful resources section to find links to product documentation, relevant knowledge articles, and a brief description of how module access policies are evaluated on the platform. For a deeper look into how module access policies are evaluated, see Module access policy debugger.

    [Figure: Helpful resources section]

    Granular policies

    Use the Granular policies section to view lists of module access policies, separated by policy type. Use the tabs above the list to select a policy category to display.

    • Role
    • Scope
    • Scope and Domain (if Domain Separation is active)
    • Script
    • Resource exchange (if the cryptographic module is a Password2 or Column Level Encryption submodule)
    • Identity (if Secrets Management Enterprise is active)

    By default, each list displays only active policies. Use the filter icon to change the default filter for the list.

    [Figure: Granular policies section]

    Users with access

    Use the Users with access section to see a list of all users that have access to the selected cryptographic module. The list is grouped by user, because a single user can possess multiple roles that grant access to the same cryptographic module.

    [Figure: Users with access section]