Require AJAXGlideRecord ACL checking [Updated in Security Center 1.3]

  • Release version: Yokohama
  • Updated January 30, 2025

    Summary of Require AJAXGlideRecord ACL checking [Updated in Security Center 1.3]

    The glide.script.secure.ajaxgliderecord system property enforces Access Control List (ACL) validation when server-side records are accessed via GlideAjax APIs from client scripts. This ensures that users can only query data they are authorized to view, preventing unauthorized data exposure through client-side GlideAjax calls.

    This feature is critical for maintaining security, especially when using the AJAXGlideRecord (GlideAjax - Client) API, which enables querying server data from the client side in a manner similar to server-side GlideRecord queries.

    Key Features

    • ACL Enforcement on Client-Side API Calls: When enabled, all GlideAjax API calls validate ACLs, restricting data access to what the logged-in user is permitted to see.
    • Secure Default Setting: The property defaults to true, ensuring ACL checks are enforced by default, and the setting is a safe harbor property that cannot be reverted once changed.
    • GlideRecordSecure Recommendation: For enhanced security, ServiceNow recommends using GlideRecordSecure instead of GlideRecord, as it enforces stricter ACL controls out-of-the-box.
    • High Security Risk Without ACL Checks: Without ACL validation, GlideAjax calls can expose sensitive data to unauthorized users, representing a significant security risk.

    Practical Guidance for ServiceNow Customers

    • Ensure ACLs Are Properly Configured: Create and maintain appropriate ACLs for all script includes, processors, and other components invoked by GlideAjax calls to guarantee proper authorization.
    • Implement Authorization Methods: Use methods such as canRead(), canWrite(), canCreate(), and canDelete() in your server-side scripts to validate user permissions before accessing records.
    • Use GlideRecordSecure for Sensitive Data: Prefer GlideRecordSecure in server-side scripts accessed via GlideAjax to ensure ACL checks are strictly enforced.
    • Understand the Impact: Improper ACL configuration can lead to unauthorized data access. Review your ACLs and audit client-side GlideRecord transactions regularly to mitigate risks.

    Additional Notes

    • The property cannot be reverted once enabled, so careful consideration is required before changing its value.
    • This property is part of a broader set of security properties controlling script execution originating from the client, such as glide.script.use.sandbox and glide.script.allow.ajaxevaluate.

    Use the glide.script.secure.ajaxgliderecord property to perform access control rule (ACL) validation when server-side records, such as tables, are accessed using GlideAjax APIs within a client script.

    From client scripts, it is possible to query arbitrary data from the server using the AJAXGlideRecord (GlideAjax - Client) API, with a syntax similar to that of a server-side GlideRecord. It is a powerful and useful tool in many deployments.

    If you choose to apply Access Control Lists (ACL) to GlideAjax API calls, you can only query data to which the currently connected user has access. For example, if an ESS user who has no rights to read the cmn_location table is logged in, any GlideAjax API call to that table would fail.

    If the ServiceNow AI Platform is running without GlideAjax ACL call checking, an API can return information that the currently logged in user could not otherwise access.

    Use GlideRecordSecure when querying data to ensure the highest level of security. GlideRecord relies on ACL enforcement through configurations whereas GlideRecordSecure applies stricter security controls. GlideRecordSecure offers a more secure, out-of-the-box solution for handling sensitive data.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    Attribute: Description
    Property name: glide.script.secure.ajaxgliderecord
    Configuration type: System Properties (/sys_properties_list.do)
    Category: Access control
    Purpose: Ensure security ACLs are checked and validated even when the records are accessed through client-side APIs.
    Recommended value: true
    Default value: true
    Security risk rating: 8.1
    Functional impact: This remediation enforces the ACL relationship with server-side records when requests are made using AJAXGlideRecord API calls. If the ACLs are not configured properly, there is potential impact. For more details on the impact and how to identify it, see the Audit and review client-side GlideRecord (AJAXGlideRecord) transactions [KB0550828] article in the HI Knowledge Base.
    Security risk: (High) Through client scripts, it is possible to query arbitrary data from the server through the GlideAjax API. Server-side resources can be accessed without proper authorization, so using ACL validation helps the application validate the request based on the configured authorization.
    Workaround:

      Ensure that proper ACLs are created for script includes, processors, and other entities used by a GlideAjax (AJAXGlideRecord) API so that it executes under proper authorization.

      Implement methods like canRead(), canWrite(), canCreate(), and canDelete() to perform user authorization before accessing table records using GlideRecord.

      Another method is to use GlideRecordSecure. This class inherits from the server-side GlideRecord class; it performs the same functions as GlideRecord and also enforces ACLs.

    References: Apply ACLs to AJAXGlideRecord (client-side Glide record)
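
An inventory check for the functional impact described above, as an added example in JavaScript (not ServiceNow's code): it lists which client-side GlideRecord calls would be rejected for which roles once ACL checking is enforced. The script records, the role-to-table map and the function names are constructed assumptions; real ACL evaluation also involves conditions and scripts that this map does not model.

```javascript
// Constructed sample data (not from a real instance): client script bodies as
// they might be exported, and a simplified map of tables each role may read.
const clientScripts = [
  { name: 'Show caller location', script:
    "var loc = new GlideRecord('cmn_location');\n" +
    "loc.addQuery('sys_id', g_form.getValue('location'));\n" +
    "loc.query(function (r) { if (r.next()) g_form.setValue('city', r.city); });" },
  { name: 'Count open incidents', script:
    "// old: new GlideRecord('sys_user')\n" +
    'var inc = new GlideRecord("incident"); inc.query(done);' },
  { name: 'Generic lookup', script: 'var gr = new GlideRecord(tableName); gr.query(cb);' }
];
const readableTables = { ess: ['incident'], itil: ['incident', 'cmn_location'] };

// Tables a client script queries through client-side GlideRecord. Comments are
// stripped first (heuristic); a non-literal argument is reported as '<dynamic>'.
function tablesQueried(script) {
  const code = script.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/.*$/gm, '');
  const re = /new\s+GlideRecord\s*\(\s*(?:(['"])([\w.]+)\1|([^)]*))\s*\)/g;
  const found = new Set();
  let m;
  while ((m = re.exec(code)) !== null) found.add(m[2] || '<dynamic>');
  return [...found];
}

// For each script, report tables that at least one role cannot read (the call
// fails for that role under ACL enforcement) and dynamic table names, which
// cannot be resolved statically and need manual review.
function auditClientScripts(scripts, readable) {
  const findings = [];
  for (const { name, script } of scripts) {
    for (const table of tablesQueried(script)) {
      const blockedRoles = table === '<dynamic>' ? [] :
        Object.keys(readable).filter((role) => !readable[role].includes(table));
      if (table === '<dynamic>' || blockedRoles.length > 0) {
        findings.push({ script: name, table, blockedRoles });
      }
    }
  }
  return findings;
}

for (const f of auditClientScripts(clientScripts, readableTables)) {
  console.log(`${f.script}: ${f.table} -> ${f.blockedRoles.join(', ') || 'review manually'}`);
}
```

Each finding is either a table that needs a read ACL for the listed role or a script that should move its lookup into a server-side script include using GlideRecordSecure or explicit canRead() checks.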
    This property belongs to the same family of properties that secure and restrict execution of scripts originating from the client:

    To learn more about adding or creating a system property, see Add a system property.