Module access policy debugger

  • Release version: Yokohama
  • Updated January 30, 2025

    Use the module access policy debugger to review logging information and understand why your users are or aren’t granted access to an encryption context.

Module access policies (MAPs) define instance-level controls for access to cryptographic modules. Callers (for example, a user or script) require explicit access to use a cryptographic module for encryption and decryption. Use the debugger to see which policies are evaluated when a caller attempts to access a cryptographic module, and to learn why access is or isn’t being granted.

    This flowchart shows how your instance evaluates requests for access to a cryptographic module.

Flowchart showing how access to cryptographic modules is evaluated

    Control access to the debug logs

Access to the module access debug logs is determined by role. Users with the sn_kmf.admin and sn_kmf.cryptographic_manager roles have access to the debugger. Grant access to other roles using the glide.kmf.module_access_policies.debugger.authorized.roles system property. The value of this property is a comma-separated list of roles that are allowed to access the debug logs. Because the debug output reveals which policies exist on a module and how each one evaluates, keep this list as short as your troubleshooting needs allow.

    Enable or disable the debugger

To enable debug logging messages for module access policies, navigate to All > Diagnostics > Session Debug > Debug Module Access Policies.

When you’re finished debugging, disable the logging messages by navigating to All > Diagnostics > Session Debug > Disable All.

    Access the logs

After enabling debugging, navigate to a page that triggers a MAP evaluation to view the MAP debug logs. Debug messages appear at the bottom of the page.
Tip:
You can use impersonation to troubleshoot access for other users. For details on impersonation, see Impersonating users. To view the debug logs from the perspective of another user, make sure that the Impersonation field is set to true on your role-type module access policies; otherwise the evaluation does not reflect the impersonated user.
    Example debug output

In this example, a caller makes two access requests to the global.fuji cryptographic module: a symmetric encryption, which is granted, and a symmetric decryption, which is denied.

    Understanding log entries

    Debugging information is structured using this format.

1. The first line displays the cryptographic module receiving the access request.
2. The lines between the first and last display the evaluated MAPs in the order in which they were evaluated, including each policy’s name, type, target, granular operation, and result.
3. The last line displays the policy decision (if applicable) and the net access result for the caller (whether the caller is granted access).

    Each line starts with an icon that indicates its message type.

    Table 1. Message icons
    Icon Message type
    Informational icon Informational message
    MAP grant access icon Module access policy grants access
    MAP deny access icon Module access policy denies access
    Caller grant access icon Caller is granted access
    Caller deny access icon Caller is denied access
    No MAP icon No module access policy to evaluate
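
The following is an added illustration, not ServiceNow code: a small model of how a caller’s request to a cryptographic module is checked against module access policies and how the debugger’s three-part trace (module line, one line per evaluated MAP, decision line) is laid out. The policy fields are the ones the debugger reports (name, type, target, granular operation, result) and the marker strings stand in for the icons in Table 1. The combining rule (access is granted when at least one evaluated MAP grants it, and denied when there is no MAP to evaluate), the handling of the Impersonation field, the operation labels and the sample policies on the hypothetical module global.fuji are assumptions made for this example.

```javascript
// Added illustration, not ServiceNow code. Models MAP evaluation and the
// shape of the debugger trace; the combining rule, impersonation handling
// and sample policies are assumptions for this example.

// Marker text standing in for the icons in Table 1.
const ICON = {
  info: '[i]',
  mapGrant: '[MAP grant]',
  mapDeny: '[MAP deny]',
  callerGrant: '[caller granted]',
  callerDeny: '[caller denied]',
  noMap: '[no MAP]',
};

// Constructed sample policies on the hypothetical module global.fuji.
// Assumption: a role-type MAP grants the operation to a caller holding one of
// the listed roles, and only applies to an impersonated session when its
// Impersonation field is true.
const SAMPLE_POLICIES = [
  { name: 'fuji_symmetric_encrypt', type: 'role', target: 'global.fuji',
    operation: 'Symmetric Encryption', roles: ['itil'], impersonation: true },
  { name: 'fuji_symmetric_decrypt', type: 'role', target: 'global.fuji',
    operation: 'Symmetric Decryption', roles: ['sn_kmf.admin'], impersonation: false },
];

// Evaluate one policy for one caller; true means the MAP grants access.
function evaluatePolicy(policy, caller) {
  if (policy.type !== 'role') {
    return false; // other MAP types are outside this illustration
  }
  if (caller.impersonated && !policy.impersonation) {
    return false; // assumption: policy is not applied to impersonated sessions
  }
  return policy.roles.some(function (r) { return caller.roles.indexOf(r) !== -1; });
}

// Evaluate, in order, every MAP that targets the module and the granular
// operation, and build the trace:
//   line 1: the module receiving the request
//   middle: one line per evaluated MAP (name, type, target, operation, result)
//   last:   the policy decision and the caller's net result
function evaluateAccess(policies, moduleName, operation, caller) {
  const trace = [ICON.info + ' Access request to cryptographic module ' + moduleName
                 + ' for ' + operation + ' by ' + caller.name];
  const applicable = policies.filter(function (p) {
    return p.target === moduleName && p.operation === operation;
  });

  if (applicable.length === 0) {
    trace.push(ICON.noMap + ' No module access policy to evaluate');
    trace.push(ICON.callerDeny + ' Net result: caller is denied access');
    return { granted: false, evaluated: 0, trace: trace };
  }

  let anyGrant = false;
  applicable.forEach(function (p) {
    const ok = evaluatePolicy(p, caller);
    anyGrant = anyGrant || ok;
    trace.push((ok ? ICON.mapGrant : ICON.mapDeny) + ' MAP "' + p.name + '" type=' + p.type
               + ' target=' + p.target + ' operation="' + p.operation
               + '" result=' + (ok ? 'grant' : 'deny'));
  });

  trace.push((anyGrant ? ICON.callerGrant : ICON.callerDeny) + ' Policy decision: '
             + (anyGrant ? 'allow' : 'deny') + '; net result: caller is '
             + (anyGrant ? 'granted' : 'denied') + ' access');
  return { granted: anyGrant, evaluated: applicable.length, trace: trace };
}

// Reproduce the scenario in the text: a caller holding itil asks global.fuji
// for a symmetric encryption (granted) and a symmetric decryption (denied).
function runExample() {
  const caller = { name: 'itil.user', roles: ['itil'], impersonated: false };
  const enc = evaluateAccess(SAMPLE_POLICIES, 'global.fuji', 'Symmetric Encryption', caller);
  const dec = evaluateAccess(SAMPLE_POLICIES, 'global.fuji', 'Symmetric Decryption', caller);
  enc.trace.concat(dec.trace).forEach(function (line) { console.log(line); });
  return { encryptionGranted: enc.granted, decryptionGranted: dec.granted };
}

runExample();
```

Reading the trace the way the page describes it: the first line names the module, each middle line names one MAP with its result, and the last line carries the net decision. Requesting an operation that no MAP targets produces the "no module access policy to evaluate" line followed by a denial, and an impersonated session is denied by the decryption policy because its Impersonation field is false in this model.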

    Debug log examples

    Access granted message
    Debugging output for granted access
    Access denied message
    Debugging output for denied access
Access denied (no module access policies to evaluate)
    Debugging output for denied access due to no MAP policies
    Access denied (insufficient privileges)
    Debugging output for denied access due to insufficient privileges