ACL Audit Utility (#2302)

shivamvish160 · web-flow · commit 7ac71221f321 · 2025-10-19T08:48:10.000-07:00
diff --git a/Server-Side Components/Background Scripts/ACL Audit Utility/README.md b/Server-Side Components/Background Scripts/ACL Audit Utility/README.md
@@ -0,0 +1,24 @@
+# ACL Audit Utility for ServiceNow
+
+## Overview
+
+This script audits Access Control Lists (ACLs) in your ServiceNow instance to identify potential security misconfigurations. It helps ensure that ACLs are properly configured and do not unintentionally expose sensitive data.
+
+## Features
+
+- Detects **inactive ACLs**
+- Flags ACLs with **no condition or script**
+- Warns about **public read access** (ACLs with no roles assigned)
+- Logs findings using `gs.info()` and `gs.warning()` for visibility
+
+## Usage
+
+1. Navigate to **System Definition >Scripts - Background** in your ServiceNow instance.
+2. Create a new Script Include named `ACL_Audit_Utility`.
+3. Paste the contents of `code.js` into the script field.
+
+
+## Notes
+
+- This script does not make any changes to ACLs; it only audits and logs findings.
+- You can extend the script to send email notifications or create audit records in a custom table.
diff --git a/Server-Side Components/Background Scripts/ACL Audit Utility/code.js b/Server-Side Components/Background Scripts/ACL Audit Utility/code.js
@@ -0,0 +1,31 @@
+
+    // Description: Audits ACLs for potential misconfigurations and logs findings.
+
+    var grACL = new GlideRecord('sys_security_acl');
+    grACL.query();
+
+    while (grACL.next()) {
+        var aclName = grACL.name.toString();
+        var type = grACL.type.toString();
+        var operation = grACL.operation.toString();
+        var active = grACL.active;
+
+        // Check for ACLs that are inactive
+        if (!active) {
+            gs.info('[ACL Audit] Inactive ACL found: ' + aclName + ' | Operation: ' + operation);
+            continue;
+        }
+
+        // Check for ACLs with no condition or script
+        var hasCondition = grACL.condition && grACL.condition.toString().trim() !== '';
+        var hasScript = grACL.script && grACL.script.toString().trim() !== '';
+
+        if (!hasCondition && !hasScript) {
+            gs.warning('[ACL Audit] ACL with no condition or script: ' + aclName + ' | Operation: ' + operation);
+        }
+
+        // Check for ACLs granting 'read' access to 'public'
+        if (operation === 'read' && grACL.roles.toString() === '') {
+            gs.warning('[ACL Audit] Public read access detected: ' + aclName);
+        }
+    }
