Skip to content

ACL Audit Utility #2302

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Oct 19, 2025
Merged

ACL Audit Utility #2302

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2f1771d
Create README.md
shivamvish160 Oct 19, 2025
44e4732
Create code.js
shivamvish160 Oct 19, 2025
7c453bd
Update README.md
shivamvish160 Oct 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions Server-Side Components/Background Scripts/ACL Audit Utility/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# ACL Audit Utility for ServiceNow

## Overview

This script audits Access Control Lists (ACLs) in your ServiceNow instance to identify potential security misconfigurations. It helps ensure that ACLs are properly configured and do not unintentionally expose sensitive data.

## Features

- Detects **inactive ACLs**
- Flags ACLs with **no condition or script**
- Warns about **public read access** (ACLs with no roles assigned)
- Logs findings using `gs.info()` and `gs.warning()` for visibility

## Usage

1. Navigate to **System Definition >Scripts - Background** in your ServiceNow instance.
2. Create a new Script Include named `ACL_Audit_Utility`.
3. Paste the contents of `code.js` into the script field.


## Notes

- This script does not make any changes to ACLs; it only audits and logs findings.
- You can extend the script to send email notifications or create audit records in a custom table.
31 changes: 31 additions & 0 deletions Server-Side Components/Background Scripts/ACL Audit Utility/code.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@

// Description: Audits ACLs for potential misconfigurations and logs findings.

var grACL = new GlideRecord('sys_security_acl');
grACL.query();

while (grACL.next()) {
var aclName = grACL.name.toString();
var type = grACL.type.toString();
var operation = grACL.operation.toString();
var active = grACL.active;

// Check for ACLs that are inactive
if (!active) {
gs.info('[ACL Audit] Inactive ACL found: ' + aclName + ' | Operation: ' + operation);
continue;
}

// Check for ACLs with no condition or script
var hasCondition = grACL.condition && grACL.condition.toString().trim() !== '';
var hasScript = grACL.script && grACL.script.toString().trim() !== '';

if (!hasCondition && !hasScript) {
gs.warning('[ACL Audit] ACL with no condition or script: ' + aclName + ' | Operation: ' + operation);
}

// Check for ACLs granting 'read' access to 'public'
if (operation === 'read' && grACL.roles.toString() === '') {
gs.warning('[ACL Audit] Public read access detected: ' + aclName);
}
}
Loading