Skip to main content

ServiceNow Configuration Parameter

TODO

System Property x_a46gh_squidx.allowAclOverride

ServiceNow ACLs from a data export perspective

While ACLs are a valuable tool in restricting data access for human UI users, they cause serious problems when used for technical data exports.

Depending on the data being accessed, we are confronted with sometimes hundreds of Access Control Rules - each of which can prevent access to the requested data. Each of which may be defined or changed by a member of your ServiceNow development team.

Yeah... that is what ACLs are for! What's the problem?!

The problem is, that you will not notice that data is missing. It just won't be there. No error message. No 'access denied'. Best case will be if you don't get any data at all. Then you'll notice that something is wrong. Worst case is when only 10% of your data is missing.

Well... we'll notice the missing 10% data at some point in time. I still don't get why this is critical!

That depends on your use case. One customer exports all known MAC addresses to a Network Access Control system. If your MAC isn't registered, access to the network is denied. That includes about 1000 ATMs. 'we'll notice the missing 10% data at some point in time'? That point in time will come extremely fast - together with the corresponding press coverage.

Long story short: squid by arc46 is often used for critical infrastructure integrations. These usually have no margin for error. ACLs introduce a huge amount of error potential. Don't use ACLs for mission-critical data!

Ok, but what about security?

We take data security extremely seriously.

  • Configurations may be restricted to certain roles
  • Configurations only provide data explicitly granted by views
  • Data may be further restricted by a view filter
  • Encoded Queries are checked for forbidden operators that would allow callers to circumvent the above-mentioned features.

We are fully aware of the fact that squid by arc46 often provides sensitive data and have taken all measures to ensure the safety of that data.

Well then just do it... we can't

Just as arc46, ServiceNow takes its responsibility to its customers very seriously and wants to protect you from applications that could compromise your data security. ServiceNow guidelines therefore require us to respect ACLs by default and arc46 of course respects and follows these guidelines.

According to the ServiceNow guidelines we - as arc46 - may not decide to ignore ACLs. That is up to you, the customer. YOU have to take action and explicitly allow us to directly access data.

This is done be setting the system property x_a46gh_squidx.allowAclOverride to true.

Support restriction

arc46 cannot and will not offer any support unless this system property is set to true.

System Property glide.db.max_view_records

Specify the number of records to return for a database view when the view is used in a script.

A property called glide.db.max_view_records controls the maximum number of rows returned when running a GlideRecord query in a script. The default value for this property is 10000. To change this value, add the property to the System Property [sys_properties] table and edit the number of rows to return.

Source: ServiceNow Washington DC Now Platform Administration - Specify the number of records to return

If this threshold is breached this will be logged as

08.04.2024 16:50:21 Warning 2024-04-08 16:50:21.708 - The current rowCount of 10001 is greater than the value set as system property 'glide.db.max_view_records': 10000. Records could be missing. Please check the amount of records you are expecting.

and the returned JSON will include a warning

{
  "metadata": {
    ...,
    "row_count": 10001,
    "warnings": [
      "The current rowCount of 10001 is greater than the value set as system property 'glide.db.max_view_records': 10000. Records could be missing. Please check the amount of records you are expecting."
    ]
  },
  ...
}

If you see these warnings, please consider increasing the glide.db.max_view_records value or restricting your queries.

Squid intentionally does not sort or page data. What entities are returned if this threshold is breached is totally arbitrary.

Rest and JSON Catch All Transaction Quota Rule

Please check the settings of

Suggested Relations

System Definition > Transaction Quota Rules > REST and JSON Catch All

The default value for Maximum Duration (seconds) of 300 (5 minutes) may cause problems in larger systems. System behavior is undefined if the threshold is breached. It is highly probable that the returned JSON will just abruptly stop.

Please consider increasing this value to 900 (15 minutes) or more depending on your data volume.

See ServiceNow Knowledge Base - Maximum execution time exceeded error while making an inbound REST call

Last updated on