High security settings

This article is based on the ServiceNow documentation article. See the original article on the ServiceNow doc site: ServiceNow: High Security Settings.

High Security Settings refer to several security options available in your instance.

The High Security Settings module is activated with the High Security Settings plugin, which is active by default on new instances. If High Security Settings are not active on your instance, see Requesting High Security Settings activation. To learn more about this plugin, see High security plugin (instance security hardening) in the Instance Security Hardening Guide.

Properties for these types of high security settings are available:

  • Default property values: Hardens security on your platform by centralizing all critical security settings in one location for management and auditing.
  • Default deny property: Provides a security manager property to control the default security behavior for table access.
  • Security Administrator role: Provides a role to prevent modification of key security settings and resources. The Security Administrator role is not inherited by the admin role and must be explicitly assigned.
  • Elevated privileges: Allows users with the security admin role to operate in the context of a normal user and elevate to a higher security role when needed.
  • Property access controls: Allows security administrators to set the roles required to read and write properties.
  • Transaction and system logs: Are read-only.
  • Access control rules: Control what data users can access and how they can access it.

High Security Settings also automatically activates the Contextual Security plugin if it is not already active. In addition, Platform Security Settings - High delivers settings and features that increase the security of your instance.

The Instance Security Hardening Settings content contains detailed descriptions and compliance values for the security-related system properties and plugins in the Now Platform. To learn more about each of these properties, see Instance Security Hardening Settings.

To set or change High Security Settings properties

There are two ways to set or change High Security Settings properties.

  • Navigate to System Security > High Security Settings.

    Options on the High Security Properties page are Yes or No.

  • Navigate to sys_properties.list and search for the property you want to set or change.

    Options in the System Properties table [sys_properties.list] are true or false.

Property access control

Two additional columns are created in the Properties [sys_properties] table when High Security Settings are active:

  • read_roles: A comma-separated list of role names that are allowed to read all fields of this property.
  • write_roles: A comma-separated list of role names that are allowed to write/modify all fields of this property.

Properties listed in the Properties table have read_roles of admin, and write_roles of security_admin. Users with the admin role can view and read the property values, but must elevate to the security_admin role to modify them.
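The following added example is not part of the ServiceNow documentation. It checks rows exported from the Properties [sys_properties] table against the role values described above and reports any read_roles or write_roles list that differs from them. The row shape, the property names, and the choice to require an exact match are assumptions made for illustration.

```javascript
// Added example: checks exported sys_properties rows against the baseline
// stated above (read_roles = admin, write_roles = security_admin).
// Row shape, property names and the exact-match policy are assumptions.
const BASELINE = { read_roles: ['admin'], write_roles: ['security_admin'] };

// Split a comma-separated role list into trimmed, unique role names.
function parseRoles(value) {
  if (typeof value !== 'string') return [];
  const roles = value.split(',').map((r) => r.trim()).filter(Boolean);
  return [...new Set(roles)];
}

// Return one finding per column whose role list differs from the baseline.
function auditPropertyRoles(rows, baseline = BASELINE) {
  const findings = [];
  for (const row of rows) {
    for (const [column, expected] of Object.entries(baseline)) {
      const actual = parseRoles(row[column]);
      const missing = expected.filter((r) => !actual.includes(r));
      const extra = actual.filter((r) => !expected.includes(r));
      if (missing.length === 0 && extra.length === 0) continue;
      const issue = actual.length === 0 ? 'empty' : 'deviates';
      findings.push({ name: row.name, column, issue, missing, extra });
    }
  }
  return findings;
}

// Constructed sample rows (not real instance data or real property names).
const SAMPLE_ROWS = [
  { name: 'x_example.prop.ok', read_roles: 'admin', write_roles: 'security_admin' },
  { name: 'x_example.prop.wide_write', read_roles: 'admin', write_roles: 'security_admin, admin' },
  { name: 'x_example.prop.no_write', read_roles: ' admin ', write_roles: '' },
  { name: 'x_example.prop.other_read', read_roles: 'itil,admin', write_roles: 'security_admin' },
];

for (const f of auditPropertyRoles(SAMPLE_ROWS)) {
  console.log(`${f.name} ${f.column}: ${f.issue} missing=[${f.missing}] extra=[${f.extra}]`);
}
```

A finding with extra roles in write_roles means the property can be changed without elevating to security_admin, which is the case worth reviewing first.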

Notifications

Activation of high security settings also activates security warning messages. The following is an example of a message that appears after an approval.

Security Warning notification

High Security Settings properties

See the full list in ServiceNow: High Security Settings.

Last modified on Jun 23, 2020