Another is that most of the articles in the ServiceNow Knowledge Base are secured by employees using what ServiceNow calls User Criteria. This is a security feature that automatically denies access to KB articles unless a User Criteria record is set that includes the users to be allowed access. This capability was added in March 2020. However, Costello said, many ServiceNow enterprise instances have been around for a long time, causing them to retain the insecure value of ‘allowing public access by default’. This was the case in about 60% of the instances he analyzed. Even if the site is configured securely, he added, simply setting ‘Can Contribute’ criteria on a knowledge base will still allow unauthenticated users to read unsecured articles within it.
In addition, out-of-the-box User Criteria can be misleading to the untrained eye, Costello said. Although there is a clearly labelled ‘Guest User’ criteria for granting unauthenticated access, many administrators are unaware that other criteria whose conditions are left unspecified also grant access to unauthenticated users.
And more often than not, when User Criteria are set, they are set only on the allow list (‘Can Read’), says Costello; the deny list (‘Cannot Read’) is left unused as a result. Because of the complex nature of User Criteria, this can allow external users to log in and be granted access.
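To make the three findings above concrete, here is an added audit model, written for this article and not ServiceNow's own code. It encodes the evaluation rules the article describes as assumptions (deny unless a ‘Can Read’ criteria matches; legacy instances default to public access when no criteria are set; a ‘Cannot Read’ match overrides ‘Can Read’; a criteria with no conditions matches everyone, guests included) and flags every knowledge base an unauthenticated visitor could read. The knowledge bases, criteria names and group names are constructed sample data.

```python
"""Constructed model of how ServiceNow Knowledge Base User Criteria decide
read access, used to audit which knowledge bases an unauthenticated visitor
could read.  Illustrative model written for this article, not ServiceNow
code; the evaluation rules are assumptions drawn from the article text."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    authenticated: bool
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()


# The unauthenticated visitor the audit checks against
GUEST = User(authenticated=False)


@dataclass(frozen=True)
class Criteria:
    """One User Criteria record.  A record with no conditions at all is
    assumed to match every user, guests included (the 'unspecified
    criteria' the article warns about)."""
    name: str
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()
    guest: bool = False  # models the out-of-the-box 'Guest User' criteria

    def has_conditions(self):
        return bool(self.roles or self.groups or self.guest)

    def matches(self, user):
        if not self.has_conditions():
            return True
        if self.guest and not user.authenticated:
            return True
        return bool(self.roles & user.roles or self.groups & user.groups)


@dataclass
class KnowledgeBase:
    name: str
    can_read: list = field(default_factory=list)
    cannot_read: list = field(default_factory=list)


def can_user_read(kb, user, legacy_public_default):
    """Assumed evaluation order: a Cannot Read match denies; otherwise a
    Can Read match allows; with no Can Read criteria at all the instance
    default decides (True on legacy 'public by default' instances)."""
    if any(c.matches(user) for c in kb.cannot_read):
        return False
    if not kb.can_read:
        return legacy_public_default
    return any(c.matches(user) for c in kb.can_read)


def audit_guest_exposure(kbs, legacy_public_default):
    """Return (kb name, reason) for every knowledge base a guest can read."""
    findings = []
    for kb in kbs:
        if not can_user_read(kb, GUEST, legacy_public_default):
            continue
        if not kb.can_read:
            reason = "no Can Read criteria set and instance still allows public access by default"
        else:
            culprit = next(c for c in kb.can_read if c.matches(GUEST))
            if culprit.guest:
                reason = f"Can Read includes the '{culprit.name}' criteria"
            else:
                reason = f"Can Read includes '{culprit.name}', which has no conditions and so matches guests"
        findings.append((kb.name, reason))
    return findings


# Constructed sample criteria and knowledge bases (not from any real instance)
GUEST_USER = Criteria("Guest User", guest=True)
EVERYONE = Criteria("Everyone")  # no conditions at all
FINANCE_STAFF = Criteria("Finance staff", groups=frozenset({"finance"}))

SAMPLE_KBS = [
    KnowledgeBase("HR Policies"),                                   # relies on instance default
    KnowledgeBase("IT Self-Service", can_read=[GUEST_USER]),        # explicitly public
    KnowledgeBase("Engineering Wiki", can_read=[EVERYONE]),         # looks restricted, is not
    KnowledgeBase("Finance Procedures", can_read=[FINANCE_STAFF]),  # properly scoped
    KnowledgeBase("Onboarding", can_read=[EVERYONE], cannot_read=[GUEST_USER]),  # deny list used
]

if __name__ == "__main__":
    for legacy in (True, False):
        print(f"legacy public default = {legacy}")
        for name, reason in audit_guest_exposure(SAMPLE_KBS, legacy):
            print(f"  {name}: {reason}")
```

Running the audit with the legacy default on reports three exposed knowledge bases; turning it off removes only ‘HR Policies’ from the list, because the other two are exposed by their own ‘Can Read’ entries rather than by the instance setting. ‘Onboarding’ shows the value of the ‘Cannot Read’ list the article says is usually ignored: a single ‘Guest User’ entry there closes the gap left by an over-broad allow list.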