ACC Plugin-specific Allow Lists

Summary

Some out-of-box Agent Client Collector (ACC) Plugins (aka Assets) contain an allow list specific to the plugin.

Table of Contents

- Examples
- The expected behaviour
- This should not be an issue for you, unless you...
- Additional Information:

Examples

You will see the files within the cache folder of your ACC installs. These lists are often changed between app versions.

This entry would allow checks to run check-head-redirect.rb with any combination of arguments:

C:\ProgramData\ServiceNow\agent-client-collector\cache\monitoring-plugin-common\allow_list\check-allow-list.json (ACC-M v3.4.0)

    [
      {
        "args": [ "" ],
        "exec": "check-head-redirect.rb",
        "skip_arguments": true
    ...

The following would only allow these 3 specific sets of arguments for ACC-F and ACC-V's Host Discovery. In this example you would be unable to run just the basic_inventory child script in a custom check. This example is already out-of-date as I write, because the August 2022 release versions changed this command to allow any arguments.

C:\ProgramData\ServiceNow\agent-client-collector\cache\acc-visibility-modules\allow_list\check-allow-list.json (ACC-V 2.2.0)

    [
      {
        "args": [
          "--compact --select=basic_inventory,file_systems,serial_numbers,network_adapters,tcp_connections,storage_devices,running_processes,local_users",
          "--compact --select=basic_inventory,installed_software",
          "--compact --select=basic_inventory,installed_software,sam_advanced"
        ],
        "exec": "endpoint_discovery.rb",
        "skip_arguments": false
      },
    ...

The expected behaviour

- The plugin's allow list applies only to the commands/scripts and their arguments when the scripts in that plugin are run.
- For any particular command, the plugin allow list will take precedence over anything in the global allow list specified in the acc.yml. e.g. If the global allow list and plugin allow list include the same command but with different arguments, only the arguments specified in the plugin allow list are allowed.
- If a global allow list is used, then all plugin allow lists will also be used.
- Plugin-specific allow lists cannot be turned off individually.
- If a command in the allow list does not have "skip_arguments" set to true, then only the specifically listed arguments are allowed for that command.
- Only if the global allow list is turned off would the ACC Plugin-specific allow lists also not be used.
- Changing a plugin-specific allow list would require editing the file within the tar.gz, then re-packing and signing the plugin file. It will then become a customisation that will be skipped in future upgrades of the out-of-box plugin versions, potentially causing code mismatches and issues.

This should not be an issue for you, unless you...

- Run commands in custom checks re-using scripts in out-of-box ACC Plugins, but with different arguments that are not covered by the plugin's allow list. You may need to create a custom plugin, copying some scripts into it from the OOTB plugin, to avoid customising the OOTB plugin file.
- Have upgraded some ACC-related Instance Apps but not all of them at the same time, e.g. ACC-F upgraded, but ACC-V still on a previous version. There are interdependencies between the scripts in the plugins of these apps, so all ACC apps should be upgraded at the same time, and a new global allow list should be pushed out using your automation, if necessary, to match. If you don't do this, you may see "check command denied by the agent allow list" errors from out-of-box checks.

Additional Information:

- ServiceNow does not support turning off the allow list function. It can be done, perhaps when testing or debugging, but it would be an unacceptable security risk to deliberately set this in production.
- There are no plans to add a feature that would allow pushing new global allow lists, or acc.yml allow list settings, to ACC installs via the instance. This would defeat the purpose of the allow list. If a bad actor added unauthorised scripts to the instance checks or plugins, you would not want the changes needed to allow them to run to also be possible from the instance side.
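
The precedence rules listed under "The expected behaviour", modelled as an added Ruby example for pre-checking a custom check command before rollout; this is not ServiceNow's code or the agent's actual matching logic. The evaluate helper, the JSON shape used for the global list, and exact-string argument matching are assumptions, and both sample lists are constructed from the excerpts above.

```ruby
require 'json'

# Constructed sample in the shape of the plugin allow list excerpts above.
PLUGIN_ALLOW_LIST = JSON.parse(<<~JSON)
  [
    { "args": ["--compact --select=basic_inventory,installed_software"],
      "exec": "endpoint_discovery.rb", "skip_arguments": false },
    { "args": [""], "exec": "check-head-redirect.rb", "skip_arguments": true }
  ]
JSON

# Constructed global list. Assumption: same entry shape as the plugin files;
# the page does not show how acc.yml stores the global allow list.
GLOBAL_ALLOW_LIST = JSON.parse(<<~JSON)
  [
    { "args": [""], "exec": "endpoint_discovery.rb", "skip_arguments": true },
    { "args": ["-w 80 -c 90"], "exec": "custom-disk.rb", "skip_arguments": false }
  ]
JSON

# Does one allow-list entry permit this argument string?
# Assumption: arguments are compared as one exact string.
def entry_permits?(entry, args)
  entry['skip_arguments'] == true || entry['args'].include?(args)
end

# Returns [allowed, reason] for a check command run from the plugin that owns
# plugin_list. Hypothetical helper following the page's rules, not an ACC API.
def evaluate(exec_name, args, plugin_list:, global_list:, global_enabled: true)
  # Global allow list turned off: plugin allow lists are not used either.
  return [true, 'allow list disabled'] unless global_enabled

  # A plugin entry for the command takes precedence over any global entry.
  plugin_entries = plugin_list.select { |e| e['exec'] == exec_name }
  unless plugin_entries.empty?
    ok = plugin_entries.any? { |e| entry_permits?(e, args) }
    return [ok, ok ? 'plugin allow list' : 'denied by plugin allow list']
  end

  # No plugin entry: fall back to the global allow list.
  global_entries = global_list.select { |e| e['exec'] == exec_name }
  return [false, 'not in any allow list'] if global_entries.empty?

  ok = global_entries.any? { |e| entry_permits?(e, args) }
  [ok, ok ? 'global allow list' : 'denied by global allow list']
end
```

Running a planned custom check command through evaluate shows the upgrade pitfall described above: a global entry with skip_arguments set to true does not help when the plugin's own list names the same script with a fixed set of arguments.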