Protection Policy as applied to Script Include records is not honored on target instance when submitted by update set

Summary

Users may unexpectedly find that the "Protection Policy" set on certain record types, such as Script Include records, is not honored when the objects are transferred to the target instance through an Update Set. These records are then still visible and editable by users having the correct ACL permissions.

Release

This happens in all known versions of the ServiceNow product, past versions as well as all currently known versions.

Instructions

Although not well documented, there is a slight inconsistency in how the "Protection Policy" on scoped records (such as Script Include [sys_script_include]) is handled when these objects are transferred from a developer instance to another instance.

If a record with a particular Protection Policy is transferred from the source instance to the target instance through publication of its associated application to the ServiceNow Store, the target instance will, as expected, honor that Protection Policy as it was originally set on the source instance. Thus, records that are set with a read-only Protection Policy will remain uneditable on the target instance, and those with a "Protected" Protection Policy will not be readable on the target instance of an install.

However, if that same object is transferred through an Update Set (or a direct XML file export/import), that Protection Policy will NOT be honored on the target instance. Regardless of the Protection Policy setting, the record will be viewable and editable by users with the appropriate ACL permissions for that record, and the Protection Policy as set for that object will be ignored on the target instance.
This occurs if the entire application is packaged as a single update set, exported as an application, and later installed on another target instance, or if the object is part of an update set that contains a smaller subset of objects associated with an application already installed on that target instance.

This is currently the known, expected and intended result, because transferring these records through an update set does not run the same internal functionality as the ServiceNow publishing engine. This is one of the reasons why it is usually recommended, where possible, that customers handle their application management through publication and installation from the ServiceNow Store (or Federal Store). Application objects that are transferred through the normal publication process will retain any Protection Policy that was set on the developer (publishing) instance.

Of course, those with the proper rights could also modify the Protection Policy on the records on the target instance. However, this is not recommended, as it would cause the record on the target instance to be registered as "customized", and it would then not automatically receive changes in later updates from another instance.
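A pre-migration check for the behaviour described above, as an added example that is not ServiceNow's code: it lists the records in an exported update set XML whose Protection Policy is set and will therefore not be enforced after import. The `sys_policy` field name with the values `read` and `protected`, the export layout, and all sample records are assumptions or constructed values, not taken from this article.

```python
import xml.etree.ElementTree as ET

def _row(name, table, rec_name, policy):
    """Build one constructed <sys_update_xml> row (assumed export layout)."""
    return (f"<sys_update_xml><name>{name}</name><payload><![CDATA["
            f'<record_update table="{table}"><{table} action="INSERT_OR_UPDATE">'
            f"<name>{rec_name}</name><sys_policy>{policy}</sys_policy>"
            f"</{table}></record_update>]]></payload></sys_update_xml>")

# Constructed sample export: two protected records, one unprotected record,
# and one row whose payload is damaged.
SAMPLE_EXPORT = (
    "<unload>"
    + _row("sys_script_include_0001", "sys_script_include", "LicenseCheck", "protected")
    + _row("sys_script_include_0002", "sys_script_include", "PricingRules", "read")
    + _row("sys_script_include_0003", "sys_script_include", "OpenHelper", "")
    + "<sys_update_xml><name>broken_row</name>"
      "<payload><![CDATA[<record_update]]></payload></sys_update_xml>"
    + "</unload>"
)

def find_policy_records(export_xml):
    """Return (update name, table, record name, policy) for each record whose
    Protection Policy is set; unreadable payloads are reported, not skipped."""
    findings = []
    root = ET.fromstring(export_xml.encode("utf-8"))
    for update in root.iter("sys_update_xml"):
        update_name = update.findtext("name")
        payload = (update.findtext("payload") or "").strip()
        if not payload:
            continue
        try:
            record_update = ET.fromstring(payload.encode("utf-8"))
        except ET.ParseError:
            findings.append((update_name, None, None, "unparsed-payload"))
            continue
        for record in record_update:  # child element tag is the table name
            policy = (record.findtext("sys_policy") or "").strip()
            if policy in ("read", "protected"):
                findings.append(
                    (update_name, record.tag, record.findtext("name"), policy))
    return findings

if __name__ == "__main__":
    for update_name, table, rec_name, policy in find_policy_records(SAMPLE_EXPORT):
        print(f"{update_name}: {table} '{rec_name}' policy={policy} "
              "(not enforced when moved by update set)")
```

Any record it reports should be reviewed before the update set is committed, since on the target instance only ACLs will restrict who can read or edit it.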