Securing Reference Qualifier Fields in ServiceNow

Issue

When performing a lookup on reference qualifier fields in ServiceNow, there is a concern about potential payload manipulation, which could lead to unauthorized access to data.

Symptoms

- Users observe network requests to angular.do?sysparm_type=sp_ref_list_data when entering values in reference fields.
- Concerns about the security of data access through these requests.

Facts

- The sys_id parameter is used to uniquely identify records in ServiceNow.
- Access to data is controlled by Access Control Lists (ACLs).
- Proper configuration of roles and permissions is essential to prevent unauthorized data access.

Release

Applicable to all current ServiceNow releases where reference qualifier fields are used.

Cause

Potential misconfiguration of ACLs or roles, leading to concerns about unauthorized data access through manipulated payloads.

Resolution

- Review User Roles: Ensure roles assigned to users follow the principle of least privilege to minimize access to sensitive data.
- Utilize Access Analyzer: Use the Access Analyzer tool to review and understand user permissions and data access patterns.
- Configure ACLs: Properly configure ACLs to restrict data access based on user roles and permissions.
- Secure sys_id Usage: Ensure that the sys_id parameter is not exploited to gain unauthorized access to data.
- Refer to Documentation: Consult ServiceNow documentation for guidance on Access Analyzer, ACL debugging tools, and access control list rules:
  - Using Access Analyzer
  - ACL Debugging Tools
  - Configuring an ACL rule
- Use ServiceNow Security Center: Leverage the ServiceNow Security Center to assess and enhance the security posture of your instance, and configure security-related system properties and plugins.

Related Links

- ServiceNow Security Center
- Instance Security Best Practices (Download PDF Guide)
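
As an added illustration of the "Configure ACLs" step (example code, not from ServiceNow or this article), the following Node.js script checks exported ACL rows for every table a reference field points to and flags tables whose table-level read rule is missing or unrestricted. The u_* tables, the roles array and the sample rows are constructed assumptions, and the script models only table-level read rules, not parent-table, field-level or wildcard evaluation.

```javascript
// Constructed sample data, not from a real instance. Field names follow
// sys_dictionary (name, element, reference) and sys_security_acl (name,
// operation, type, active, condition, script). "roles" is an assumed
// flattening of the related sys_security_acl_role rows; u_* tables are hypothetical.
const referenceFields = [
  { name: 'u_request', element: 'u_customer', reference: 'u_customer' },
  { name: 'u_request', element: 'u_site', reference: 'u_site' },
  { name: 'u_request', element: 'u_contract', reference: 'u_contract' },
  { name: 'u_invoice', element: 'u_contract', reference: 'u_contract' },
];
const aclRecords = [
  { name: 'u_customer', operation: 'read', type: 'record', active: true, roles: [], condition: '', script: '' },
  { name: 'u_site', operation: 'read', type: 'record', active: true, roles: ['u_site_reader'], condition: '', script: '' },
  { name: 'u_contract', operation: 'read', type: 'record', active: false, roles: ['u_contract_reader'], condition: '', script: '' },
  { name: 'u_contract', operation: 'write', type: 'record', active: true, roles: ['u_contract_admin'], condition: '', script: '' },
];

// An ACL with no role, condition or script places no restriction on who passes it.
const isUnrestricted = (acl) => acl.roles.length === 0 && !acl.condition && !acl.script;

// For every table that a reference field points at, check the table-level read ACLs.
function auditReferenceTargets(fields, acls) {
  const findings = [];
  for (const table of new Set(fields.map((f) => f.reference))) {
    const usedBy = fields.filter((f) => f.reference === table).map((f) => `${f.name}.${f.element}`);
    const readAcls = acls.filter((a) =>
      a.active && a.type === 'record' && a.operation === 'read' && a.name === table);
    if (readAcls.length === 0) {
      // Access then depends on parent-table or wildcard rules: review by hand.
      findings.push({ table, usedBy, issue: 'no-active-table-read-acl' });
    } else if (readAcls.some(isUnrestricted)) {
      findings.push({ table, usedBy, issue: 'unrestricted-read-acl' });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditReferenceTargets(referenceFields, aclRecords), null, 2));
```

Each finding lists the reference fields that expose the table, so the ACL can be reviewed alongside the forms and widgets that query it.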