Scripting Governance tool and Conditional Script Writer group overview

Issue

Understand the Scripting Governance tool and Conditional Script Writer group introduced in the Zurich release, including how automatic user provisioning works and how to manage scripting permissions.

The Scripting Governance tool provides granular control over who can edit scripts and scriptable fields. Users are automatically added to the Conditional Script Writer group during the Zurich upgrade to maintain existing access. This article explains how the feature works and how to configure it.

Release

Beginning with the Zurich release

Resolution

What is the Scripting Governance tool?

The Scripting Governance tool introduces granular control over who can edit any type of script. Several ACLs on *.[script] restrict access to scripting capabilities by denying scripting access unless users have the snc_required_script_writer_permission role explicitly assigned.

The tool monitors any action where a user saves data into a field that could contain executable code.
This includes:

- Business rules
- Client scripts
- Script includes
- UI policies
- Background scripts
- HTML fields that allow script tags
- Any other scriptable elements

Unlike traditional controls that only track changes to explicit scripting artifacts, the Scripting Governance tool monitors any modification to fields capable of holding executable content.

Important: Even administrators who typically have full access cannot modify scriptable elements unless they are members of the Conditional Script Writer group or have the snc_required_script_writer_permission role.

What is the Conditional Script Writer group?

The Conditional Script Writer group controls which users can edit scripts and scriptable fields. Members of this group are granted the snc_required_script_writer_permission role.

During the Zurich upgrade, all current users meeting the criteria were automatically added to this group to maintain continuity with previous versions and prevent users from losing access to create or edit scripts.

How does automatic provisioning work?

The system property glide.security.scripting_role.auto_provisioning controls whether users are automatically added to the Conditional Script Writer group.

- When set to true (the default value): Users are automatically provisioned with scripting permissions.
- When set to false: Automatic assignment is disabled. Admins must manually grant the role to users who require scripting access.

Note: Once this property is set to false, it cannot be reverted back to true through the UI. See the Workaround section if you need to re-enable auto-provisioning.

Which users are added to the group?

The following rules determine whether a user is added to the Conditional Script Writer group:

If the explicit role plugin is enabled:

- External users are not added to the group.
- Internal users must have at least one additional role besides snc_internal to be included.

If the explicit role plugin is disabled:

- Users must have at least one role to qualify for group assignment.

What scheduled jobs manage provisioning?

Two scheduled jobs in sys_trigger manage provisioning of users into the Conditional Script Writer group:

Add Users to Conditional Script Writer Group

- This job performs the initial provisioning of existing users into the Conditional Script Writer group immediately after upgrading to Zurich.
- It runs once, then the platform automatically disables it.
- Its purpose is to verify that all existing users retain their previous level of scripting access after the upgrade.

Update Users in Conditional Script Writer

- This job handles ongoing automatic provisioning after the initial upgrade.
- It adds users to the Conditional Script Writer group only if the system property glide.security.scripting_role.auto_provisioning is set to true.

Note: The system property glide.security.scripting_role.auto_provisioning is created dynamically after the initial provisioning job completes. Because it is created at runtime, the property has different sys_ids across different instances.

How does this affect existing access?

This role works on top of existing roles and access controls. It does not grant additional access to tables or records.

- Example 1: An ITIL user who does not have access to client scripts or business rules for certain tables will not gain access by being added to the Conditional Script Writer group.
- Example 2: An admin who has access to scripts and business rules will not be able to edit them unless they also have this role or are assigned to this group.
- Example 3: A user with access to HTML fields who does not have this role can read the fields but cannot edit them.

Why are HTML fields included?

HTML fields can contain executable code, such as script tags. The Scripting Governance tool monitors any action where a user saves content in a field that has the potential to contain executable code. The tool's purpose is to identify anyone who writes to a field secured by script-writing permissions, regardless of their intent.
The scan can detect users who have modified records containing HTML or other field types capable of holding executable content.

Why is the auto-assignment toggle switch not working in the dashboard?

The toggle for auto-assignment in the Scripting Governance Dashboard does not reflect the actual property value. The toggle appears inactive regardless of whether glide.security.scripting_role.auto_provisioning is set to true or false. This was due to a defect in the Scripting Governance tool UI but is fixed in the Australia release.

To work around this issue, run the following script in background scripts to set the auto-provisioning value:

    SNC.ScriptingGovernanceUtils.forceAutoProvisioningPropertyUpdate(true);

Note: Pass false instead of true to disable auto-provisioning, or true to enable it.

How do I re-enable auto-provisioning after disabling it?

If you disabled the auto-provisioning property and need to re-enable it, run the following script in background scripts:

    SNC.ScriptingGovernanceUtils.forceAutoProvisioningPropertyUpdate(true);

This programmatically recreates or updates the property to enable auto-provisioning.

General guidelines for managing scripting permissions

- Disable the auto-assign property and carefully review which users genuinely require scripting capabilities.
- Remove users who do not need scripting access from the Conditional Script Writer group to maintain a more secure environment.
- Periodically audit group membership to verify only appropriate users have scripting permissions.

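The provisioning rules and the periodic group audit described above, modelled in plain JavaScript as an added example (not ServiceNow's code or a platform API). The user records, the allow-list, and the use of snc_internal to mark an internal user are assumptions constructed for illustration.

```javascript
// Added example: pure-JavaScript model over constructed data, not platform code.
const SCRIPT_ROLE = 'snc_required_script_writer_permission';

// Provisioning rule from the article. Assumptions: an internal user is one
// holding snc_internal, and the governance role itself is not counted.
function qualifiesForGroup(user, explicitRolePluginEnabled) {
  const roles = user.roles.filter((r) => r !== SCRIPT_ROLE);
  if (!explicitRolePluginEnabled) return roles.length >= 1;
  if (!roles.includes('snc_internal')) return false; // external user
  return roles.some((r) => r !== 'snc_internal');
}

// Compare current group members with a reviewed allow-list (hypothetical input).
function auditGroup(users, memberNames, approvedNames, explicitRolePluginEnabled) {
  const members = new Set(memberNames);
  const approved = new Set(approvedNames);
  const report = { unapprovedMembers: [], ineligibleMembers: [], autoProvisionCandidates: [] };
  for (const user of users) {
    const qualifies = qualifiesForGroup(user, explicitRolePluginEnabled);
    if (members.has(user.name)) {
      // Member nobody signed off on: candidate for removal from the group.
      if (!approved.has(user.name)) report.unapprovedMembers.push(user.name);
      // Member the automatic rules would never have added: added by hand.
      if (!qualifies) report.ineligibleMembers.push(user.name);
    } else if (qualifies) {
      // Would be added by the ongoing job while auto-provisioning is true.
      report.autoProvisionCandidates.push(user.name);
    }
  }
  return report;
}

// Constructed sample data (not from a real instance).
const sampleUsers = [
  { name: 'dev.alice', roles: ['snc_internal', 'admin', SCRIPT_ROLE] },
  { name: 'agent.bob', roles: ['snc_internal', 'itil', SCRIPT_ROLE] },
  { name: 'portal.carol', roles: ['snc_external', SCRIPT_ROLE] },
  { name: 'new.dave', roles: ['snc_internal', 'itil'] },
  { name: 'basic.erin', roles: ['snc_internal'] },
];
const sampleMembers = ['dev.alice', 'agent.bob', 'portal.carol'];
const sampleApproved = ['dev.alice'];

console.log(auditGroup(sampleUsers, sampleMembers, sampleApproved, true));
```

The autoProvisionCandidates list shows who the ongoing job would still add while glide.security.scripting_role.auto_provisioning remains true.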
Related Links

- Script Governance tool documentation
- New users are not automatically added to the Conditional Script Writer group