Script Governance tool: Conditional Script Writer Group FAQs

Issue

Script governance and the 'Conditional Script Writer' group are newly introduced in Zurich, and users will be added automatically through a job during the Zurich upgrade. Please read below to understand what it is, what it does, how to stop auto provisioning, etc.
Release

Zurich onwards

Resolution

The script governance tool is introduced in Zurich and onward releases.
https://www.servicenow.com/docs/bundle/zurich-platform-security/page/administer/security/concept/scripting-governance.html?_ga=2.251061121.688091895.1760016226-843077663.1759998956

As part of this tool, a few ACLs are added to restrict access to scripting capabilities: "These ACLs on *.[script] are meant to improve platform security by denying access to scripting unless users have the role snc_required_script_writer_permission provided specifically."
There is a system property 'glide.security.scripting_role.auto_provisioning'. If this is set to true, users are automatically added to the Conditional Script Writer group / snc_required_script_writer_permission role. Generally this is set to true OOTB, but you can set it to false, which stops the role/group from being auto-assigned and prevents users from being added to the group; you can then grant the role manually as and when needed. Please note that once this is set to false, you cannot set it back to true.

In order to maintain current permissions, all existing and new users were automatically added to the Conditional Script Writer group, granting them scripting permissions equivalent to lower versions. This prevented users from raising tickets/issues saying they are not able to access or edit scripts, client scripts, UI policies, business rules, etc.

The basic rule followed to assign users to this group is:
If the explicit role plugin is enabled, an external user will not be part of the script writer group, and an internal user should have 1 more role along with the snc_internal role.
If the explicit role plugin is disabled, the user should have a minimum of 1 role to be added to the group.

It is recommended that the auto-assign function be disabled and that customers review which users actually require scripting access. Users who do not require scripting access should be removed from the group.

The Scripting Governance Tool gives you the opportunity to control who can edit any kind of script, on top of their existing access. So even admins who have access to everything cannot edit any scripts, such as UI policies, client scripts, business rules, background scripts, or script includes, going forward unless they are part of the Conditional Script Writer group or have the role snc_required_script_writer_permission.
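The assignment rule and the review recommendation above, modelled in plain JavaScript as an added example (not ServiceNow code and not from the original article). The sample users, the confirmed-writer list, and the use of snc_external and snc_internal to tell external from internal users are assumptions of this model.

```javascript
// Added example: a model of the auto-provisioning rule, runnable in Node.js.
// Assumption: under the explicit role plugin, external users hold
// snc_external and internal users hold snc_internal.

// Would the rule add a user with these roles to Conditional Script Writer?
function isAutoProvisioned(roles, explicitRolesEnabled) {
  const held = new Set(roles);
  if (!explicitRolesEnabled) return held.size >= 1; // any one role is enough
  if (held.has('snc_external')) return false;       // external users are excluded
  if (!held.has('snc_internal')) return false;      // model choice: not an internal user
  held.delete('snc_internal');
  return held.size >= 1;                            // needs 1 more role besides snc_internal
}

// Review helper: users the rule would add who are NOT on the list of users
// confirmed to need scripting access, i.e. candidates for removal.
function removalCandidates(users, confirmedWriters, explicitRolesEnabled) {
  const needed = new Set(confirmedWriters);
  return users
    .filter((u) => isAutoProvisioned(u.roles, explicitRolesEnabled))
    .filter((u) => !needed.has(u.name))
    .map((u) => u.name);
}

// Constructed sample data (user names and the vendor role are hypothetical).
const sampleUsers = [
  { name: 'admin.alice', roles: ['snc_internal', 'admin'] },
  { name: 'agent.bob', roles: ['snc_internal', 'itil'] },
  { name: 'portal.carol', roles: ['snc_internal'] },
  { name: 'vendor.dave', roles: ['snc_external', 'x_vendor_portal_user'] },
  { name: 'guest.erin', roles: [] },
];
const confirmedWriters = ['admin.alice']; // outcome of a manual review (constructed)

// Explicit role plugin enabled: only internal users with an extra role qualify.
console.log(removalCandidates(sampleUsers, confirmedWriters, true));
// Plugin disabled: the same rule reaches every user holding at least one role.
console.log(removalCandidates(sampleUsers, confirmedWriters, false));
```

With the plugin disabled the rule covers every user who holds any role at all, which is why the review of actual scripting need matters most on those instances.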
The Scripting Governance Tool does not count only the creation or modification of scripts such as Business Rules or Client Scripts; it accounts for any action where a user saves content in a field that has the potential to contain executable code. An example is executable code in the form of a script tag in HTML. The tool's purpose is to identify anyone who writes to a field that is secured by script-writing permissions, regardless of their intent. The scan can identify users who have modified records containing specific field types, like HTML fields, which can contain a script tag, so any modification to them can be considered a scripting action.

**Question:** Although the property glide.security.scripting_role.auto_provisioning is set to true or false in customer instances, the toggle for auto assignment in the Scripting Governance Dashboard is not active. Shouldn't the toggle for auto assignment be ON if the property is true? When this property is set to false, the auto toggle is also off. Why is this toggle present if you cannot do anything with it?

**Answer:** This is due to a defect in the Scripting Governance tool UI. Please check this defect: [PRB1902529-SGT: Auto-assignment feature is not working as expected.](https://support.servicenow.com/nav_to.do?uri=problem.do?sys_id=b31203bdc34e2250757171dc7a013143%26sysparm_view=text_search) The dev team has already looked into the issue and it is fixed in the Australia release. The workaround is to execute the below script in script background:

SNC.ScriptingGovernanceUtils.forceAutoProvisioningPropertyUpdate(true);

Note: Execute the above code in script background, and put true/false in the brackets to set the auto provisioning on/off.

There are two jobs present in sys_trigger related to the Conditional Script Writer group: 'Add Users To Conditional Script Writer Group' and 'Update Users in Conditional Script Writer'.
'Add Users To Conditional Script Writer Group' is the job that does the initial provisioning (addition) of existing users to the Conditional Script Writer group immediately after the upgrade to Zurich. This job will be disabled after it has run once.

The 'Update Users in Conditional Script Writer' job automatically adds users to the Conditional Script Writer group after initial provisioning if the 'glide.security.scripting_role.auto_provisioning' property is true.

The 'glide.security.scripting_role.auto_provisioning' property gets created dynamically after the initial provisioning of users to the Conditional Script Writer group is completed. Hence the property records have different sys_ids in different instances.

Once disabled, you can enable auto provisioning again by using the below script:

SNC.ScriptingGovernanceUtils.forceAutoProvisioningPropertyUpdate(true);

Note: This article will be updated with FAQs once available. Kindly always see the latest version of this article.

Related Links

Please see the below KB articles:
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2538150
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB24883