30% of Exam~18 questions

Database Management & Platform Security

This is the LARGEST domain on the CSA exam (30%). It covers tables, fields, ACLs, data policies, UI policies, business rules, client scripts, and the critical evaluation order. Master this domain thoroughly.

Tables & Schema

Everything in ServiceNow is stored in tables. Understanding the table structure and dictionary is fundamental to administration.

Core Table Concepts

Tables are stored in the sys_db_object table.
Fields (columns) are defined in the Dictionary [sys_dictionary].
Every record has a sys_id — a unique 32-character GUID primary key.
Table inheritance — child tables extend parent tables and inherit all fields.
Application scope determines which application owns a table.

Common Field Types

Type	Description	Example
String	Free text (limited length)	Short description
Integer	Whole numbers	Priority, State
Reference	Foreign key to another table	Assigned to (→ sys_user)
Choice	Dropdown with predefined values	State, Category
True/False	Boolean checkbox	Active, VIP
Date/Time	Timestamp	Opened at, Resolved at
Journal	Append-only text fields	Work notes, Comments
Glide List	Comma-separated sys_ids	Watch list

📝Exam Tip

Reference fields store the sys_id of the target record. They display the display value but store the sys_id. Journal fields (Work Notes, Comments) are append-only — previous entries cannot be edited. Understanding field types is critical for scripting questions.

Access Control Lists (ACLs)

ACLs (Access Control Rules) are the primary security mechanism in ServiceNow. They control who can read, write, create, and delete records at the table, field, and row level.

ACL Evaluation Order

Field-level ACL on the specific table (most specific).
Field-level ACL on a parent table.
Table-level ACL on the specific table.
Table-level ACL on a parent table.
Global default (wildcard * ACL).

ACL Rule Structure

Operation — read, write, create, delete.
Name — table.field (e.g., incident.priority, incident.*, *).
Condition — Filter conditions the record must match.
Role — Roles required (can require one or more).
Script — Advanced conditions evaluated with JavaScript.
ALL matching ACLs must evaluate to true for access to be granted.

🔴Critical Concept

ACLs are RESTRICTIVE by default. ALL matching ACLs must pass — not just one. If three ACLs match a request, all three must evaluate to true. The admin role bypasses ALL ACL checks. This is heavily tested.

SCENARIO

A user with the 'itil' role cannot see the Priority field on incidents, but other itil users can. What should you check?

Answer

Check for a field-level ACL on incident.priority. There may be an ACL that requires a specific role or condition that this user doesn't meet. Also check if there's a UI Policy or Data Policy hiding/making the field read-only. Remember: ALL matching ACLs must pass, so even if one ACL grants access, another matching ACL could block it.

UI Policies

UI Policies dynamically change form behavior based on field values. They run CLIENT-SIDE and control field visibility, mandatory status, and read-only status.

UI Policy Capabilities

Make a field mandatory (required).
Make a field read-only (non-editable).
Show/hide a field on the form.
Set a field value when conditions are met.
Can be configured to reverse the action when conditions are no longer met.
Runs on form load and onChange events.

UI Policy Configuration

Table — Which table the policy applies to.
Conditions — When the policy activates (e.g., Priority = 1).
UI Policy Actions — What happens (set mandatory, read-only, visible, or value).
Reverse if false — Whether to undo the action when conditions no longer match.
Inherit — Whether child tables also get this policy.
Order — Execution order (lower numbers run first).

📝Exam Tip

UI Policies are CLIENT-SIDE only. They can be bypassed by server-side scripts, APIs, or import sets. If you need server-side enforcement, use Data Policies instead. UI Policies run AFTER Client Scripts (onChange).

Data Policies

Data Policies enforce data quality rules on the SERVER SIDE. Unlike UI Policies, they cannot be bypassed by APIs, import sets, or scripts.

Data Policy vs. UI Policy

Feature	UI Policy	Data Policy
Runs on	Client-side (browser)	Server-side
Enforced via API	No	Yes
Enforced via Import Sets	No	Yes
Can show/hide fields	Yes	No
Can set field values	Yes	No
Can make mandatory	Yes	Yes
Can make read-only	Yes	Yes
Bypass risk	High (client-side only)	Low (server-enforced)

🔴Key Concept

Use Data Policies when you MUST enforce rules regardless of how data enters the system (UI, API, import). Use UI Policies for user-facing form behavior. Many exam questions test when to use each.

Business Rules

Business Rules are server-side scripts that run when records are inserted, updated, deleted, or queried. They are one of the most powerful configuration tools and heavily tested on the exam.

Business Rule Types (When)

Business Rule Execution Timing

When	Timing	Can Modify Record?	Use Case
before	Before database operation	Yes (current object)	Validate/modify data before save
after	After database operation	No (already saved)	Trigger side effects, create related records
async	After, in background	No	Heavy processing, integrations, email
display	When form loads	No (read-only)	Calculate display values, add info messages

Key Business Rule Objects

current — The record being processed.
previous — The record's values BEFORE the update (only in update operations).
current.operation() — Returns 'insert', 'update', or 'delete'.
current.setAbortAction(true) — Cancels the database operation (before rules only).
gs.addInfoMessage() / gs.addErrorMessage() — Display messages to the user.

📝Exam Tip

Before Business Rules can modify 'current' and abort the operation. After Business Rules CANNOT modify the triggering record (it's already saved). Use 'current.setAbortAction(true)' only in before rules to prevent saves. The 'previous' object is only available on update operations, NOT insert.

SCENARIO

You need to automatically set the Priority of an incident to 1 - Critical whenever the Impact is set to High and the Caller is a VIP. When should this Business Rule run?

Answer

Use a 'before' Business Rule on the incident table. It should run on insert and update, with the condition: Impact = High AND Caller.vip = true. In the script, set current.priority = 1. A 'before' rule is needed because you want to modify the record BEFORE it is saved to the database.

Client Scripts

Client Scripts run in the user's browser (client-side) and control form behavior, field validation, and user interactions. They use the GlideForm (g_form) API.

Client Script Types

Type	When It Runs	Common Use
onLoad	When the form loads	Set defaults, show/hide sections, display messages
onChange	When a specific field value changes	Auto-populate fields, validate input, show alerts
onSubmit	When the form is submitted (before save)	Validate required data, confirm with user
onCellEdit	When a field is edited in list view	Validate inline list edits

Key Client-Side APIs

g_form — GlideForm API: getValue, setValue, setMandatory, setVisible, setReadOnly, addInfoMessage.
g_user — GlideUser API: userName, userID, hasRole, hasRoleExactly.
g_list — GlideList API: for list manipulation (rarely tested).
GlideAjax — Make asynchronous server calls from client scripts.

⚠️Warning

Client Scripts should NEVER use synchronous GlideRecord calls (gr.query() on the client). This blocks the browser and degrades performance. Use GlideAjax for server-side data queries from client scripts.

📝Exam Tip

onChange scripts receive: control (the field element), oldValue, newValue, and isLoading (true on form load). Check isLoading to avoid running logic on initial form load. Use g_form.getValue('field') for Reference fields — it returns the sys_id, not the display value. Use g_form.getDisplayValue('field') for the display value.

Evaluation Order (CRITICAL)

Understanding when each type of server-side and client-side logic runs is CRITICAL for the CSA exam. Many questions test whether you know the correct execution order.

Client-Side Execution Order (Form Load)

Client Scripts (onLoad) — Runs first when the form loads.
UI Policies — Evaluate after onLoad scripts. Set field visibility, mandatory, read-only.
Display Business Rules — Provide additional data/messages to the form.

Client-Side Execution Order (Field Change)

Client Scripts (onChange) — Fires when a field value changes.
UI Policies — Re-evaluate conditions based on the new field value.

Server-Side Execution Order (Record Save)

Client Scripts (onSubmit) — Validate and potentially cancel the save.
Before Business Rules — Server-side validation and data modification.
Database operation — Record is inserted/updated/deleted.
After Business Rules — Trigger side effects after the save.
Async Business Rules — Run in background after the transaction commits.

🔴Critical — Memorize This

The full save order: Client onSubmit → Before Business Rule → DB Operation → After Business Rule → Async Business Rule. UI Policies run AFTER Client Scripts on the client side. Data Policies are checked during the server-side operation. This evaluation order is one of the most frequently tested topics on the CSA exam.

When to Use What

Need	Use This	Why
Show/hide field on form	UI Policy	Client-side, no-code, reversible
Make field required everywhere	Data Policy	Server-enforced, cannot be bypassed
Auto-populate field on change	Client Script (onChange)	Immediate UI feedback
Validate before save	Business Rule (before)	Server-enforced validation
Create related record after save	Business Rule (after)	Record must exist first
Send notification after save	Business Rule (async) or Flow	Non-blocking, background processing
Complex multi-step automation	Flow Designer	No-code, built-in error handling

Platform Security Best Practices

Security is woven throughout the platform. Beyond ACLs and roles, there are several security features tested on the exam.

Security Features

High Security Settings — Plugin that enables additional security features (IP restrictions, password policies, session management).
Contextual Security — ACLs that evaluate based on the context of the request (who, what, where).
Encryption — Field-level encryption for sensitive data (SSN, credit card numbers).
IP Access Controls — Restrict access based on IP addresses/ranges.
Multi-Factor Authentication (MFA) — Additional authentication layer.
Security Incident Response — Track and manage security events.

Principle of Least Privilege

Always assign the minimum roles and access necessary. Avoid granting the admin role broadly. Create custom roles that contain only the specific permissions needed.

📝Exam Tip

The exam often presents scenarios where you must choose the most restrictive, least-privilege solution. Always pick the option that grants only the minimum access needed. Custom roles containing specific permissions are preferred over broad roles like admin.

Key Takeaways

ACLs evaluate from most specific to least specific. ALL matching ACLs must pass. The admin role bypasses all ACLs.
UI Policies are client-side only (form behavior). Data Policies are server-side enforced (data integrity).
Before Business Rules run before the DB operation and CAN modify the record. After rules CANNOT modify it.
Client Scripts: onLoad → onChange → onSubmit. UI Policies evaluate AFTER Client Scripts.
Full save order: onSubmit → Before BR → DB Operation → After BR → Async BR. MEMORIZE this.
Never use synchronous GlideRecord on the client. Use GlideAjax instead.
Reference fields store sys_id. Journal fields (Work Notes, Comments) are append-only.
The 'previous' object in Business Rules is only available on update operations, not insert.

Self-Service Migration

Community-created study aids. Not official ServiceNow exam content.