Brittany Navin


This is a guest post from one of ServiceNow’s internal software engineers, Brittany Navin. Brittany is currently working on App Engine Studio. In the past, Brittany has worked on Guided Application Creator, Studio, and Mobile Studio.

GlideRecord vs GlideRecordSecure

There’s a deep, dark secret lurking within the ServiceNow scripting library: GlideRecordSecure. GlideRecordSecure is like a not-so-evil twin to GlideRecord but with added functionality. One of the most common questions that I receive from my colleagues and ServiceNow Developers alike is “What’s the difference between GlideRecord and GlideRecordSecure?” In this blog post I’m going to take you on an exploratory journey to understand the differences between the GlideRecord and GlideRecordSecure APIs, how to use them, and when to use each to query data from your ServiceNow instance.

Preface

Before jumping into this post, it’s important to understand application and table/data access controls. There’s a great course about Securing Applications that will teach you all about this concept. Once you understand (or if you already know about) access controls within ServiceNow, read on!

GlideRecord

First, let’s go into a little background about GlideRecord. If you’re familiar with GlideRecord, you can skip this section. If you’re new to ServiceNow development, read on!

GlideRecord is a class used to interact with your ServiceNow instance’s database from inside of a script. This GlideRecord class provides many helpful API methods to retrieve, update, create or delete records stored in your ServiceNow instance. If you’ve ever:

… then you’ve probably created/modified/viewed a script that utilizes the GlideRecord API.

On the “server side” (like in a Business Rule), the GlideRecord API can only be run from scripts within global or scoped applications. On the “client side” (like in a Client Script), the GlideRecord API can only be run from scripts within global applications. Going off of that, there is one important caveat worth mentioning: you can utilize GlideRecord in a “client-side” script (ServiceNow won’t restrict you from doing that), but it generates a slow Ajax request in the browser. This request can take a long time and transfer a lot of data unnecessarily, so use it wisely and sparingly.

If you have no idea what global or scoped applications are, no sweat - there’s docs for that!

If you want to ensure a user has proper access to the data you’re querying with GlideRecord, you must manually perform all access checks in your scripts (using the canRead(), canWrite(), canDelete() and canCreate() functions).

GlideRecordSecure

If you’ve ever navigated to the GlideRecord API docs you’ve probably missed the one single sentence about GlideRecordSecure at the very top of the page: For information on a class that performs the same functions as GlideRecord and enforces ACLs, see Using GlideRecordSecure.

That’s just it! GlideRecordSecure is a close sibling of GlideRecord, except that GlideRecordSecure will automatically enforce ACLs, whereas GlideRecord requires additional method calls to validate access. If you need to ensure that a user has read/write/delete access to data in a script, GlideRecordSecure should be your go-to!

To drive home the difference between the two ways of querying data using GlideRecord and GlideRecordSecure, check out the following examples. In both cases, I’m checking that the user has access to read a record in my “Cat Data” table before adding it to an array and returning the array in the function. If there is an access control present that prevents the user from reading specific cat data records, it’s possible that the user won’t get back any cat data (or they will get back a restricted amount of data).

GlideRecord Query with Access Check

var catSysIds = getCatSysIds();

function getCatSysIds() {
    var cats = [];

    var catData = new GlideRecord("x_abc_britt_app.cat_data");
    catData.query();

    while (catData.next()) {
        if (!catData.canRead()) {
            continue;
        }
        cats.push(catData.getUniqueValue());
    }

    return cats;
}

GlideRecordSecure Query (Access Check Built In)

var catSysIds = getCatSysIds();

function getCatSysIds() {
    var cats = [];

    var catData = new GlideRecordSecure("x_abc_britt_app.cat_data");
    catData.query();

    while (catData.next()) {
        cats.push(catData.getUniqueValue());
    }

    return cats;
}

Using GlideRecordSecure to query data with built in access checks is as simple as that! With this class and associated API, you can have confidence that your data is, well, secure!

When utilizing this class and associated API within scripts, the same rules as GlideRecord apply. On the “server side” (like in a Business Rule), the GlideRecordSecure API can only be run from scripts within global or scoped applications. On the “client side” (like in a Client Script), the GlideRecord API can only be run from scripts within global applications.

For more information and examples, please see Using GlideRecordSecure.
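
Because GlideRecord leaves every access check to the script author, a missing canRead() is easy to overlook in review. The following is an added example, not code from the original post or from ServiceNow: a small text-matching check, run offline in Node.js, that flags GlideRecord variables with no canRead(), canWrite(), canCreate() or canDelete() call. The function name findUncheckedGlideRecords and the sample scripts are assumptions constructed for illustration.

```javascript
// Added example: a review aid run offline in Node.js, not on the instance.
// Heuristic only: it matches text and does not trace control flow, so an
// ACL call anywhere in the script clears the variable.
const ACL_METHODS = ['canRead', 'canWrite', 'canCreate', 'canDelete'];

function findUncheckedGlideRecords(source) {
  const findings = [];
  // Matches `name = new GlideRecord("table"`. GlideRecordSecure does not
  // match because "(" must follow "GlideRecord" directly.
  const decl = /([A-Za-z_]\w*)\s*=\s*new\s+GlideRecord\s*\(\s*(["'])(.*?)\2/g;
  let m;
  while ((m = decl.exec(source)) !== null) {
    const [, variable, , table] = m;
    // 1-based line number of the declaration
    const line = source.slice(0, m.index).split('\n').length;
    const aclCall = new RegExp(
      '\\b' + variable + '\\s*\\.\\s*(' + ACL_METHODS.join('|') + ')\\s*\\(');
    if (!aclCall.test(source)) findings.push({ variable, table, line });
  }
  return findings;
}

// Constructed sample: the post's query with the canRead() check left out.
const UNCHECKED = [
  'function getCatSysIds() {',
  '    var cats = [];',
  '    var catData = new GlideRecord("x_abc_britt_app.cat_data");',
  '    catData.query();',
  '    while (catData.next()) {',
  '        cats.push(catData.getUniqueValue());',
  '    }',
  '    return cats;',
  '}'
].join('\n');
// Constructed variants: one with a manual check, one using GlideRecordSecure.
const CHECKED = UNCHECKED.replace('cats.push(', 'if (catData.canRead()) cats.push(');
const SECURE = UNCHECKED.replace('new GlideRecord(', 'new GlideRecordSecure(');

for (const [name, src] of Object.entries({ UNCHECKED, CHECKED, SECURE })) {
  console.log(name, JSON.stringify(findUncheckedGlideRecords(src)));
}
```

A clean result only means an ACL method is called somewhere on that variable; confirming that the call actually guards each read or write still needs a human reviewer.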

TL;DR

To summarize, if you need to enforce ACLs when querying data in your ServiceNow scripts, use the GlideRecordSecure API. If you choose to (only if you must) execute a query in a script without regard to ACLs, use GlideRecord. If neither case applies or you are unsure, stick with using GlideRecordSecure.

I look forward to another post soon (hopefully next time about App Engine Studio’s Templates)!!

