ServiceNow Rules List

Quality Clouds checks the following ServiceNow rules:

For logical groupings, see all rules related to a configuration element or impact area. 

• “Allow Javascript tags in Embedded HTML” property should be disabled
• “Check UI Action Conditions check before Execution” should be enabled
• ACLs should not be entirely empty or contain the “Public” role.
• ACLs using GlideRecord queries
• Actions should not be client callable
• AJAXGlideRecord ACL Checking should be enabled
• Angular Providers with hard-coded sys_ids
• Anti-CSRF Token setting should be enabled
• Auditing for Update Sets should be enabled
• Avoid Creating cross-table Business Rule recursive loops
• Avoid creating unnecessary tables in scoped applications which can impact your licensing cost
• Avoid Global UI Scripts
• Avoid Script Includes with duplicate names
• Avoid updating the source table on transform maps
• Avoid updating the source table on transform scripts
• Avoid workflows with too many activities
• Avoid workflows with too many timer activities
• Basic Auth SOAP Requests setting should be enabled
• Business rules defined on the Global table
• Business Rules using eval function
• Business Rules using GlideRecord and getRowCount
• Business Rules using the SOAP getResponse method
• Business rules with debugging statements
• Business rules with hard-coded sys_ids
• Business rules without function
• By configuration element
• By impact area
• Catalog Client Scripts should not use unsupported scripting APIs
• Catalog Client Scripts with empty script field
• Catalog Client Scripts with hard-coded sys_ids
• Catalog Client Scripts without function
• Catalog Client Scripts with the console.log debugging method
• Catalog items without description
• Catalog items without short description
• Catalog items with short description equal to name
• Catalog Policies with hard-coded sys_ids – scriptTrue
• Catalog UI Policies using GlideRecord – scriptFalse
• Catalog UI Policies using GlideRecord – scriptTrue
• Catalog UI Policies with hard-coded sys_ids – scriptFalse
• Catalog UI Policy Action without field effects
• Catalog with low usage of META tags
• Catalog with no usage of META tags
• Catalog with very low usage of META tags
• Child group does not contain all parent roles
• Client Generated Scripts Sandbox should be enabled
• Client Scripts defined on the Global table
• Client Scripts should not use unsupported scripting APIs
• Client Scripts with empty script field
• Client Scripts with hard-coded sys_ids
• Client Scripts without function
• Client Scripts with the console.log debugging method
• Contextual Security Plugin disabled
• Cookies – HTTP Only should be enabled
• Creating custom tables in the global scope should be avoided
• CSV Request Authorization should be enabled
• Debugging properties enabled in production environments
• Debug System Properties Enabled
• Dictionary entries present for a table that does not exist
• Document Object Model (DOM) manipulation in Catalog Client Scripts
• Document Object Model (DOM) manipulation in Catalog UI Policies – scriptFalse
• Document Object Model (DOM) manipulation in Catalog UI Policies – scriptTrue
• Document Object Model (DOM) manipulation in Client Scripts
• Document Object Model (DOM) manipulation in UI Actions
• Document Object Model (DOM) manipulation in UI Policies – scriptFalse
• Document Object Model (DOM) manipulation in UI Policies – scriptTrue
• Document Object Model (DOM) manipulation in UI Scripts
• Dot walking to sys_id
• Dot walking to sys_id – Catalog UI Policy scriptFalse
• Dot walking to sys_id – Catalog UI Policy scriptTrue
• Dot walking to sys_id – Portal Widget clientScript
• Dot walking to sys_id – UI Policy scriptFalse
• Dot walking to sys_id – UI Policy scriptTrue
• Empty role assigned to a user.
• Empty roles assigned to a group.
• Enable AJAXEvaluate should be disabled
• Escape HTML should be enabled
• Escape Jelly should be enabled
• Escape XML should be enabled
• Event Script Action using GlideRecord and getRowCount
• Event Script Action with hard-coded sys_ids
• Fields used to coalesce records in a Table Transform Map should be indexed
• Flows should not be client callable
• Flows should not run using the admin role
• Forms with duplicate fields
• Forms with too many sections
• GlideRecord and GlideRecordSecure should not be used in Catalog UI Policies. Script false
• GlideRecord and GlideRecordSecure should not be used in Catalog UI Policies. Script true
• GlideRecord and GlideRecordSecure should not be used in client side scripts
• GlideRecord and GlideRecordSecure should not be used in Service Portal Widget-Client Script
• GlideRecord and GlideRecordSecure should not be used in UI Policies. Script false
• GlideRecord and GlideRecordSecure should not be used in UI Policies. Script true
• GlideRecord API usage in Scripted REST API Resource
• GlideRecord usage on Catalog Client Scripts
• GlideRecord usage on Client Scripts
• GlideRecord usage on Portal Widget Client Scripts
• GlideRecord usage on UI Scripts
• Groups should not have an inactive manager
• Groups should not have inactive members
• HHRR system properties outside the “Human Resource Scoped” category
• High Security Settings plugin disabled
• HTML Sanitizer property should be enabled
• Inbound Email Actions using GlideRecord and getRowCount
• Inbound Email Actions with hard-coded sys_ids
• Integration accounts should not use the Admin role
• Java Package Collection mode and Collection mode override properties should be disabled
• JDBC Data Sources with “Use last run datetime” option unchecked
• Maximum number of actions per flow and subflow.
• Modified Out of the Box Element
• Modules pointing to big tables without filter
• Multiple choice catalog variables with too many options
• Notification Email Scripts with hard-coded sys_ids
• Old UI enabled or being used
• onBefore Business Rule should only update the target table
• onBefore Transform Scripts should only update the target table
• Portal pages should not be made public
• Portal widgets should not be made public
• Portal Widgets with hard-coded sys_ids
• Potential recursive Business Rules
• Potential Recursive Business Rules – current.update()
• Reports should not be made public
• REST API Resource modifying data without Authentication check
• REST API Resource modifying data without Authentication check – No Author
• Roles assigned to an invalid user.
• Roles without any user
• Scheduled imports should not run at the same time
• Scheduled Jobs run by deleted users
• Scheduled Jobs should not be run by inactive/locked out users
• Scheduled Jobs should specified a value for “Run as” field
• Scheduled Jobs without a dedicated integration user
• Scripted REST API Resource with hard-coded sys_ids
• Script Includes using GlideRecord and getRowCount
• Script Includes with hard-coded sys_ids
• Script Include with debugging statements
• Script Request Authorization should be enabled
• Scripts directly call to Java packages
• Scripts should not use gs.sql
• Server UI Actions using GlideRecord and getRowCount
• SLA logging level should be set to “notice”
• SOAP Request Strict Security should be enabled
• SSLv2/SSLv3 should be disabled
• Stage sets with duplicates entries
• Synchronous AJAX call in Catalog Client Scripts
• Synchronous AJAX call in Catalog UI Policies – scriptFalse
• Synchronous AJAX call in Catalog UI Policies – scriptTrue
• Synchronous AJAX call in Client Scripts
• Synchronous AJAX call in UI Actions
• Synchronous AJAX call in UI Policies – scriptFalse
• Synchronous AJAX call in UI Policies – scriptTrue
• Synchronous AJAX call in UI Scripts
• Synchronous Business Rules making SOAP or REST calls
• The “glide.email.read.active” System Property is set to “false”.
• The “glide.email.smtp.active” System Property is set to “false”.
• The “glide.image_provider.security_enabled” System Property is set to “false”.
• The “glide.login.autocomplete” System Property is set to true
• The “glide.uxf.js_server.consolidate” System Property is set to “false”.
• The “Log/trace level of TaskSLAController” System Property not set to “notice”
• The “Security Manager” System Property is set to “Allow Access”
• The assessment_take2 UI page should be public
• The Change Request table should not be extended
• The default system User Preference “Rows per Page” set above 100
• The demo_data_running_trigger business rule should be disabled
• The glide.businessrule.callstack System Property is set to true
• The glide.db.clone.allow_clone_target System Property is set to true
• The glide.xmlutil.max_entity_expansion system property value is not set to 3000.
• The Out of the Box admin account should not be inactive or locked out.
• The sn_hr_core.impersonateCheck System Property is false
• The SOAP Timeout value is over 5 minutes
• The System Property “Auto Complete Search” is set to “Contains”
• The System Property “Auto Complete Wait Time” exceeds 750 ms
• The System Property “Go To Search” is set to “Contains”
• The System Property “Items per page” includes options over 100
• The System Property “Update on Iterate” is enabled
• Too many delete actions on an Update Set
• Too many fields in a Form Section
• Transform Maps with “Run business rules” option enabled
• Transform maps with boolean fields in their import set table
• Transform maps with hard-coded sys_ids
• Transform scripts with hard-coded sys_ids
• UI Actions using GlideRecord
• UI Actions with hard-coded sys_ids
• UI Policies using GlideRecord – scriptFalse
• UI Policies using GlideRecord – scriptTrue
• UI Policies with hard-coded sys_ids – scriptFalse
• UI Policies with hard-coded sys_ids – scriptTrue
• UI Policy Action without field effects
• UI Scripts including Open Source libraries
• UI Scripts with empty script field
• UI Scripts with hard-coded sys_ids
• UI Scripts without function
• UI Scripts with the console.log debugging method
• Unlogged API call error condition
• Unused Inactivity Monitors
• Update Sets should contain a description
• Update Sets should not include images without review.
• Update Sets should not include Knowledge Base Articles without review.
• Usage of current.update() in Script Workflow Activities
• Usage of g_form.setValue on a reference field without displayValue
• Usage of g_form.setValue on a reference field without displayValue – Catalog UI Policy scriptFalse
• Usage of g_form.setValue on a reference field without displayValue – Catalog UI Policy scriptTrue
• Usage of g_form.setValue on a reference field without displayValue – Portal Widget clientScript
• Usage of g_form.setValue on a reference field without displayValue – UI Policy scriptFalse
• Usage of g_form.setValue on a reference field without displayValue – UI Policy scriptTrue
• Usage of getMessage() without preloading message key.
• Usage of getMessage function without a second parameter
• Usage of getMessage function without a second parameter – Catalog UI Policy scriptFalse
• Usage of getMessage function without a second parameter – Catalog UI Policy scriptTrue
• Usage of getMessage function without a second parameter – Portal Widget clientScript
• Usage of getMessage function without a second parameter – UI Policy scriptFalse
• Usage of getMessage function without a second parameter – UI Policy scriptTrue
• Usage of gs.cacheFlush() on Scripts
• Usage of gs.sleep() on Workflow Activities
• Usage of window objects instead of AngularJS services
• Workflows should not use stages that are not defined in a Stage Set
• Workflows with Notification Activities