ServiceNow CSA - ServiceNow Certified System Administrator

In ServiceNow,Access Control Rules (ACLs)determine who cancreate, read, write, delete, or executerecords within a table. Each ACL rule evaluates three main permission requirements,all of which must be truefor the rule to apply. These requirements are:

TheConditions fieldin an ACL specifies predefined logic that must be met for the rule to apply.

Example: An ACL might specify that a record is only accessible if theStatefield is set to "Open".

Conditions areevaluated firstbefore checking roles or scripts.

ACLs can berestricted to users with specific roles.

If a user does not have the required role(s), the ACL denies access.

Example: Only users with the"itil"role can edit incidents.

If the ACL does not specify any role, all users may be eligible based on conditions and script evaluations.

ACL scripts provideadvanced conditional logicusingserver-side JavaScript.

Scripts allow complex rule evaluation, such as checking whether a user is the record’s creator.

Example: A script could restrict access to records wherecurrent.requested_for == gs.getUserID()(only allow users to see their own requests).

If a script is present in an ACL, it must returntruefor access to be granted.

Access control rules are only granted when all three evaluations return true.

Conditions act asfilters.

Roles definepermissions based on user roles.

Scripts allowadvanced access logic.

1. Conditions (A - Correct Answer)2. Roles (C - Correct Answer)3. Script (D - Correct Answer)Why "A. Conditions," "C. Roles," and "D. Script" are the Correct Answers?

B. Table – Incorrect

Access control appliesto specific tables, but defining a table itself is not one of the permission checks.

E. Table." – Incorrect

This is anincorrectly formatted optionand does not relate to access control evaluation.

F. Table.none – Incorrect

"Table.none" is not an evaluation factor in ACLs. Access control applies totable-level, field-level, and record-level, but "table.none" is not an access requirement.

Explanation of Incorrect Options:

ServiceNow Docs: Access Control Rules (ACLs) Overview

ServiceNow CSA Study Guide – Security and Access Control

ServiceNow Product Documentation: Evaluating ACLs and Permissions

References from Certified System Administrator (CSA) Documentation:

In ServiceNow,Data Policiesare rules thatenforce data consistencyby ensuring that specific fields meet certain conditionsbefore being saved to the database. They apply toall data operations, including form submissions, web services, and data imports.

Work at the server-side level, ensuring data integrity before it is stored.

Canmake fields mandatoryorread-onlyacross different interfaces (e.g., forms, API calls, imports).

UnlikeUI Policies, which apply only toforms, Data Policies apply to alldata transactions, including integrations and imports.

Help maintaindata quality and consistencyacross the system.

Making a Field Mandatory:

Ensure that the"Short Description"field is always filled before saving anIncident.

Enforcing a Read-Only Field:

Prevent users from modifying the"Created Date"field.

Standardizing Data on Import:

When importing employee data, ensure that the"Department"field is always set and not left blank.

Data Policies ensuredata accuracy and integritybefore it is stored.

They apply toforms, web services, import sets, and background processes.

They help organizationsmaintain standardized and structured data.

A. Data Policies enforce security – Incorrect

Security is enforced usingAccess Control Lists (ACLs), not Data Policies.

B. Data Policies standardize data in Update Sets – Incorrect

Update Sets trackconfiguration changes, not data validation.

D. Data Policies apply to lists to standard data – Incorrect

Data Policies do not specifically target lists; they enforce rules at thedatabase level.

ServiceNow Docs: Data Policies Overview

ServiceNow CSA Study Guide – Data Policies vs. UI Policies

ServiceNow Product Documentation: Enforcing Data Consistency with Data Policies

Key Features of Data Policies:Example Use Cases of Data Policies:Why "C. Data Policies enforce data consistency" is the Correct Answer?Explanation of Incorrect Options:References from Certified System Administrator (CSA) Documentation:

In ServiceNow,UI PoliciesandData Policiesserve different but complementary purposes in controlling data behavior and enforcing business rules.

UI Policies are client-side rules that dynamically change form behavior based on user interactions.

They enable administrators to show/hide fields, make fields read-only, or set fields as mandatory dynamically.

UI Policies only apply when a user is interacting with a form through the ServiceNow UI (Client-side execution).

These policies do not enforce rules if data is added via an Import Set, API, or background script.

Data Policies enforce rulesserver-side, meaning they applyregardless of how data is entered(e.g., form submission, Import Sets, SOAP/REST API calls, or Business Rules).

They ensure data integrity by making fields mandatory, setting read-only properties, or applying other restrictions.

Data Policies can apply conditions globally, unlike UI Policies, which work only in the UI context.

UI Policies:Data Policies:Key Differences:Feature

UI Policy

Data Policy

Scope

Affects only forms (Client-side)

Affects all data entry points (Server-side)

Execution Location

Runs in the browser

Runs on the server

Triggers

User interaction on the form

Any data entry method (Forms, Import Sets, API, etc.)

Enforcement

Works only when using the UI

Applies even when data is added outside the UI

"Data Policies run regardless of how data is entered into ServiceNow"→Correct, because Data Policies enforce rules whether the data is entered via UI, API, Import Sets, or other means.

"UI Policies are used for form interactions"→Correct, because UI Policies apply only to client-side form behavior.

Option A: Incorrect. UI Policies are not set by web services; they are applied when interacting with forms.

Option B: Incorrect. While some Data Policies can be converted into UI Policies, the reverse is not true in all cases.

Option D: Incorrect. UI Policies and Data Policies operate independently, and Data Policies do not depend on UI Policies running first.

Why Option C is Correct:Why Other Options are Incorrect:

InServiceNow Flow Designer, users can accessdetailed informationabout actions added to a flow via theHelp Panel. The Help Panel providescontextual guidanceand documentation about the available actions, conditions, and steps within the flow.

Displays Information About Actions:

When an action is selected in Flow Designer, theHelp Panelprovidesdescriptions and usage details.

Helps users understandwhat the action doesand how to configure it.

Accessing the Help Panel:

Inside Flow Designer, users can click theHelp icon ( ? )or expand the Help Panel from the side.

This providesinline documentationfor added actions.

Guidance for New Users:

The panel providesServiceNow documentation links and tipsto help users build flows effectively.

Key Features of the Help Panel:Why Option C (Help Panel) is Correct?TheHelp Panelprovides built-in documentation and details about actions added to the flow.

Why Other Options Are Incorrect?A. Virtual Agent Help→ Incorrect

Virtual Agent Help is related tochatbot and conversational assistance, not Flow Designer.

B. Local Action Help→ Incorrect

No such feature exists in ServiceNow; action details are found in theHelp Panel.

D. Flow Assistant→ Incorrect

Flow Assistanthelps withbuilding expressions and selecting data pillsbut does not provide action documentation.

ServiceNow Docs – Flow Designer Help Panelhttps://docs.servicenow.com

ServiceNow Learning – Flow Designer and Automation Best Practices

ServiceNow Developer Portal – Flow Designer Action Configuration

References from Certified System Administrator (CSA) Documentation:

When testing acatalog itemwith amanager approval flow, it's important to verify that the request submission, approval process, and workflow execution are working as expected. Following best practices ensures that the process functions correctly before deployment.

Why These Options Are Correct?A. Make sure the latest flows are activated.

ServiceNowflow designerallows admins to create and manageapproval flowsfor catalog items.

Before testing, it's crucial to verify that the latest version of the flow isactivated, ensuring that the system runs the correct approval logic.

C. Impersonate the requester to ensure the form works.

Impersonationallows administrators totest the user experiencewithout logging in as different users manually.

This is essential to verify thatnon-admin userscan correctlysubmit the requestand trigger the approval process.

D. Make sure the requester's user record has a manager specified.

Themanager approval flowrelies on the requester'sManagerfield in their user record.

If this field is empty, the approval requestwill not be sent to the correct manager, causing the workflow to fail.

Why the Other Options Are Incorrect?B. Use the instance Incognito setting to quickly toggle between requester and approver.

There isno "Incognito setting"in ServiceNow to toggle users.

Thecorrect methodis using theimpersonatefeature.

E. Create and select your Testing Update Set, before starting the test cases.

WhileUpdate Setstrack customizations, they arenot required for testinga catalog item’s approval workflow.

Update Sets are primarily used formigrating changesbetween instances (e.g., from Dev to Test).

F. Use your Admin account, so you can approve the items quickly.

Admin accountsoverride approval workflowsand do not provide an accurate test.

The correct method is toimpersonate the requester and approver roles separatelyto ensure the workflow works as expected.

ServiceNow Flow Designer - Approval Workflow Testing Best Practices

ServiceNow Impersonation Feature for User Testing

ServiceNow ITSM - Catalog Item Testing & Validation

References to Official Certified System Administrator (CSA) Documentation:

InServiceNow, aRecordrepresents all thedata saved within a particular form. Each record corresponds to a single entry in atableand contains multiplefieldsstoring different pieces of information.

ARecordis asingle instanceof data stored in a ServiceNowtable.

When a user fills out and submits aform, arecord is createdor updated in the respective table.

Each record has a uniqueSys ID(a 32-character identifier).

Example:

AnIncidentrecord contains fields such asNumber,Caller,Short Description, andPriority.

AChange Requestrecord contains fields likeChange Number,Requested By, andAssignment Group.

A. Fields

Fieldsare individualdata pointswithin a record.

Example: TheCallerandPriorityfields in anIncidentrecord.

B. Form

AFormis auser interfaceto enter and display data, but it does not store data itself.

It is just a way tointeract with records.

D. Lists

AListdisplaysmultiple recordsfrom a table, but each row in a list represents asingle record.

Lists are used for filtering, sorting, and searching records but do not represent a single data entry.

Key Concepts:Why Other Options Are Incorrect?

ServiceNow Data Model - Records and Tables

Understanding Records and Forms

Forms vs. Records vs. Fields

ServiceNow Forms and Records

References from ServiceNow CSA Documentation:Final Verification:Answer is 100% correct and aligned with official ServiceNow Certified System Administrator (CSA) documentation.

In ServiceNow, every table has a uniqueplatform name(also known as thedatabase nameorsys_id). The table that stores user records in ServiceNow is called"sys_user".

Table Name:sys_user

Purpose:Stores user records, including their roles, group memberships, and personal details.

Location in ServiceNow:You can access this table by navigating to:All → Users and Groups → Users

Key Fields in sys_user Table:

User ID (user_name)– Unique identifier for the user.

Name (name)– Full name of the user.

Email (email)– Email address of the user.

Roles (roles)– Defines user permissions in the system.

Active (active)– Indicates if the user is active in the system.

A. u_users– Incorrect. The prefixu_is typically used forcustom tablescreated by administrators. This is not a default system table.

B. sys_users– Incorrect. The correct name issys_user(singular), notsys_users. ServiceNow follows a singular naming convention for system tables.

C. x_users– Incorrect. The prefixx_is reserved forScoped Applicationscreated within an instance. The User table is a core system table, not a scoped one.

ServiceNow Product Documentation → User Administration → sys_user Table

ServiceNow Tables Reference → sys_user

ServiceNow CSA Study Guide → User and Data Administration

Understanding the sys_user Table:Explanation of Incorrect Answers:References from Certified System Administrator (CSA) Documentation:

InServiceNow Service Catalog, anOrder Guideis a feature that allows users toorder multiple, related catalog items in a single request, simplifying the ordering process.

Helps usersrequest multiple items togetherinstead of submitting separate requests.

Ensures that related items are grouped logically (e.g., when onboarding a new employee, an Order Guide can include a laptop, software licenses, and access to required applications).

Usesvariables and rulesto pre-fill certain values and guide users through the ordering process.

Reduces the number of individual requests and makes fulfillment more efficient.

Purpose of an Order Guide:

(A) Order Guides restrict the number of items in an order to only one item per request – Incorrect

This isnot truebecause Order Guides allow users to requestmultiple itemsat once.

Asingle request (REQ#) is generatedthat contains multiple Requested Items (RITMs).

(B) Order Guides provide a list of guidelines for Administrators on how to set up item variables – Incorrect

Order Guides are forusers, not just administrators.

Theydo not provide setup guidelines; instead, they simplify ordering for end-users.

(C) Order Guides provide the ability to order multiple, related items as one request – Correct

This is theprimary functionof an Order Guide.

Instead of placing separate orders for different catalog items, a user can add allrelateditems to asingle request.

Example:Employee Onboarding Order Guide

Laptop

Email account

VPN access

Software (e.g., Microsoft Office, Adobe Suite)

(D) Order Guides take the user directly to the checkout without prompting for information – Incorrect

Order Guidescan include user prompts(variables, conditions) before checkout.

Users may be asked for specific detailsbeforesubmitting the request (e.g., laptop specifications, software preferences).

Explanation of Each Option:

Use dynamic variables: Order Guides can ask questions that determine which items should be included in the request.

Improve user experience: Order Guides streamline ordering, ensuring users request all necessary items without forgetting anything.

Enhance fulfillment efficiency: Since multiple items are grouped in one request, IT and fulfillment teams can process them together, reducing delays.

Example Use Cases:

New Hire Onboarding(laptop, software, security badge, phone)

Office Setup Request(desk, chair, monitor, accessories)

Additional Notes & Best Practices:

ServiceNow Docs: Order Guides Overview

https://docs.servicenow.com

ServiceNow Community: How to Configure an Order Guide

https://community.servicenow.com

References from Certified System Administrator (CSA) Documentation:

In ServiceNow,Table Access Control (ACL) rulesdefine the permissions for accessing records within a table. When a user attempts to access a record, ServiceNow processesACL rules in a specific orderto determine if the user has the necessary permissions.

Specific Table Name ACLs

ServiceNowfirst checks ACL rulesthat are defined for the exact table being accessed.

If there are multiple ACL rules for the same table, ServiceNow evaluates themfrom most specific to least specific(i.e., field-level ACLs before table-level ACLs).

Parent Table Name ACLs(If applicable)

If the table inherits from another table (e.g.,Incident inherits from Task), ServiceNownext checks ACL ruleson theparent table.

This ensures that inherited rules are properly applied.

Wildcard ACLs (*)(Any table)

If no explicit ACL rule is found for the table or its parent, ServiceNow checkswildcard ACL rules (*), which apply toall tables.

Wildcard ACLs act as alast resortwhen no table-specific rules exist.

Order of Processing ACL Rules:

(A) any table name (wildcard), parent table name, table name – Incorrect

Wildcard rules (*) areprocessed last, not first.

(B) table name, parent table name, any table name (wildcard) – Correct

This follows the correctprocessing order:

First:ACLs for the specific table

Second:ACLs for the parent table (if applicable)

Third:Wildcard ACLs (*)

(C) parent table name, table name, any table name (wildcard) – Incorrect

Parent table ACLs arechecked aftertable-specific ACLs, not before.

(D) any table name (wildcard), table name, parent table name – Incorrect

Wildcard ACLs (*) arealways processed last, so this order is incorrect.

Explanation of Each Option:

Field-level ACLs(column-specific) take precedence overtable-level ACLs.

If multiple ACL rules apply,all must evaluate totruefor access to be granted.

Explicit Deny:If an ACL rule explicitlydenies access, the user is denied, even if another ACL grants access.

Always Test ACLs:Use the "Security Debugging" feature (/sys_security_acl_list.do) to verify how ACLs are applied.

Additional Notes & Best Practices:

ServiceNow Docs: How Access Control Rules Work

https://docs.servicenow.com

ServiceNow Community: Understanding ACL Processing Order

https://community.servicenow.com

References from Certified System Administrator (CSA) Documentation:

InServiceNow Flow Designer, aTriggeris used toinitiateaflow. Triggers define the conditions under which a flow starts and can be based on various system events, schedules, or user actions.

(A) A Trigger – Correct

Triggers are the starting point of a flowin Flow Designer.

A flow will not execute unless a trigger condition is met.

Types of triggers include:

Record-based triggers(e.g., when a record is created, updated, or deleted)

Scheduled triggers(e.g., run at a specific time or interval)

Application-specific triggers(e.g., Service Catalog request submission)

(B) Core Action – Incorrect

Core Actionsare predefined actions that execute tasks within a flow, such as:

Sending notifications

Updating records

Calling APIs

They aresteps within a flow,notwhat initiates it.

(C) A Spoke – Incorrect

A spokein Flow Designer is a collection of actions and subflows related to a specific application or integration (e.g., ServiceNow ITSM Spoke).

Spokescontain actionsbut donotinitiate flows.

(D) An Event – Incorrect

Eventsin ServiceNow trigger Business Rules, Notifications, and Script Actions, but they arenot directly used to initiate flowsin Flow Designer.

However, aflow can be triggered based on an event, but the event itself is not the trigger—the flow’s trigger is configured to listen for the event.

Explanation of Each Option:

Triggers should be well-definedto prevent unnecessary flow executions that might impact performance.

Use Scheduled Triggersfor time-based workflows (e.g., daily reports).

Record Triggersare commonly used for automation within ITSM processes.

Debugging Triggers: Use theFlow Execution Detailspage to troubleshoot trigger execution.

Additional Notes & Best Practices:

ServiceNow Docs: Flow Designer Triggers

https://docs.servicenow.com

ServiceNow Community: Best Practices for Flow Designer Triggers

https://community.servicenow.com

References from Certified System Administrator (CSA) Documentation: