Encryption support

Use encryption contexts to allow or deny access to sensitive data based on user role. Encryption and decryption occur on the server, not in the user interface. Users with access to the encryption context can see data encrypted with that particular encryption context. The encryption process requires an administrator to grant an encryption context to users by granting the user an associated role.

Note: Impersonation does not change the encryption contexts available to a user. Even while impersonating, you have only the encryption contexts available to you originally.

After encryption:

- Encrypted text fields and attachments are no longer accessible by database tools and cannot be indexed.
- Encrypted text fields cannot be added to a filter.
- Encrypted text fields cannot be used to sort lists.

You can encrypt all String fields, including fields provided by default in the system and new fields that you create in the dictionary.

Access to encrypted data

A user's encryption context determines access to encrypted data. Security_admin users can grant an encryption context to a user by granting the user an associated role. To monitor the assignment of roles, the customer or ServiceNow professional services can set up security measures. For example, an email can be sent to an appointed encryption manager whenever a role associated with an encryption context is granted to a user.

Note: Impersonation does not change the encryption context available to a user. Even while impersonating, you have only the encryption contexts available to you originally.

Access level: User with no encryption contexts
Data visibility: The form hides the encrypted field.

Access level: User with one encryption context
Data visibility: The user automatically uses their encryption context with encrypted text fields.

If there is no data in the field:
- The form displays the encrypted field (assuming UI policy does not prevent it).
- Users with any encryption context can see empty encrypted fields.
- Entering data in the field causes the encrypted fields to use the currently selected encryption context to encrypt the data.

If there is data in the field:
- If the user has access to the matching encryption context, the form displays the encrypted field.

Access level: User with two or more encryption contexts
Data visibility: The user can select an encryption context from the selector in the welcome bar.

If there is no data in the field:
- The form displays the encrypted field (assuming UI policy does not prevent it).
- Users with any encryption context can see empty encrypted fields.
- Entering data in the field causes the encrypted fields to use the currently selected encryption context to encrypt the data.

If there is data in the field:
- If the user has access to the matching encryption context, the form displays the encrypted field.
- The encrypted field always uses the original encryption context to encrypt changes to the field. This prevents users with multiple encryption contexts from changing the encryption context of a field.

Note: A lock icon appears next to the field label to indicate an encrypted field. If a user has access to the encryption context, pointing to the icon displays the name of the context used to encrypt the field.

Exporting data from encrypted text fields

When exporting encrypted text fields in a list or form to a file format, only fields encrypted by an encryption context available to the current user will display in the exported document. By default, exporting encrypted data from a list view is disabled. To enable exports of encrypted data from a list view, add the glide.encryption.export_encrypted_data.allowed system property and set the value to true.

- Activate the Encryption Support plugin: You can activate the Encryption Support plugin (com.glide.encryption) if you have the admin role.
- Set up encryption contexts: Administrators can create an encryption context that uses an encryption key.
- Use attachment encryption: You can encrypt attachments that are already attached to records.
- Encrypt a password in system properties: The Encrypt SysProperty Password business rule automatically encrypts the value of any system property with the type password or password2.
- Encryption scripting examples: There are several example scripts for you to use with encryption.
- Demonstration plugin: The instance provides a demonstration plugin called Encryption Support - Single Context Task Encryption Demo (com.snc.task_encryption.demo).
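
The access-level rules, the impersonation note and the export rule described on this page, modelled as an added example. This is not ServiceNow code or API: the function names, object shapes and sample users are hypothetical, and a disabled list export is assumed to omit every encrypted field.

```javascript
// Added model of the access rules on this page. Not ServiceNow API: every
// function and object shape here is a hypothetical stand-in for illustration.
const EXPORT_PROP = 'glide.encryption.export_encrypted_data.allowed'; // from the page

// Impersonation never changes contexts: only the real user's contexts count.
function effectiveContexts(session) {
  return new Set(session.realUser.contexts);
}

// field: { value, context } where context is the one that encrypted the data.
// selected: context chosen in the selector (only matters with 2+ contexts).
function fieldAccess(session, field, selected) {
  const ctxs = effectiveContexts(session);
  if (ctxs.size === 0) return { visible: false, encryptWith: null };
  const active = ctxs.size === 1 ? [...ctxs][0] : selected;
  if (!ctxs.has(active)) throw new Error('selected context is not granted');
  // Empty field: visible with any context; new data uses the active context.
  if (!field.value) return { visible: true, encryptWith: active };
  // Existing data: needs the matching context, and edits keep that context.
  if (!ctxs.has(field.context)) return { visible: false, encryptWith: null };
  return { visible: true, encryptWith: field.context };
}

// Export keeps only encrypted fields whose context the user holds. Assumption:
// a disabled list export is modelled as omitting every encrypted field.
function exportRecord(session, record, props, fromList) {
  const ctxs = effectiveContexts(session);
  const allowed = !fromList || props[EXPORT_PROP] === 'true';
  const out = {};
  for (const [name, f] of Object.entries(record)) {
    if (typeof f === 'string') out[name] = f; // unencrypted field
    else if (allowed && ctxs.has(f.context)) out[name] = f.value;
  }
  return out;
}

// Constructed sample data.
const hr = { name: 'hr.user', contexts: ['hr_ctx'] };
const both = { name: 'sec.lead', contexts: ['hr_ctx', 'legal_ctx'] };
const admin = { name: 'admin', contexts: [] };
const salary = { value: '85000', context: 'hr_ctx' };
const record = { number: 'HR0001', salary, memo: { value: 'privileged', context: 'legal_ctx' } };

console.log(fieldAccess({ realUser: admin, impersonating: hr }, salary));
console.log(fieldAccess({ realUser: both }, salary, 'legal_ctx'));
console.log(exportRecord({ realUser: hr }, record, { [EXPORT_PROP]: 'true' }, true));
```

The first call shows an administrator without a context still seeing nothing while impersonating a user who has one; the second shows that selecting a different context does not re-encrypt existing data.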