Free Practice Questions for ServiceNow CSA Exam

In ServiceNow,Access Control Rules (ACLs)determine who cancreate, read, write, delete, or executerecords within a table. Each ACL rule evaluates three main permission requirements,all of which must be truefor the rule to apply. These requirements are:

TheConditions fieldin an ACL specifies predefined logic that must be met for the rule to apply.

Example: An ACL might specify that a record is only accessible if theStatefield is set to "Open".

Conditions areevaluated firstbefore checking roles or scripts.

ACLs can berestricted to users with specific roles.

If a user does not have the required role(s), the ACL denies access.

Example: Only users with the"itil"role can edit incidents.

If the ACL does not specify any role, all users may be eligible based on conditions and script evaluations.

ACL scripts provideadvanced conditional logicusingserver-side JavaScript.

Scripts allow complex rule evaluation, such as checking whether a user is the record’s creator.

Example: A script could restrict access to records wherecurrent.requested_for == gs.getUserID()(only allow users to see their own requests).

If a script is present in an ACL, it must returntruefor access to be granted.

Access control rules are only granted when all three evaluations return true.

Conditions act asfilters.

Roles definepermissions based on user roles.

Scripts allowadvanced access logic.

1. Conditions (A - Correct Answer)2. Roles (C - Correct Answer)3. Script (D - Correct Answer)Why "A. Conditions," "C. Roles," and "D. Script" are the Correct Answers?

B. Table – Incorrect

Access control appliesto specific tables, but defining a table itself is not one of the permission checks.

E. Table." – Incorrect

This is anincorrectly formatted optionand does not relate to access control evaluation.

F. Table.none – Incorrect

"Table.none" is not an evaluation factor in ACLs. Access control applies totable-level, field-level, and record-level, but "table.none" is not an access requirement.

Explanation of Incorrect Options:

ServiceNow Docs: Access Control Rules (ACLs) Overview

ServiceNow CSA Study Guide – Security and Access Control

ServiceNow Product Documentation: Evaluating ACLs and Permissions

References from Certified System Administrator (CSA) Documentation:

To create anew email notificationin ServiceNow for users affected bynetwork outages, you must navigate to theNotifications moduleunderSystem Notification.

Navigate to:System Notification > Email > Notifications

ClickNewto create a new notification.

Configure the notification with the following:

Name:"Network Outage Notification"

Table:Select the relevant table (e.g.,Incident, Task)

When to Send:Define the trigger (e.g., when anIncident is created or updatedwith a Network Outage category).

Who Will Receive:Specifyaffected users.

Message Content:Create the email subject and body usingdynamic fields(such as affected user’s site).

Save and test the notification.

Notifications are managed in System Notification.

TheNotifications moduleallows you to configureemail triggers, recipients, conditions, and templatesfor system alerts.

B. Administration > Notification Overview:No such module in ServiceNow.

C. System Properties > Email > Settings:This configuresemail server settings, not individual notifications.

D. User Preferences > Email > Notifications:User preferences onlyenable or disablepersonal notifications, not create new ones.

E. Click Gear > Notifications > New:The gear icondoes not provide accessto email notifications.

Creating and Managing Email Notifications in ServiceNow:ServiceNow Docs

ServiceNow Notification Configuration Guide

Steps to Create a New Notification:Why is the Correct Answer "System Notification > Email > Notifications"?Why Not the Other Options?References from the Certified System Administrator (CSA) Official Documentation:By usingSystem Notification > Email > Notifications, administrators can create a targetedemail notificationto alert users ofnetwork outageseffectively.

If a user reports that theycannot see certain modulesin theApplication Navigator, the best way to troubleshoot is toimpersonate the user. Impersonation allows an administrator to see exactly what the user seeswithout needing their password.

Click on your profile icon (top-right corner).

SelectImpersonate User.

Search for and select theuser’s name.

The instance will reload, and you will see the UI as the user experiences it.

Navigate to theApplication Navigatorand check for missing modules.

Once done, clickStop Impersonation.

Ensures security(no need to reset or look up passwords).

Speeds up troubleshootingby allowing admins to replicate user issues.

Helps verify role-based access permissions.

Steps to Impersonate a User in ServiceNow:Why is Impersonation Useful?

Incorrect Answer Choices Explanation:A. Look up their password, so you can login with their account

This is asecurity violationand not an acceptable practice.

B. Initiate a Connect Chat session

Chatting with the user can help gather information, but it does not allow you to see what they see.

C. Install the Bomgar plug-in

Bomgaris a remote support tool, but impersonation is thebuilt-inand recommended method for troubleshooting in ServiceNow.

E. Launch a NowChat window

NowChat is used forcustomer support and collaboration, not for verifying module visibility.

Impersonate Users in ServiceNow

User Roles and Permissions

Official CSA Documentation Reference:

Update Setsin ServiceNow are used tocapture configuration changesso they can be moved between instances (e.g., from development to production). However,new records, new groups, and modified Configuration Items (CIs) are not included in Update Setsby default because they are considereddata, not configuration changes.

New Records→ Data records (e.g., Incidents, Users, Groups) are not part of an Update Set.

New Groups→ Groups are data elements (stored in thesys_user_grouptable) and arenot includedin Update Sets.

Modified Configuration Items (CIs)→ CIs belong to theConfiguration Management Database (CMDB), and changes to CIs are considereddata, not configuration changes.

UI Policies, Business Rules, Client Scripts, Workflows, Forms, and Tables

Changes to system configuration (not transactional data)

Breakdown of Each Element:What is Captured in an Update Set?

Why "B. They are not captured in an Update Set" is Correct:New records, groups, and modified CIs are considered data, and Update Sets do not track data by default.

A. They are included in an Update Set→Incorrect because Update Setsdo not track data recordslike CIs, groups, or user records.

C. They are customizations→Customizations refer toconfiguration changes, but records and CIs are considereddata, not customizations.

D. They do not have anything in common→All three (new records, groups, and CIs) aredataelements, meaning they share the characteristic ofnot being included in Update Sets.

Why Other Options Are Incorrect:

ServiceNow Documentation:Update Sets and What They Capture

CSA Exam Guide:Coverswhat is and is not included in Update Sets.

Reference from CSA Documentation:Thus, the correct answer is:

B. They are not captured in an Update Set

In ServiceNow,UI Actionsare used toadd buttons, links, and context menu itemson forms and lists to enhance user interaction.

UI Actions provide interactive elementssuch asbuttons, links, and context menu optionson forms and lists.

UI Actions allow execution ofserver-side and client-side scripts, includingGlideAjax and GlideRecordcalls.

They can be configured to execute underspecific conditions, such asuser roles, field values, or record states.

Examples of UI Actions include:

Submit, Update, and Deletebuttons on forms.

Custom action buttonssuch as "Escalate Incident" or "Resolve Task".

List context menu itemssuch as "Approve" or "Reject" for workflow items.

A. UI Policies:Used fordynamically showing, hiding, or making fields mandatory, butnot for adding buttons or links.

B. UI Settings:No such module in ServiceNow.

D. UI Config:Not a valid option; UI Actions, not "UI Config," control buttons and menus.

UI Actions Overview:ServiceNow Docs

Configuring UI Actions for Forms and Lists

Why is the Correct Answer "UI Actions"?Why Not the Other Options?References from the Certified System Administrator (CSA) Official Documentation:By usingUI Actions, developers canenhance the user experienceby providing interactivebuttons and menu optionsin ServiceNow.

In ServiceNow,UI PoliciesandData Policiesserve different but complementary purposes in controlling data behavior and enforcing business rules.

UI Policies are client-side rules that dynamically change form behavior based on user interactions.

They enable administrators to show/hide fields, make fields read-only, or set fields as mandatory dynamically.

UI Policies only apply when a user is interacting with a form through the ServiceNow UI (Client-side execution).

These policies do not enforce rules if data is added via an Import Set, API, or background script.

Data Policies enforce rulesserver-side, meaning they applyregardless of how data is entered(e.g., form submission, Import Sets, SOAP/REST API calls, or Business Rules).

They ensure data integrity by making fields mandatory, setting read-only properties, or applying other restrictions.

Data Policies can apply conditions globally, unlike UI Policies, which work only in the UI context.

UI Policies:Data Policies:Key Differences:Feature

UI Policy

Data Policy

Scope

Affects only forms (Client-side)

Affects all data entry points (Server-side)

Execution Location

Runs in the browser

Runs on the server

Triggers

User interaction on the form

Any data entry method (Forms, Import Sets, API, etc.)

Enforcement

Works only when using the UI

Applies even when data is added outside the UI

"Data Policies run regardless of how data is entered into ServiceNow"→Correct, because Data Policies enforce rules whether the data is entered via UI, API, Import Sets, or other means.

"UI Policies are used for form interactions"→Correct, because UI Policies apply only to client-side form behavior.

Option A: Incorrect. UI Policies are not set by web services; they are applied when interacting with forms.

Option B: Incorrect. While some Data Policies can be converted into UI Policies, the reverse is not true in all cases.

Option D: Incorrect. UI Policies and Data Policies operate independently, and Data Policies do not depend on UI Policies running first.

Why Option C is Correct:Why Other Options are Incorrect:

InServiceNow, anUpdate Setis a mechanism used tocapture customizationsmade in an instance andmove them to another instance(e.g., from development to production). However, certain elements arenot included in an Update Set by default.

Homepages (A) –Correct

Homepages are stored asuser-specific or global content, and they are not included in update sets by default.

To migrate them, you need tomanually export/importthem or use thesys_portal_page_settable.

Data (B) –Correct

Update Setsdo not include actual data, such as incident records, user records, or CMDB data.

Onlyconfiguration changes(like fields, forms, and workflows) are captured.

Data migration must be handled separately usingData Export or Integration methods.

Published Workflows (C) –Correct

Once a workflow ispublished, it is stored as a runtime instance and not automatically included in an Update Set.

To capture it, you mustmanually updatethe workflow before moving it in an Update Set.

Report Definitions (H) –Correct

Reports and their configurations are not automatically included in Update Sets.

You mustmanually include themby marking them as "Captured in Update Set."

D. Business Rules(Captured in Update Sets)

E. Schedules(Captured in Update Sets)

F. Database changes(Captured in Update Sets)

G. Related Lists(Captured in Update Sets)

I. Scheduled Jobs(Captured in Update Sets)

J. Client Scripts(Captured in Update Sets)

K. Views(Captured in Update Sets)

ServiceNow Update Sets Overview:https://docs.servicenow.com/en-US/bundle/utah-application-development/page/build/system-update-sets/concept/c_UpdateSets.html

ServiceNow Update Set Best Practices:https://docs.servicenow.com/en-US/bundle/utah-application-development/page/build/system-update-sets/concept/update-set-best-practices.html

Items NOT Included in Update Sets (By Default):Items That ARE Included in Update Sets (By Default):Official References from Certified System Administrator (CSA) Documentation:

In ServiceNow,Pluginsare used to activate additional applications or functionalities within a development instance. A plugin is apackage of features, configurations, and applicationsthat extends the platform’s capabilities.

Plugins introduce new capabilities– They allow you to enable or disable specific functionalities, such as ITSM, CMDB, HR Service Delivery, and Performance Analytics.

Plugins can be installed or activatedfrom theSystem Definition > Pluginsmodule.

Some plugins are available by default, while others require activation by an administrator or ServiceNow support.

Plugins can depend on other plugins, meaning some functionality requires multiple plugins to be activated.

A. App Package:No such term in ServiceNow. Applications in ServiceNow are delivered viaPlugins or App Engine Studio, not "App Package."

B. Updated Pack:Not a ServiceNow term. ServiceNow updates are delivered aspatches or application updates, not an "Updated Pack."

C. Patch:Apatchis a minor update or bug fix released by ServiceNow but does not introduce new functionality.

E. App Updated Set:Update Setstrack changes in a development instance but are used formigrating configurationsbetween instances, not for activating functionality.

ServiceNow Plugins Documentation:ServiceNow Docs

Managing and Activating Plugins in ServiceNow(Admin Guide)

Why is the Correct Answer "Plugin"?Why Not the Other Options?References from the Certified System Administrator (CSA) Official Documentation:

AnAccess Control rule (ACL)in ServiceNow defineswho can access dataandwhat actions they can performon that data. Each ACL consists of three primary components:

Object being secured– The specific table, field, or record that the rule applies to.

Operation– The type of action that is being secured (e.g., Read, Write, Create, Delete).

Permissions required– The conditions, roles, or scripts that determine whether access is granted.

ACLs evaluatewhether a user has permissionto access a specific table, field, or action.

Thesecurity rules are processed from most specific to least specific(e.g., field-level > table-level).

Permissions can be granted based onroles, conditions, or custom scriptsusing GlideSystem (gs).

A. Groups, Conditional Expressions, and Workflows(Incorrect)

ACLs do not manageworkflowsor directly control group assignments.

B. Table Schema, CRUD, and User Authentication(Incorrect)

CRUD (Create, Read, Update, Delete) permissions are controlled by ACLs, butUser Authenticationis managed separately through login policies (LDAP, SSO, etc.).

D. security_admin(Incorrect)

security_adminis aspecial elevated rolerequired to modify security settings, but it is not what an ACL specifies.

Access Control Rules Overview:https://docs.servicenow.com/en-US/bundle/utah-platform-security/page/administer/security/concept/access-control-rules.html

Configuring ACLs in ServiceNow:https://docs.servicenow.com/en-US/bundle/utah-platform-security/page/administer/security/task/t_CreateOrModifyAnAccessControl.html

How ACLs Work in ServiceNow:Explanation of Incorrect Options:Official References from Certified System Administrator (CSA) Documentation:

Afilter conditionin ServiceNow consists of three essential components that define how data is filtered in lists, reports, and queries. These components determine which records meet specific criteria.

Column (D)– Represents thefieldin the table that is being filtered (e.g., "Priority" in theincidenttable).

Operator (A)– Defines the comparison method, such asis, contains, starts with, greater than, etc.

Value (C)– Specifies thecriteriaused for filtering (e.g., "High" for Priority).

Components of a Filter Condition:Example of a Filter Condition in an Incident Table:PriorityisHigh

Column:Priority

Operator:is

Value:High

B. Match Criteria→ Not a defined component; filtering is based on column, operator, and value.

E. Field→ While "Field" is a general term,ServiceNow officially uses "Column"in filter conditions.