App Design
5% of exam
Security
20% of exam
Roles, Groups, ACLs, Application Access, Default Deny
User Experience
10% of exam
Menus, Modules, Forms, Views, UI Policy
Data
20% of exam
Tables, Dictionary, References, Import Sets, Transform Maps
Automation
20% of exam
Business Rules, Flow Designer, Events, Script Includes, GlideAjax
Managing Apps
25% of exam
Update Sets, Source Control, App Repository, ATF, Debugging
Quick Facts
- Exam: CAD
- Credential: Application Developer
- Items: 60
- Time: 90 min
- Pass: 70%
- Fee: $300
- Delivery: Pearson VUE
- Top domain: Managing Apps 25%
Scoped Apps
- Scoped app: Namespace isolation
- Global: Shared legacy scope
- Scope prefix: x_app namespace
- App file: Deployable artifact
- AES: Guided app builder
- Studio: Developer workspace
- Task extension: Inherits task behavior
- Requirement: Capability choice
ACL Gates
R-C-S all pass
Role, Condition, Script, Table + field
Module Role vs ACL
Module Role
- Shows navigation
- Hides menu
- Not data
ACL
- Enforces access
- Rows/fields
- Server gate
Menu is not data
Security Picker
- Same access group → Group role (Maintainable)
- Record access → Table ACL (Rows)
- Sensitive field → Field ACL (Column)
- Other scope reads → App Access (Scope)
- Client returns records → GlideRecordSecure (ACL-aware)
- Import still enforced → Data Policy (All interfaces)
Security Controls
- Role: Permission bundle
- Group: Role assignment hub
- Table ACL: Record access
- Field ACL: Column access
- Module role: Navigation visibility
- App Access: Cross-scope gate
- Privilege: Explicit scope allow
- Default deny: No grant blocks
Scope First
Scope gates before ACLs
App Access, Cross-scope, ACL
Table ACL vs Field ACL
Table ACL
- Record operation
- Read/write/delete
- Row layer
Field ACL
- Specific column
- Sensitive fields
- Column layer
Both may apply
Access Sequence
- Scope: App boundary
- App Access: Other-scope permission
- ACL match: Object operation
- Role check: User membership
- Condition: Record filter
- Script: Boolean gate
- Table + field: Both must pass
- No ACL: Access denied
UI Policy vs Client Script
UI Policy
- Declarative
- Field behavior
- Faster load
Client Script
- Custom logic
- Browser code
- Needs script
Configure before script
UI Control Picker
- Make field mandatory → UI Policy (Declarative)
- Need browser logic → Client Script (Client)
- Need trusted validation → Business Rule (Server)
- Client needs lookup → GlideAjax (Server call)
- Hide module → Module role (Navigation)
- Protect data → ACL (Security)
UX Surfaces
- App menu: Top navigator
- Module: Navigation link
- Form: Record layout
- List: Record grid
- View: Layout variant
- Related list: Linked records
- UI Policy: Declarative form behavior
- Client Script: Browser logic
Import Set vs Transform Map
Import Set
- Stages data
- Temporary table
- Raw rows
Transform Map
- Maps fields
- Creates records
- Coalesces matches
Stage then map
Data Model
- Table: Record container
- Dictionary: Field metadata
- Reference: Record link
- Dot-walking: Reference traversal
- Choice: Controlled values
- M2M: Join table
- DB view: Joined reporting
- Data Policy: Interface-wide rules
Import Workflow
- Import set: Staging table
- Transform map: Field mapping
- Coalesce: Match existing record
- Insert: Create target row
- Update: Modify matched row
- Reject: Skip bad row
- Source field: Incoming column
- Target field: Destination column
Client Server
Client asks; server answers
Client Script, GlideAjax, Script Include
Flow vs Business Rule
Flow
- Process automation
- Readable steps
- Reusable actions
Business Rule
- Database trigger
- Immediate logic
- Server script
Process vs commit
Automation Picker
- Before save change → Before BR (Pre-commit)
- After save action → After BR (Committed)
- Readable workflow → Flow (Low-code)
- Reusable server logic → Script Include (Library)
- Decouple notification → Event (Queued)
- Scheduled cleanup → Scheduled job (Timed)
Automation Artifacts
- Business Rule: Server record trigger
- Before BR: Pre-commit logic
- After BR: Post-commit logic
- Async BR: Later server work
- Display BR: Scratchpad preparation
- Flow: Low-code process
- Subflow: Reusable flow unit
- Action: Reusable flow step
BR Timing
Before set; after react
Before, After, Async, Display
GlideRecord vs Secure
GlideRecord
- Server query
- Script context
- Fast table API
GlideRecordSecure
- Honors ACLs
- User context
- Client-callable safer
Security-aware returns
Script Helpers
- Script Include: Server library
- GlideAjax: Client-server bridge
- GlideRecord: Server table API
- GlideRecordSecure: ACL-aware query
- Event: Queued signal
- Notification: Message rule
- Scheduled job: Timed server task
- Script Action: Event response
Update Set vs App Repo
Update Set
- Config changes
- Global fixes
- Operational bundle
App Repo
- Scoped apps
- Versioned installs
- Distribution path
Bundle vs product
Lifecycle Picker
- Move scoped app → App Repository (Distribute)
- Need peer review → Git (Diffs)
- Fast global fix → Update set (Config)
- Regression proof → ATF (Tests)
- Validate ACLs → Impersonation (User context)
- Find script issue → Debugger (Inspect)
Lifecycle Tools
- Update set: Config bundle
- Git: Change history
- Source control: Review workflow
- App Repository: Distribute scoped app
- App version: Release marker
- Dependency: Required app
- ATF: Regression tests
- Instance Scan: Quality findings
Testing + Debugging
- Test step: Single ATF action
- Test suite: Grouped tests
- Impersonation: User-context test
- Form test: UI validation
- Server test: Script validation
- REST test: Endpoint validation
- Debugger: Script inspection
- Log: Runtime evidence
Common Traps
Menu vs data
Module shows menu ≠ ACL grants data
Client vs security
Client scripts expose ≠ ACLs enforce server
Scope vs ACL
App access gates ≠ ACL checks users
Import vs transform
Import set stages ≠ Transform map writes
Update vs repo
Update sets configure ≠ Repository ships apps
Flow vs rule
Flow orchestrates ≠ BR commits data
Declarative vs script
Configuration first ≠ Script only when needed
Last Minute
- 1. Largest: Managing Apps 25%
- 2. Design = 5%
- 3. Security/Data/Automation = 20%
- 4. UX = 10%
- 5. ACLs enforce data
- 6. Modules hide navigation
- 7. UI Policy before scripting
- 8. Flow for readable orchestration
- 9. App access gates scopes
- 10. ATF tests with impersonation
