50 ServiceNow Certified Application Developer Practice Questions: Question Bank 2025

A developer creates a custom table for an application and wants to ensure it can only be accessed by users with the app’s specific role, including access from scripts and web services. What is the recommended way to enforce this restriction?

A Business Rule needs to set a field value based on other fields when a record is inserted, and the updated value must be committed to the database. Which Business Rule type is most appropriate?

A Flow Designer flow is triggered when a new request record is created. The flow should wait until the record’s State changes to "Approved" before continuing. Which Flow Designer capability best meets this requirement?

You are building a Service Portal widget and want to retrieve records on the server side for display. Where should the GlideRecord query be placed for best practice and security?

A developer needs to parse an inbound REST API request containing JSON and create multiple child records. Which approach is most appropriate in an Inbound REST API Scripted resource?

A Script Include contains reusable server-side logic that must be callable from a Flow Designer action. What is the recommended way to make this logic available to Flow Designer?

A developer is designing an application that will be moved between instances via update sets. Which item is LEAST likely to be captured in an update set by default?

A Service Portal widget displays a list of tasks. Users report that the list sometimes shows tasks they should not see. The server script uses GlideRecord without additional security checks. What is the best practice to ensure record-level security is enforced?

Your application must integrate with an external system using OAuth 2.0. Multiple flows and scripted integrations will call the same external API. Which design best supports centralized credential management and token handling?

A developer wrote a Business Rule that queries the same table it runs on and updates matching records. In production, this occasionally causes long execution times and unexpected recursive updates. What is the best approach to prevent recursion and improve maintainability?

A catalog item should show a secondary set of fields only when the user selects “Yes” for 'Needs approval?'. What is the recommended way to implement this behavior in Service Portal?

You are creating a server-side Script Include to be called from a Flow Designer Action step (not from the browser). Which setting is appropriate for the Script Include to follow best practice and reduce exposure?

A developer needs to generate a unique identifier for a record in a server-side script and store it in a string field. Which value is most appropriate?

A developer adds a new field to a table but the field is not visible in the classic form view for some users, while it is visible for admins. The field is included on the form layout. What is the most likely cause?

You built a Flow Designer flow to automatically update a related record when an Incident is resolved. It triggers correctly, but the Update Record action fails with an access error when run by non-admin users. What is the best solution?

A Service Portal widget must display a list of records based on a URL parameter (for example, sys_id). What is the recommended way to access the parameter inside the widget server script?

You are integrating ServiceNow with an external REST API that requires an API key and a per-environment base URL. What is the best practice for storing these values so they can vary by instance without code changes?

A developer is using GlideRecord to update 5,000 rows and notices the script runs slowly and generates many Business Rule executions. What is the recommended approach when business logic is not required for this update?

A Flow Designer action includes a Script step that queries records using GlideRecord. In testing, the action sometimes returns different results depending on who triggered the flow, even though the same inputs are used. What is the most likely reason?

An application includes a custom table with sensitive fields. The table’s record ACLs are correctly configured, but a user can still see one sensitive field on a form when they can read the record. What additional control is required to ensure the field itself is protected?

You are building a scoped app and want to ensure only users with a specific role can access a table, while still allowing other apps to reference it through controlled APIs. Which approach best meets this requirement?

A developer needs to check whether a string variable contains a value and is not just whitespace before proceeding in a server-side Script Include. Which is the recommended approach?

In Service Portal, a widget needs to display a list of records that updates when the user changes a filter on the client. Which portal pattern is most appropriate?

A Flow Designer flow is triggered when a record is created. You notice it sometimes runs multiple times for the same record when updates happen right after insert. What is the best way to ensure the flow only runs once per record creation?

A developer is troubleshooting slow server-side code that queries a large table. Which change most directly improves performance and follows best practice?

You need to integrate with an external REST API that requires an OAuth token. Multiple Script Includes and flows will call the API. What is the best design choice for managing the authentication details?

A scoped application must allow other scoped applications to call a Script Include method, but only through a stable API. Which configuration best supports this requirement?

A Service Portal page uses the Data Table widget to show records. Users report they can see records they should not access. The table has correct ACLs. What is the most likely cause?

A flow calls a subflow that updates a record. The parent flow also updates the same record later. Occasionally, data from the subflow is overwritten by the parent flow. What is the best approach to prevent these race/overwrite issues?

An IntegrationHub action uses a REST step to call an external system. Sometimes the external system returns transient 503 errors. What is the most robust solution that aligns with platform capabilities and best practice?

A developer is asked to store a constant value (for example, a max attachment size) that can be changed without updating code or application files. Which approach is recommended?

In Flow Designer, a developer needs to update a record and then use values from that updated record later in the same flow. What is the best practice to ensure the flow has the latest values?

A developer is troubleshooting a Scripted REST API that returns a 401 Unauthorized even though the user has the correct roles. Which configuration is the MOST likely cause?

A Service Portal widget must display a list of records filtered by the logged-in user. Where should the GlideRecord query typically be placed?

A developer creates an application table that extends Task. They need a field that should be available on the base Task form and all child tables. Where should the field be created?

A before Business Rule is intended to prevent insert when a related record is inactive. The developer wrote: `if (!rel.active) { current.setAbortAction(true); }` but it does not work reliably. What is the most likely issue?

A Flow Designer flow is triggered when a record is created. The flow should NOT run when records are inserted by an integration user. What is the recommended approach?

A developer needs to call an external REST endpoint from a script include and must support different endpoints for dev/test/prod without code changes. Which design is best?

A developer is building a Scripted REST API that creates records on a custom table. They must ensure Access Control (ACL) rules are enforced exactly as they would be for normal UI inserts. Which approach best meets the requirement?

A Service Portal widget intermittently shows data to users who should not see it. The widget's server script uses GlideRecord to query a table with restrictive ACLs, but the query still returns rows. What is the most likely cause and fix?

A developer needs to restrict access to a custom table so that only members of the x_app.hr_admin group can create or update records, while all authenticated users can read them. Which approach is most appropriate?

In a Service Portal widget, the server script queries records based on a sys_id passed from the client. What is the best practice to prevent unauthorized users from retrieving data they should not see?

A Flow Designer flow must run when a record is created on a custom table. The flow should NOT run when records are inserted by a specific integration user. What is the simplest recommended way to accomplish this?

A developer is writing a Script Include that will be called from both server-side Business Rules and Flow Designer actions. Which design best supports reusability and automated testing?

A developer needs to call an external REST API that returns JSON and requires an API key header. The response must be stored on the current record, and failures should be retried later without blocking the user. Which pattern is most appropriate?

A Flow Designer flow updates a record and then immediately reads fields that are set by a 'before update' Business Rule. In testing, the flow sometimes reads old values. What is the most likely cause and best fix?

A custom app has multiple modules and tables. The team wants to control which components get moved together between instances and avoid missing dependencies. What is the recommended approach?

A developer adds a reference field to a custom table and wants the reference qualifier to filter choices dynamically based on the current user's department. Which option is best practice for maintainability and performance?

A developer needs a scripted REST API endpoint to accept inbound requests and create records in a custom table. The API must enforce that callers can only create records for their own company, based on a company identifier in the integration user profile. What is the most secure design?

A Service Portal page uses a widget that performs multiple GlideRecord queries in its server script, and the page load is slow. Which change is most likely to improve performance while keeping results accurate?