Sample questions
ServiceNow Certified Application Developer CAD practice questions
A company has a custom table 'u_training_course' with a reference field to 'sys_user' named 'u_instructor'. The requirement is that only users with the 'instructor' role can be selected in this field. Which approach should be used to enforce this?
Trap 1: Create a business rule on the table to check the role and reject…
Business rules run after submission, so invalid data can be saved momentarily.
Trap 2: Use a client script to validate the selection before form submission
Client scripts can be bypassed by direct API calls.
Trap 3: Configure an ACL on the reference field to restrict write access
ACLs control permissions, not the list of selectable values.
- A
Create a business rule on the table to check the role and reject invalid selections
Why wrong: Business rules run after submission, so invalid data can be saved momentarily.
- B
Add a reference qualifier on the field to filter users with the 'instructor' role
Reference qualifiers restrict the list dynamically.
- C
Use a client script to validate the selection before form submission
Why wrong: Client scripts can be bypassed by direct API calls.
- D
Configure an ACL on the reference field to restrict write access
Why wrong: ACLs control permissions, not the list of selectable values.
A company has a custom table 'u_asset' with a reference field 'u_location' pointing to 'cmn_location'. When a user changes the location on an asset record, the system must automatically update the location on all related 'u_asset_software' records. Which approach should the developer use?
Trap 1: Create a Client Script that runs on load to update related records.
Client Scripts run on the client and cannot perform server-side updates.
Trap 2: Create an ACL to automatically propagate changes.
ACLs control access, not data propagation.
Trap 3: Create a UI Policy that sets the location field on related records.
UI Policies only control field attributes on the form.
- A
Create a Client Script that runs on load to update related records.
Why wrong: Client Scripts run on the client and cannot perform server-side updates.
- B
Create an ACL to automatically propagate changes.
Why wrong: ACLs control access, not data propagation.
- C
Create a Business Rule that runs on update of the 'u_asset' table and updates related records.
Business Rules run server-side and can update related records.
- D
Create a UI Policy that sets the location field on related records.
Why wrong: UI Policies only control field attributes on the form.
A developer needs to create a new application scope. Which of the following is a best practice when defining the scope?
Trap 1: Use the global scope to avoid access restrictions.
Global scope is not recommended for custom applications; it can cause conflicts.
Trap 2: Use a scope name that is already in use to leverage existing…
Scope names must be unique.
Trap 3: Create the scope and later change the name if needed.
Scope name cannot be changed after creation.
- A
Set the scope to 'Protected' to prevent other applications from modifying its records.
Protected scope prevents unauthorized modifications.
- B
Use the global scope to avoid access restrictions.
Why wrong: Global scope is not recommended for custom applications; it can cause conflicts.
- C
Use a scope name that is already in use to leverage existing configurations.
Why wrong: Scope names must be unique.
- D
Create the scope and later change the name if needed.
Why wrong: Scope name cannot be changed after creation.
An application has a custom table 'u_project' with a field 'u_status' (choice list: Not Started, In Progress, Completed). The developer wants to prevent any update to the record if the status is 'Completed'. Which approach should be used?
Trap 1: Create a Database View that filters out Completed records.
Database Views are for reporting, not for preventing updates.
Trap 2: Create a Client Script that sets the field to read-only when status…
Client Scripts can only set read-only on the form, but updates via other channels are not blocked.
Trap 3: Create a UI Policy to disable the entire form when status is…
UI Policies only control form behavior, not server-side updates.
- A
Create a Database View that filters out Completed records.
Why wrong: Database Views are for reporting, not for preventing updates.
- B
Create a Client Script that sets the field to read-only when status is Completed.
Why wrong: Client Scripts can only set read-only on the form, but updates via other channels are not blocked.
- C
Create a Business Rule with condition 'current.u_status.changesTo("Completed")' and set 'current.setAbortAction(true)' in the script.
Business Rules can abort actions before they occur.
- D
Create a UI Policy to disable the entire form when status is Completed.
Why wrong: UI Policies only control form behavior, not server-side updates.
A company has a custom table 'u_incident_task' that extends 'task'. The developer wants to add a field 'u_approval' that is a reference to 'sysapproval_approver'. Which method is the correct way to create this field?
Trap 1: Create a 'List' field type and set the table to…
'List' is not a valid field type in ServiceNow.
Trap 2: Create a 'Reference' field and set the table to 'task' and the…
The reference field should point to the table, not a field.
Trap 3: Create a 'Choice' field and populate it with sysapproval_approver…
Choice fields are for static lists, not dynamic references.
- A
Create a 'List' field type and set the table to sysapproval_approver.
Why wrong: 'List' is not a valid field type in ServiceNow.
- B
Create a 'Reference' field and set the reference table to 'sysapproval_approver'.
This creates a proper reference to the sysapproval_approver table.
- C
Create a 'Reference' field and set the table to 'task' and the reference field to 'sysapproval_approver'.
Why wrong: The reference field should point to the table, not a field.
- D
Create a 'Choice' field and populate it with sysapproval_approver values.
Why wrong: Choice fields are for static lists, not dynamic references.
Which TWO of the following are types of UI Policies? (Choose two.)
Trap 1: On submit
On submit is not a UI Policy type.
Trap 2: On delete
On delete is not a UI Policy type.
Trap 3: On query
On query is not a UI Policy type.
- A
On change
UI Policies can run when a field changes.
- B
On load
UI Policies can run on form load.
- C
On submit
Why wrong: On submit is not a UI Policy type.
- D
On delete
Why wrong: On delete is not a UI Policy type.
- E
On query
Why wrong: On query is not a UI Policy type.
The ACL above is on the 'incident' table. A user with role 'itil' tries to update an incident record. What will happen?
Exhibit
Refer to the exhibit.
ACL record:
Name: incident.write
Type: record
Operation: write
Condition: gs.hasRole('incident_manager')
Script:
answer = true;Trap 1: The user will be prompted for credentials.
ACLs do not prompt for credentials.
Trap 2: The user will be allowed because the condition is ignored for write…
Condition is always evaluated.
Trap 3: The user will be allowed because the script sets answer = true.
The script only runs if the condition is true.
- A
The user will be prompted for credentials.
Why wrong: ACLs do not prompt for credentials.
- B
The user will be allowed because the condition is ignored for write operations.
Why wrong: Condition is always evaluated.
- C
The user will be allowed because the script sets answer = true.
Why wrong: The script only runs if the condition is true.
- D
The user will be denied because the condition fails.
The condition requires incident_manager role, which the user does not have.
A developer is asked to add a custom button to the Service Portal form for the 'incident' table. The button should trigger a client script that displays a confirmation dialog before submitting the form. Which approach should the developer use?
Trap 1: Create an Access Control Rule (ACL) on the incident table and…
ACLs control access, not UI elements.
Trap 2: Create a Business Rule on the incident table that injects a button…
Business Rules run server-side and cannot directly modify client UI.
Trap 3: Create a UI Action on the incident table with a client script and…
UI Actions are for form buttons but not ideal for conditional display based on client script logic.
- A
Create a UI Policy on the incident table with a client script that shows the button conditionally.
UI Policy can conditionally display UI elements and run client scripts.
- B
Create an Access Control Rule (ACL) on the incident table and attach a client script.
Why wrong: ACLs control access, not UI elements.
- C
Create a Business Rule on the incident table that injects a button via server-side code.
Why wrong: Business Rules run server-side and cannot directly modify client UI.
- D
Create a UI Action on the incident table with a client script and set the 'Show insert' condition.
Why wrong: UI Actions are for form buttons but not ideal for conditional display based on client script logic.
Which TWO of the following are valid ways to customize the Service Portal login page?
Trap 1: Create a new widget instance on the 'loginpage' widget slot.
The login page is a special page; widget slots are not used.
Trap 2: Add a widget option to the login widget to inject custom CSS.
Widget options are for runtime data, not CSS injection.
Trap 3: Set the 'login.css' property in sys_properties to a custom…
There is no such sys_property.
- A
Create a new widget instance on the 'loginpage' widget slot.
Why wrong: The login page is a special page; widget slots are not used.
- B
Override the 'Login' page in the portal record by creating a new page and setting it as the login page.
You can create a custom page and set it as the login page.
- C
Add a widget option to the login widget to inject custom CSS.
Why wrong: Widget options are for runtime data, not CSS injection.
- D
Use CSS variables in the portal's theme (SCSS) to style the login page elements.
The portal theme can override CSS variables affecting the login page.
- E
Set the 'login.css' property in sys_properties to a custom stylesheet URL.
Why wrong: There is no such sys_property.
When configuring a Service Portal page, a developer wants to ensure that a specific widget appears only to users with the 'itil' role. Which approach should be used?
Trap 1: Pass a role check from the server script to the client controller…
Widget options do not enforce security.
Trap 2: Write an Access Control Rule (ACL) on the widget's table to…
ACLs control data access, not UI widget visibility.
Trap 3: Create a UI Policy on the portal table that hides the widget based…
UI Policies do not apply to Service Portal.
- A
Pass a role check from the server script to the client controller via widget options.
Why wrong: Widget options do not enforce security.
- B
Write an Access Control Rule (ACL) on the widget's table to restrict access.
Why wrong: ACLs control data access, not UI widget visibility.
- C
Set the 'Roles' property on the widget instance within the page designer.
The Roles property restricts widget visibility to specified roles.
- D
Create a UI Policy on the portal table that hides the widget based on user roles.
Why wrong: UI Policies do not apply to Service Portal.
Match each ServiceNow application scope to its description.
Drag a concept onto its matching description — or click a concept then click the description.
Visible and editable across all scopes
Isolated application with own tables and access controls
Built-in scope for system administration
Default scope for end-user interactions
Scope for plugin-provided applications
Match each ServiceNow access control rule (ACL) type to its function.
Drag a concept onto its matching description — or click a concept then click the description.
Controls view access to records
Controls create and update access
Controls delete access
Controls record creation
Controls script execution
Drag and drop the steps to create a UI Action in ServiceNow into the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to create an ACL (Access Control List) in ServiceNow into the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to create a new Update Set in ServiceNow into the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to configure a Business Rule in ServiceNow into the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to create a Client Script in ServiceNow into the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to create a new Scheduled Job in ServiceNow into the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
A company is integrating ServiceNow with an external system using REST API. The integration is failing with a 401 Unauthorized error. The integration user's credentials are correct and the user has the 'rest_service' role. What is the most likely cause of the failure?
Trap 1: The password for the integration user does not meet complexity…
Password complexity does not affect API authentication if credentials are correct.
Trap 2: The integration user does not have the 'rest_api' role.
'rest_service' is the correct role; 'rest_api' does not exist.
Trap 3: The integration is hitting a table ACL that denies read access.
ACL denial typically returns 403 Forbidden, not 401.
- A
The password for the integration user does not meet complexity requirements.
Why wrong: Password complexity does not affect API authentication if credentials are correct.
- B
The integration user does not have the 'rest_api' role.
Why wrong: 'rest_service' is the correct role; 'rest_api' does not exist.
- C
The OAuth token used for authentication has expired or is invalid.
401 Unauthorized indicates authentication failure; expired/invalid OAuth token is a common cause.
- D
The integration is hitting a table ACL that denies read access.
Why wrong: ACL denial typically returns 403 Forbidden, not 401.
A ServiceNow administrator needs to integrate with an external inventory system. The integration must import inventory items into a custom table 'inventory_item' and export order status from a custom table 'order' to the external system. Which TWO methods should the administrator use to achieve this?
Trap 1: Web Services Import set to import inventory items.
Web Services Import is not a standard ServiceNow feature; Import Set Row is used.
Trap 2: Flow Designer to both import and export.
Flow Designer can trigger actions but is not a direct import/export method.
Trap 3: Transform Map to export order status.
Transform Maps are used for import transformations, not export.
- A
Web Services Import set to import inventory items.
Why wrong: Web Services Import is not a standard ServiceNow feature; Import Set Row is used.
- B
Export to XML to export order status.
Export to XML can be used to export data from ServiceNow.
- C
Flow Designer to both import and export.
Why wrong: Flow Designer can trigger actions but is not a direct import/export method.
- D
Import Set Row to import inventory items.
Import Set Row is the correct method to import data into a table.
- E
Transform Map to export order status.
Why wrong: Transform Maps are used for import transformations, not export.
Refer to the exhibit. A developer created this Script Include to be used as a REST API endpoint. However, when calling the API, the response is empty. What is the most likely reason?
Exhibit
Refer to the exhibit.
Script Include: getIncidents.gs
var getIncidents = Class.create();
getIncidents.prototype = Object.extendsObject(AbstractAjaxProcessor, {
getOpenIncidents: function() {
var gr = new GlideRecord('incident');
gr.addQuery('active', true);
gr.query();
var result = [];
while(gr.next()) {
result.push({
'number': gr.getValue('number'),
'short_description': gr.getValue('short_description')
});
}
return result;
}
});Trap 1: The Script Include is not marked as 'Client callable'.
Client callable is for GlideAjax, not for Script Include REST endpoints.
Trap 2: The function name 'getOpenIncidents' is not exposed.
The function name is correct, but the Script Include type is wrong.
Trap 3: The GlideRecord query returns no results.
The query is valid; if there are active incidents, it should return results.
- A
The Script Include is not marked as 'Client callable'.
Why wrong: Client callable is for GlideAjax, not for Script Include REST endpoints.
- B
The function name 'getOpenIncidents' is not exposed.
Why wrong: The function name is correct, but the Script Include type is wrong.
- C
The GlideRecord query returns no results.
Why wrong: The query is valid; if there are active incidents, it should return results.
- D
The Script Include is not marked as 'REST API endpoint' or does not extend the appropriate class.
For REST API, the Script Include must extend 'AbstractAjaxProcessor' and be marked as 'script' for REST, but the exhibit shows it extends AbstractAjaxProcessor, which is correct for GlideAjax, not for REST. Actually, for REST, you need to use 'Scripted REST API' or 'RESTMessage'? Wait, the exhibit shows it extends AbstractAjaxProcessor, which is used for GlideAjax, not for REST API. So the correct answer is that it should be a Scripted REST API instead. But Option B says 'not marked as REST API endpoint' which is the key: it should be a Scripted REST API, not a Script Include. So B is correct.
A company is building a ServiceNow application to manage employee onboarding. They need to store personal data like social security numbers (SSNs) and medical information. Which data classification scheme should they apply to these fields to ensure proper encryption and access controls?
Trap 1: Confidential
Confidential is for business-sensitive data, not the highest level.
Trap 2: Internal
Internal is for general internal use without special protection.
Trap 3: Public
Public is for non-sensitive data accessible to all.
- A
Confidential
Why wrong: Confidential is for business-sensitive data, not the highest level.
- B
Internal
Why wrong: Internal is for general internal use without special protection.
- C
Highly Confidential
Correct, this is the highest classification for sensitive personal data.
- D
Public
Why wrong: Public is for non-sensitive data accessible to all.
A developer is troubleshooting a business rule in a scoped application that is not triggering. The rule is set to run 'before' query, with condition 'current.state == 1'. The table has read ACLs that restrict access. What is the most likely reason the business rule is not executing?
Trap 1: The condition 'current.state == 1' is incorrect syntax.
The syntax is valid for a before query business rule.
Trap 2: Another business rule with higher order is preventing execution.
Order only affects sequence, not whether a rule runs.
Trap 3: The business rule is scoped and cannot access the table.
Scoped business rules can access tables within the same scope.
- A
The condition 'current.state == 1' is incorrect syntax.
Why wrong: The syntax is valid for a before query business rule.
- B
Another business rule with higher order is preventing execution.
Why wrong: Order only affects sequence, not whether a rule runs.
- C
The user does not have read access to the records, so the query does not execute the rule.
Before query rules run only if the user can access the records.
- D
The business rule is scoped and cannot access the table.
Why wrong: Scoped business rules can access tables within the same scope.
A company has a custom table 'u_employee' with fields: 'first_name', 'last_name', 'department'. They want to create a unique index on the combination of 'last_name' and 'department' to prevent duplicate entries. Where should this index be defined?
Trap 1: In the table schema map
Schema maps are for integration, not indexing.
Trap 2: In the dictionary entry for each field
Indexes are not defined per field.
Trap 3: In the sys_dictionary table directly
sys_dictionary stores field definitions, not indexes.
- A
In the table schema map
Why wrong: Schema maps are for integration, not indexing.
- B
In the table's dictionary record via the Indexes related list
Indexes are added to the table's dictionary.
- C
In the dictionary entry for each field
Why wrong: Indexes are not defined per field.
- D
In the sys_dictionary table directly
Why wrong: sys_dictionary stores field definitions, not indexes.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.