Tips for ServiceNow Admins

Below are production-grade, real-world “notes & nuggets” for admins working on live instances.

Do in PDI: Build + test each change end-to-end; package in a single, well-named Update Set (with Summary, Description, Backout notes).
Prod practice: Dev → Test/UAT → Prod with a change record, peer review, and promotion window. Keep an emergency backout (previous update set or revert plan).
Zurich Update: If your organization has adopted Release Ops and Git integration, rely on those automated pipelines rather than manual Update Set movement.
Hygiene: No “Default” update sets; avoid mixing unrelated work; remove junk updates (UI view tweaks, personal prefs).
Quick check: Before promote, run Compare to baseline (or Update Set preview) and conflict checks; document pre/post-deploy steps (rebuild caches, reindex, email toggle).
Pitfalls: Moving Notifications/ACLs without their dependencies; missed sys_properties; promoting test email addresses into prod.

Do in PDI: Model roles bottom-up (task_user → itil → itil_admin), then test with Impersonate. Validate table/record/field ACLs and Conditions/Scripts.
Prod practice: Default-deny mindset; create data-protecting ACLs on sensitive fields (PII, financials); no admin as a workaround—use a break-glass role with approval + expiry.
Hygiene: Turn on Debug Security Rule only during testing; remove temporary bypass rules; use Dictionary “read-only” where UI is insufficient.
Pitfalls: UI Policy “read-only” ≠ security (users can bypass via API). Data Policies enforce at server/API—prefer them for integrity.

Do in PDI: Use System Logs → All, Transaction Log, and Script Tracer; log via gs.info/gs.warn/gs.error (and correlate with gs.getCurrentScopeName() + gs.getUserName() for traceability).
Prod practice: Log only what you need, at appropriate levels; avoid chatty loops; scrub PII. For incidents, raise log level temporarily and auto-expire it.
Hygiene: Separate functional logs (what happened) from debug logs (why); add error codes in messages to search easily later.
Pitfalls: Leaving Debug Business Rules/Debug Transactions on in production; GlideRecord queries without indexes → slow queries.

Do in PDI: Import via Import Set + Transform Map; define coalesce keys; add onBefore transform scripts for validation; use Data Policies for server-side enforcement.
Prod practice: Stage data in staging tables, run dry runs (preview transforms), keep replayable transform maps for rollbacks; document source→target mapping and timezone handling (IST is +05:30).
Hygiene: Protect choices via Choice Lists; use Reference Qualifiers (dynamic) to prevent orphan records; set Dictionary attributes (max length, mandatory, unique).
Pitfalls: Duplicate CI/Users due to weak coalesce; date/time skew; mass updates without filters; dot-walking in transforms causing slow runs.

Do in PDI: Prefer Flow Designer/Actions for maintainability; push heavy tasks to Async Business Rules/Scheduled Jobs; cache lookups when possible.
Zurich Update: Native support for ECMAScript 2021 (ES12) now allows using async/await patterns in server scripts, offering a modern, cleaner alternative to traditional Async Business Rules.
Prod practice: Enable Instance Scan rules (naming, query patterns, deprecated APIs); add indexes for high-volume queries; use GlideAggregate for counts/sums.
Hygiene: Avoid GlideRecord in tight loops; minimize dot-walks in list filters; replace client polling with Record Watch / UI notifications; cap Email burst via throttling.
Testing: ATF for regression on critical apps; smoke tests after each deploy (create incident, email notification, assignment, SLAs).
Pitfalls: Synchronous BRs doing external calls; long-running transforms during business hours; flows without guard conditions.

Do in PDI: Build Notifications with templates and conditions; test Inbound Actions/Inbound Email Flows using sample payloads.
Prod practice: Maintain Email “send/receive” toggles per environment; in non-prod, rewrite/whitelist recipients (no real customer emails); version your templates; keep a From strategy (SPF/DKIM managed by IT).
Hygiene: Validate notification conditions after each change; add fail-safes (e.g., skip emails for test domains); track via Email Logs + System Mailboxes.
Pitfalls: Hard-coded addresses; HTML templates without plain-text; image links pointing to non-prod.

(For production teams)

Kaizen plan (one-a-day): Each day, validate one scenario end-to-end in PDI → log steps → convert into a wiki/Runbook for your project.
Change discipline: Bundle related updates; no mixed scopes; small, frequent releases reduce blast radius.
Integration hygiene: Use staging tables, retry with back-off, dead-letter queues, and idempotency keys; never call third-party APIs synchronously in Request/Response flows.
Network realities: For MID Server behind a proxy, document proxy allow-lists, SSL keystores, and timeouts; schedule heavy jobs away from IST peak hours.
Access reviews: Quarterly role/ACL recertification with managers; remove dormant elevated roles.
Backups & clones: Before a clone, exclude audit/attachment-heavy tables if not needed; after clone, reapply non-prod safety (email off, SSO off, integrations to stubs).

(Handy to print)

Reading these tips is step one; practicing them is where the real learning happens. Here is your immediate action plan for this week:

Upgrade to Zurich: Log into your Personal Developer Instance (PDI) and ensure you are on the Zurich release to test the latest features.
Try the "Modern" Way: Pick one old habit (like a complex Async Business Rule) and try rewriting it using the new ES12 async/await syntax to see the difference in readability.
Audit Your Access: Impersonate a standard user in your PDI today. Can they see something they shouldn't? If yes, write an ACL immediately.
Share the Knowledge: If you found a specific "Gotcha" in the Zurich release, share it and discuss it with your team during the next stand-up.

Keep learning, keep validating, and keep your production instances clean!