
Access Controls (ACL)

© 2014 ServiceNow All Rights Reserved Confidential 1


Access Controls
What is ACCESS CONTROL?
Access control rules, also known as access control lists (ACL) or access controls, restrict access
to data by requiring users to pass a set of requirements before they can interact with it.
All access control rules specify:
1. The object and operation being secured
2. The permissions required to access the object

The key to understanding access controls is to understand that it is a two-gate system.

Whoever wants to access a record for a particular operation (read, write, etc.) is evaluated for:
• Field level: the particular field(s) they affect in that table.
• Table (row) level: then the system checks the table-level access for the user.

Where can it be implemented?

There are quite a few base system ACLs that come preconfigured in the platform. These objects
include:
• UI Pages
• Client-callable Script Includes
• Processors
• Tables
• Individual Table Fields



Create ACLs
To create new ACL rules, you must elevate privileges to the security_admin role.
For tables that are in a different scope than the ACL rule record, the types of rules are limited.

Procedure
1. Elevate privileges to the security_admin role.
2. Navigate to System Security > Access Control (ACL).
3. Click New.
4. Define the object the ACL rule secures and the permissions required to access the object.
5. Right-click the form header and select Save.



Field Level ACLs
Gate 1 - Field-level access
When a user attempts to access a record from a table, the system first checks field-level access for the fields tied to the table the user
is trying to access (first gate).
1. It starts by looking for an ACL for the particular table/field combination for the field on the form. For the Caller field on Incident,
the system searches for an access control whose name is "incident.caller_id". If it finds one, it evaluates all three pieces of the security
check (roles, condition, script). The following example shows a sample for the Caller field (caller_id).

2. If an ACL is not found for the specific table/field combination, the system looks for a generic field ACL for that table, where the second
part of the ACL name is set to *. In the incident example, that would be an ACL whose name is incident.*, as shown in the following example.

3. If it does not find that either, it continues up the table hierarchy (task.caller_id, then task.*) and finally looks for a generic field ACL
that applies to all tables, which has the name *.*, as shown in the following example.

The key for field access is that the search works from the very specific to the generic. The search order is as follows:

table.field ACL (incident.caller_id)
table.* ACL (incident.*)
Parent table.field ACL (task.caller_id)
Parent table.* ACL (task.*)
Generic field ACL (*.*)



Field Level ACLs order
1. Table.field, e.g. incident.number
2. Table.*, e.g. incident.*
3. *.field, e.g. *.number
4. Parent.field, e.g. task.number
5. Parent.*, e.g. task.*
6. *.* (wildcard), e.g. *.*



Table (Row) Level ACLs
Gate 2 - Table-level access
Once all the fields have been evaluated for the particular table being accessed, the system moves on to the second gate, table-level access.

The system checks for an ACL whose name matches the table the user is trying to access.
The Name label has two drop-down fields on ACL records. The first field is for the table and the second field is for the actual field. So when
you want to check for a table-level ACL, you are looking for ACLs where the second field is set to "--None--". The following example shows
an incident read table-level ACL.
Once the system finds an ACL, the user must pass ALL THREE pieces of security on that ACL record:
1. First, the user has to have at least one of the roles defined on the roles related list of the ACL.
2. Next, the system checks whether a condition is defined in the condition filter and, if one is present, the record must satisfy it.
3. Finally, the script is evaluated if one is defined. The script must return true for the user or access is not granted. If no script is defined,
that step is skipped.

If no table-specific ACL is found for the table in question (incident in the example), the system looks for an ACL where the table name
matches a parent table in that table's hierarchy (for example, task is a parent to incident).

If no parent table ACL is defined, it looks for a * rule (applies to all tables when a table-level ACL is not defined).



Row (table) level ACLs order
1. Table, e.g. incident
2. Parent, e.g. task
3. *, e.g. *



ACL matching & ACL validation flow



How row- and field-level ACL validation happens
The system evaluates:
• all row-level ACLs, combined with a logical OR
• all field-level ACLs, combined with a logical OR
• the results of those two, combined with a logical AND

Scenarios:
• An ACL that allows you to write at the row level, while access is denied on all field levels, will not allow access to the record,
because of the AND between the row-level and field-level results.
• What if the row-level ACLs evaluate to true, and some field-level ACLs evaluate to true while others do not?
The answer is that it depends on the type (operation) of the field-level ACLs:
1. Read ACLs that evaluate to true allow the field to display.
2. Read ACLs that evaluate to false prevent the field from displaying.
3. If the read ACL evaluates to true and the write ACL evaluates to false, the field is displayed read-only.
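As an added example (not code from this deck or from the ServiceNow platform), the following Node.js model implements the evaluation flow the field-level, table-level and validation slides above describe: the specific-to-generic search order for field-level rules (the six-step order from the "Field Level ACLs order" slide) and for table-level rules, the stop at the first level where any rule exists, the three-part roles/condition/script check on each rule, OR across rules found at the same level, and the AND between the row-level and field-level results that yields a hidden, read-only or editable field. The table hierarchy, ACL rules, role names, users and the incident record are constructed for the example; `gs` is a two-method stand-in for GlideSystem (`getUserID`, `hasRole`), and rule scripts return a boolean rather than setting the platform's `answer` variable. The admin role's platform-wide bypass is not modelled.

```javascript
// Added example, not ServiceNow platform code: a Node.js model of the two-gate ACL
// evaluation described in this deck. Hierarchy, rules, users and record are constructed;
// `gs` is a minimal stand-in for the platform's GlideSystem object.

// Constructed table hierarchy: incident extends task; task has no parent.
const HIERARCHY = { incident: 'task', task: null };

// Constructed ACL rules. `name` is the secured object (table or table.field).
// roles: the user needs ANY one of them (empty list = no role requirement).
// condition / script: optional, and both must pass. Platform ACL scripts set `answer`;
// this model uses the script's return value instead.
const ACLS = [
  { op: 'read',  name: 'incident',           roles: ['itil'] },
  { op: 'read',  name: 'incident',           roles: ['incident_viewer'] },   // same level as above: OR'd
  { op: 'write', name: 'task',               roles: [],
    script: (current, gs) => current.active === true &&
      (gs.hasRole('itil') || current.assigned_to === gs.getUserID()) },
  { op: 'read',  name: 'incident.caller_id', roles: ['itil', 'incident_viewer'] },
  { op: 'write', name: 'incident.caller_id', roles: ['itil'],
    condition: (current) => current.state !== 7 },                             // 7 = Closed
  { op: 'write', name: 'incident.number',    roles: ['admin'] },
  { op: 'read',  name: 'incident.*',         roles: ['itil', 'incident_viewer'] },
  { op: 'write', name: 'task.*',             roles: ['itil'] },
  { op: 'read',  name: '*.*',                roles: ['admin'] },
  { op: 'write', name: '*.*',                roles: ['admin'] },
];

// Gate 1 search order, specific to generic: table.field, table.*, *.field,
// then parent.field and parent.* up the hierarchy, then *.*.
function fieldSearchOrder(table, field) {
  const order = [`${table}.${field}`, `${table}.*`, `*.${field}`];
  for (let p = HIERARCHY[table]; p; p = HIERARCHY[p]) order.push(`${p}.${field}`, `${p}.*`);
  order.push('*.*');
  return order;
}

// Gate 2 search order: table, each parent table, then *.
function tableSearchOrder(table) {
  const order = [table];
  for (let p = HIERARCHY[table]; p; p = HIERARCHY[p]) order.push(p);
  order.push('*');
  return order;
}

// The search stops at the first (most specific) name that has any rule for this
// operation; every rule at that level is returned so they can be OR'd.
function matchingRules(op, names) {
  for (const name of names) {
    const found = ACLS.filter((r) => r.op === op && r.name === name);
    if (found.length) return found;
  }
  return [];
}

// One rule passes only if all three parts pass: roles, then condition, then script.
function passesRule(rule, user, current) {
  const gs = { getUserID: () => user.userID, hasRole: (r) => user.roles.includes(r) }; // stub
  if (rule.roles.length && !rule.roles.some((r) => user.roles.includes(r))) return false;
  if (rule.condition && !rule.condition(current)) return false;
  if (rule.script && rule.script(current, gs) !== true) return false;
  return true;
}

// Rules found at the matching level are combined with OR; no rule at any level means deny.
function allowed(op, names, user, current) {
  return matchingRules(op, names).some((r) => passesRule(r, user, current));
}

// Gate 1 AND gate 2 for one field: 'write' (editable), 'read' (read-only) or 'none' (hidden).
function fieldAccess(table, field, user, current) {
  const rowNames = tableSearchOrder(table);
  const fieldNames = fieldSearchOrder(table, field);
  if (!(allowed('read', rowNames, user, current) && allowed('read', fieldNames, user, current))) return 'none';
  if (allowed('write', rowNames, user, current) && allowed('write', fieldNames, user, current)) return 'write';
  return 'read';
}

// Record-level result for an operation: (OR of row-level rules) AND (OR of field-level rules).
function canAccessRecord(op, table, fields, user, current) {
  const row = allowed(op, tableSearchOrder(table), user, current);
  const anyField = fields.some((f) => allowed(op, fieldSearchOrder(table, f), user, current));
  return row && anyField;
}

// Constructed sample data: an open incident assigned to user u123.
const INC = { number: 'INC0010001', active: true, state: 2, caller_id: 'u999', assigned_to: 'u123' };
const ITIL = { userID: 'u123', roles: ['itil'] };
const VIEWER = { userID: 'u456', roles: ['incident_viewer'] };
const ESS = { userID: 'u123', roles: [] };   // is the assignee, but holds no role

console.log(fieldSearchOrder('incident', 'caller_id').join(' -> '));
console.log('itil, open incident   :', fieldAccess('incident', 'caller_id', ITIL, INC));                  // write
console.log('itil, closed incident :', fieldAccess('incident', 'caller_id', ITIL, { ...INC, state: 7 })); // read
console.log('viewer                :', fieldAccess('incident', 'caller_id', VIEWER, INC));                // read
console.log('no roles              :', fieldAccess('incident', 'caller_id', ESS, INC));                   // none
// Row-level write passes for itil, but the only field asked for is denied: the AND makes it false.
console.log('itil write, number only:', canAccessRecord('write', 'incident', ['number'], ITIL, INC));      // false
```

The user with no roles is worth noting: the row-level write rule on task passes for them through its script (they are the assignee), yet they see nothing, because the row-level read rule on incident requires a role they do not hold. A permissive script on one gate never compensates for a failed check on the other.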
Access Controls Debugging



ACL debug
The following ACL rule debugging tools are available:
 Field level debugging
 ACL rule output messages
To enable ACL rule debugging,
navigate to System Security > Debug Security Rules.
ACL rule output messages
ACL debugging displays ACL rule output messages at the bottom of
each list and form.
The output message displays the following:
 Context information.
 The results of each type of ACL test.
 Hyperlinks to the ACLs that run on the list or form.



Field level debugging

When debugging is enabled, a small bug icon appears beside each field with an ACL rule.

Clicking the icon lists the ACL rules that apply for the field and the evaluation results.



The End

Useful Links
https://community.servicenow.com/community?id=community_blog&sys_id=24ad62a9dbd0dbc01dcaf3231f961932
https://community.servicenow.com/community?id=community_blog&sys_id=40fd622ddbd0dbc01dcaf3231f9619c1
https://community.servicenow.com/community?id=community_article&sys_id=b08c66e1dbd0dbc01dcaf3231f961975

