Professional Documents
Culture Documents
) Tables
Individual Table Fields
Procedure
1. Elevate privileges to the
security_admin role.
2. Navigate to System
Security > Access Control
(ACL).
3. Click New.
4. Define the object the ACL rule
secures and the permissions
required to access the object.
5. Right-click the form header
and select Save.
2. If an ACL is not found for the specific table/field combination, the system looks for a generic field ACL for that table, where the second
ACL name field is set to *. In the incident example, that would be an ACL whose name is incident.*, as shown in the following example.
3. If it does not find that, then it looks for a generic field ACL that applies to all tables, which would have the name *.*, as shown in the
following example.
The key for field access is that the process works from the very specific to the generic. The search order is as follows:
*.field • *.number
• Eg:
Parent.field task.number
• Eg:
*.* *.*(WildCa
rd)
The system checks for an ACL whose name matches the table the user is trying to access.
The Name label has two drop-down fields on ACL records. The first field is for the table and the second field is for the actual field. So when
you want to check for a table-level ACL, you are looking for ACLs where the second field is set to "--None--". The following example shows
an incident read table-level ACL:
Once the system finds an ACL, the user must pass ALL THREE pieces of security on that ACL record.
1. First, the user has to have one of the roles defined on the roles related list of the ACL.
2. Next, the system evaluates whether a condition is defined in the condition filter and evaluates that condition if present.
3. Finally, the script is evaluated if it is defined. The script must return true for the user or else access is not granted. If no script is defined,
that step is skipped.
If no table-specific ACL is found for the table in question (incident in the example), the system looks for an ACL where the table name
matches a parent table in that table's hierarchy (for example, task is a parent to incident).
If no parent table ACL is defined, it looks for a * rule (applies to all tables when a table-level ACL is not defined).
• Eg:
Table Incident
* • Eg: *
Scenarios:
An ACL that allows you to write on any row level, and denies
access on all field levels, will not allow access to the record,
due to the AND statement between row level and field
level.
What if row level ACLs evaluate to True, and if some field
level ACLs evaluate to true and some do not?
The answer is that it depends on the type of field level ACLs.
1. Those that are read and evaluate to True will allow the field
to display.
2. Those that are read and evaluate to False will prevent the
field from displaying.
3. If the read ACL evaluates to true and the write ACL
evaluates to false, the field will display in read only mode.
© 2014 ServiceNow All Rights Reserved Confidential 9
Access Controls Debugging
When debugging is enabled, a small bug icon appears beside each field with an ACL rule.
Clicking the icon lists the ACL rules that apply for the field and the evaluation results.
Useful Links
https://community.servicenow.com/community?id=community_blog&sys_id=24ad62a9dbd0dbc01dcaf3231f961932
https://community.servicenow.com/community?id=community_blog&sys_id=40fd622ddbd0dbc01dcaf3231f9619c1
https://community.servicenow.com/community?id=community_article&sys_id=b08c66e1dbd0dbc01dcaf3231f961975