Table ACL vs Field ACL

Lisa71 · yesterday

If a table ACL allows everyone to access the table, but there is also a field ACL on a specific field that allows only the admin role, which one takes precedence?
In this case, will everyone be able to access the field because the table ACL is open to all users, or will only admin users be able to access the field due to the field ACL restriction?

Siddhesh Jadhav · 4 hours ago

Hi @Lisa71 .

In ServiceNow, ACLs are evaluated in a specific order, and the most restrictive rule always wins. Think of it like a gate: the table ACL opens the gate to the table, but each field has its own mini-gate.

Table ACL → controls access to the table as a whole.
Field ACL → controls access to individual fields.

Even if the table ACL allows everyone, a restrictive field ACL still applies.

Example:

Table ACL allows everyone → all users can access the table.
Field ACL on field_A allows only admins → only admins can see field_A.

Similarly:

"tablename.*" ACL allows everyone → grants access to all fields by default.
Field ACL restricts field_A to admins → field_A is still visible only to admins.

Key point: Passing the table ACL or a "tablename.*" ACL does not override a more restrictive field ACL. Field ACLs always take precedence.

Thanks, and regards,
Siddhesh Jadhav

Accept my answer if it solved your query.

Lisa71 · 2 hours ago

Thank you all for your answer. However this doesn't match with my testing, that's why I posted this question. I see on change_request.work_note field, we only have one create ACL which is granted to admin. However an general itil user can create work note as well. Something must be wrong then.