ACL - Prevent read access to table (Access Control Level)

Edxavier Robert
Mega Sage

Hi, 

I'm currently working with an integration, but I have a requirement to prevent the integration account from reading the entire table. The use case of the integration is to update fields of a record in cmdb: the operational status, comments and date of retirement. Those are the only fields that this integration account needs to update. What I notice is that it needs read access to the entire table in order to update those fields. I already tried different combinations of ACLs, but with no luck.

I was thinking of creating a staging table to receive the information and then processing it with a business rule or a flow; that way the integration account will have create-only access.

Any suggestions?

4 REPLIES

SVimes
Kilo Sage

I'm assuming the ACL allows access if the data conditions are met. If that data condition is showing far too much data, I suspect that the filter you've applied is not set up properly. Have you applied the filter to the table to ensure it works as expected? One thought I have on this is applying a data condition that restricts access to records created by the integration user, which is: Created by is javascript:gs.getUserName();

Sable Vimes - CSA

Hi @SVimes , 

Thanks for your reply. So, those records are not created through the integration. Those are CI records that are created through ServiceNow Discovery. But we are using Kelverion (Orchestrator tool) to update the CI when it gets retired.

That is helpful to know you can't use sys_created_by as part of the filter, but what about the rest of the filter? Regardless of being an ACL, Scripted REST API, or import staging table with corresponding transform maps/scripts, there are certain values on these records that you would use to determine whether or not the service should have access. Have you determined what those field-value pairs are? If so, what is the full filter that you have tried to restrict the service account's read access to?

Sable Vimes - CSA

Ankur Bawiskar
Tera Patron

@Edxavier Robert 

I would suggest using a Scripted REST API rather than the OOTB Table API.

This will give you control over what happens when the API is consumed.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
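
The Scripted REST API approach suggested above, sketched as an added example that is not part of the original thread: a fail-closed allow-list that accepts only the three fields the integration needs and never returns record data. The column names (in particular `retirement_date`) and the value formats are assumptions; the trailing comment shows how a resource script would apply the result.

```javascript
// Added example: validation for an update-only Scripted REST resource.
// Column names are assumptions; replace them with the real cmdb column names.
var ALLOWED_FIELDS = {
  operational_status: /^\d{1,3}$/,         // choice value, sent as an integer
  comments: /^[\s\S]{0,4000}$/,            // free text, length-capped
  retirement_date: /^\d{4}-\d{2}-\d{2}$/   // hypothetical column, YYYY-MM-DD format only
};
var SYS_ID = /^[0-9a-f]{32}$/;

// Returns {status, fields} on success or {status, error} on rejection.
// Nothing read from the CI is ever placed in the result.
function buildCiUpdate(sysId, body) {
  if (typeof sysId !== 'string' || !SYS_ID.test(sysId)) {
    return { status: 400, error: 'invalid sys_id' };
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { status: 400, error: 'body must be a JSON object' };
  }
  var names = Object.keys(body);
  if (names.length === 0) {
    return { status: 400, error: 'no fields supplied' };
  }
  var fields = {};
  for (var i = 0; i < names.length; i++) {
    var name = names[i];
    var raw = body[name];
    // Any field outside the allow-list rejects the whole request.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_FIELDS, name)) {
      return { status: 403, error: 'field not permitted: ' + name };
    }
    if ((typeof raw !== 'string' && typeof raw !== 'number') ||
        !ALLOWED_FIELDS[name].test(String(raw))) {
      return { status: 400, error: 'invalid value for ' + name };
    }
    fields[name] = String(raw);
  }
  return { status: 204, fields: fields };
}

// In the resource script (GlideRecord does not evaluate table ACLs, so the
// integration account needs access to this endpoint only, not to the table):
//   var r = buildCiUpdate(request.pathParams.sys_id, request.body.data);
//   if (r.error) { response.setStatus(r.status); response.setBody({ error: r.error }); return; }
//   var gr = new GlideRecord('cmdb_ci');
//   if (!gr.get(request.pathParams.sys_id)) { response.setStatus(404); return; }
//   for (var f in r.fields) { gr.setValue(f, r.fields[f]); }
//   gr.update(); response.setStatus(204);
```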