Introduction
If you’ve ever worked with ServiceNow ACLs (Access Control Lists), you know they can seem confusing and intimidating at first glance. With elements like operations (RWCD), table-level and field-level ACLs, parent and child ACLs, scripts, roles, and conditions—the list is endless.
Today, we’ll focus on one teeny tiny but powerful field in the Access Control table: Decision Type. This tiny field offers two options—Allow If and Deny Unless—and while they sound similar, they behave very differently. Let’s dive in and understand their functionality with examples.
What is the Decision Type Field in ServiceNow?
The Decision Type field determines how ACL rules are evaluated. It provides two choices:
- Allow If
- Deny Unless
At first glance, these seem to mean the same thing. But in reality, they follow different execution logic.
How Do They Work?
Here’s the key difference:
- Deny Unless ACLs are executed before Allow If ACLs.
- You must satisfy every Deny Unless ACL to proceed.
- If you fail even one applicable Deny Unless ACL, access is denied immediately.
- If you pass all Deny Unless ACLs, you are then evaluated against Allow If ACLs. Passing at least one Allow If ACL grants access.
Important Points to Remember
- Passing only Deny Unless ACLs is not enough. You need at least one Allow If ACL.
- If no Allow If ACL exists on the table, parent Allow If ACLs apply (default ACL behavior).
Example Scenario:
Let’s use a custom table called “Star Wars Universe” for simplicity. We’ll create four roles and a few ACLs:
Roles
- Kylo Ren Fan
- Darth Vader Fan
- Obi-Wan Kenobi Fan
- Han Solo Fan
ACLs
- ACL 1: Table Level – Read – Deny Unless (Role: Obi-Wan Kenobi Fan)
- ACL 2: Table Level – Read – Deny Unless (Role: Han Solo Fan)
- ACL 3: Table Level – Read – Allow If (Role: Darth Vader Fan)
- ACL 4: Table Level – Read – Allow If (Role: Kylo Ren Fan)
- ACL 5: Field Level – Read – Allow If (Role: Darth Vader Fan)
- ACL 6: Field Level – Read – Allow If (Role: Kylo Ren Fan)
Now, let’s create a user called “Random Movie Fan” and assign roles in different combinations:
Case 1: Only the Obi-Wan Kenobi Fan role
- Passes one Deny Unless ACL but not all of them.
- Result: Access denied at the page level.
Case 2: Add the Han Solo Fan role as well
- Passes all Deny Unless ACLs but fails every Allow If ACL.
- Result: Still denied (the same access-denied page is shown, rather than the table list view with zero records).
Case 3: Add the Darth Vader Fan or Kylo Ren Fan role
- Passes all Deny Unless ACLs and at least one Allow If ACL.
- Result: You guessed it. Full access to the table and its records.
Note: If no Allow If ACLs exist and the user passes all Deny Unless ACLs, the user will see the table list columns, and parent table ACLs will apply.
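To make the evaluation order concrete, here is an added example (my own model, not code from the article or from ServiceNow) that replays the three cases above for a table-level read. The table names, role names and the hypothetical child table are constructed; real ACLs also carry conditions and scripts, and field-level ACLs are left out.

```javascript
// Constructed data modelling ACLs 1-4 from the scenario (table-level read only).
// Table and role names are made up; a real ACL would also have conditions/scripts.
const ACLS = [
  { id: 'ACL 1', table: 'u_star_wars_universe', decision: 'deny_unless', role: 'obi_wan_kenobi_fan' },
  { id: 'ACL 2', table: 'u_star_wars_universe', decision: 'deny_unless', role: 'han_solo_fan' },
  { id: 'ACL 3', table: 'u_star_wars_universe', decision: 'allow_if',    role: 'darth_vader_fan' },
  { id: 'ACL 4', table: 'u_star_wars_universe', decision: 'allow_if',    role: 'kylo_ren_fan' },
];

// Hypothetical child table with no ACLs of its own, to show the parent fallback.
const PARENT_OF = { u_sith_lords: 'u_star_wars_universe' };

function evaluateRead(table, userRoles, acls = ACLS, parentOf = PARENT_OF) {
  const onTable = acls.filter(a => a.table === table);

  // Step 1: every Deny Unless ACL on the table must pass; the first failure denies.
  for (const acl of onTable.filter(a => a.decision === 'deny_unless')) {
    if (!userRoles.includes(acl.role)) {
      return { allowed: false, reason: `failed Deny Unless ${acl.id}` };
    }
  }

  // Step 2: at least one Allow If ACL must pass. If the table defines none,
  // walk up to the nearest parent table that does (the default behaviour).
  let allowIf = onTable.filter(a => a.decision === 'allow_if');
  let t = table;
  while (allowIf.length === 0 && parentOf[t]) {
    t = parentOf[t];
    allowIf = acls.filter(a => a.table === t && a.decision === 'allow_if');
  }
  const passed = allowIf.find(a => userRoles.includes(a.role));
  return passed
    ? { allowed: true, reason: `passed Allow If ${passed.id}` }
    : { allowed: false, reason: 'passed all Deny Unless ACLs but no Allow If ACL' };
}

// The three role combinations given to "Random Movie Fan" in the article.
const CASES = {
  case1: ['obi_wan_kenobi_fan'],
  case2: ['obi_wan_kenobi_fan', 'han_solo_fan'],
  case3: ['obi_wan_kenobi_fan', 'han_solo_fan', 'darth_vader_fan'],
};
for (const [name, roles] of Object.entries(CASES)) {
  console.log(name, evaluateRead('u_star_wars_universe', roles));
}
```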
Here is a simple image which sums up the whole thing. I know I could have added the image earlier, but that would have made you miss all the fun.
I’ve tried to keep this article focused specifically on the Decision Type field. However, as explained above, ACLs involve much more than that. Below, I’ll share some additional ServiceNow documentation links to help you understand the remaining ACL configurations.
Further Reading