Access control list not working

AnthonyMull
Tera Contributor

Hi all,

I am implementing ACLs and I am expecting a user to stop seeing records; however, this is not working.

I would like to see why ACLs are not firing and stopping the user. Is there an easy way to see this?

What are the steps to achieve this?

Kind regards


Tanushree Maiti
Giga Sage

First try to:

  • Debug Security Rules: Navigate to System Diagnostics > Debug Security Rules while impersonating the affected user. This will show exactly which ACL is granting access (labeled in green) and which is restricting it (labeled in red).
  • Check on the same table whether any other Read ACL is conflicting.

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect

Hi,

Thank you for your help. I tried this, and I can see one rule is blocking but another rule is allowing the record to be seen.

Is this because, with the Allow if rules, only one has to match, so the one blocking is superseding? Is that correct?

Thanks in advance.

@AnthonyMull ,

If one allow-if ACL is giving access, then the user will see the records until and unless there is a deny-if ACL.

So to stop the user from seeing records, you can change the ACL which is blocking him from the restriction to deny-if. Here, what happens is that if one deny-if ACL is blocking, then it won't check for the allow-if ACL.

If my response helps, mark it as helpful and accept the solution.

lauri457
Tera Sage

You don't have to pass all ACLs, just one at that particular level to be given that access. If you need an explicit deny, then you are probably better off using a deny unless ACL, depending on your use case.
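
A simplified model of the evaluation the replies above describe, added here as an example; it is not part of the thread and is not ServiceNow code. The `evaluateAcls` helper, the user, the roles and the rule names are hypothetical, and the model assumes every rule applies to the same table, operation and level.

```javascript
// Simplified model of the evaluation discussed in the thread (not ServiceNow code).
// Assumption: all rules target the same table, operation and level.
function ruleMatches(rule, user) {
  const roleOk = rule.roles.length === 0 ||
    rule.roles.some((role) => user.roles.includes(role));
  const conditionOk = rule.condition ? rule.condition(user) : true;
  return roleOk && conditionOk;
}

function evaluateAcls(rules, user) {
  const trace = rules.map((rule) => ({
    name: rule.name, type: rule.type, passed: ruleMatches(rule, user),
  }));
  const failedDeny = trace.filter((r) => r.type === 'deny-unless' && !r.passed);
  const passedAllow = trace.filter((r) => r.type === 'allow-if' && r.passed);
  if (failedDeny.length > 0) {
    // A failed deny-unless rule blocks access; passing allow-if rules are ignored.
    return { granted: false, decidedBy: failedDeny[0].name, trace };
  }
  if (passedAllow.length > 0) {
    // One passing allow-if rule is enough; failed allow-if rules do not block.
    return { granted: true, decidedBy: passedAllow[0].name, trace };
  }
  return { granted: false, decidedBy: null, trace }; // nothing granted access
}

// Constructed sample data: user, roles and rule names are hypothetical.
const user = { name: 'sample.user', roles: ['itil'] };
const before = [
  { name: 'read: managers only', type: 'allow-if', roles: ['manager'] },
  { name: 'read: itil', type: 'allow-if', roles: ['itil'] },
];
// Same rules, with the restrictive one changed to deny-unless.
const after = [
  { ...before[0], type: 'deny-unless' },
  before[1],
];

for (const [label, rules] of [['before', before], ['after', after]]) {
  const result = evaluateAcls(rules, user);
  console.log(label, result.granted ? 'GRANTED' : 'DENIED', 'by', result.decidedBy);
  for (const r of result.trace) {
    console.log(`  ${r.passed ? 'pass' : 'fail'}  ${r.type}  ${r.name}`);
  }
}
```

The per-rule trace mirrors what Debug Security Rules shows for the impersonated user: in the `before` set one rule fails and one passes, and the record is still visible.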
