
ACL conflict on field level

Abhimanyu Bansa
Giga Expert

Hi All,

If we have two ACLs at the field level, one giving access and the other revoking access, which ACL's result will take effect in the end, and why?

Please find below a screenshot of the two ACL conditions.

[Screenshots: Capture78.PNG, Capture79.PNG]

In my testing it is giving write access in all cases, but I am not finding any cause of this behavior.

4 REPLIES

Chuck Tomasi
Tera Patron

Once you grant access for read, write, etc., any other ACLs on the same table/field are ignored. If, say, task.assignment_group allowed access, and incident.assignment_group declined it, then you would override the ACL on task with the one on incident, but since these are both on incident.assignment_group, they are equal and the grant wins every time.


Any time you have questions about which ACLs are being used and why... this often helps.



ACL debugging tools


Dave Smith1
ServiceNow Employee

If we have two ACL on the field level
one is giving the access and other is revoking the access


An ACL doesn't "revoke access".   It behaves like a key: it grants access.



  • Padlocking a specific table.field and giving the key only to named roles permits those to perform that operation on that field
  • ... which overrides any padlocks on table.*
  • ... which overrides any locks applied to table.NONE


It helps to think of:


  • table.* = lock that lets people in the house
  • table.field = lock that lets people into that specific room in the house.


For all ACLs, you can either specify:


  • multiple roles against one operation = any of those keys opens that particular lock
  • role(s) + condition = lock plus question.   Both need to be satisfied to permit entry (condition true, but one of the roles).
  • multiple ACLs against one operation = multiple doors.   Any of the doors can be opened to gain entry.
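
The behaviour described in the replies from Chuck Tomasi and Dave Smith1 above, as a simplified JavaScript model (an added example, not part of the thread and not ServiceNow's implementation). The table hierarchy, role names and ACL records are constructed for illustration.

```javascript
// Simplified model of the evaluation rules described in the replies above.
// Not ServiceNow code: table hierarchy, role names and ACL records are constructed.
const PARENT = { incident: 'task' }; // assumed: incident extends task

const sampleAcls = [
  // Two ACLs with the same name and operation: one "door" open, one closed.
  { name: 'incident.assignment_group', op: 'write', roles: ['itil'], condition: () => true },
  { name: 'incident.assignment_group', op: 'write', roles: ['itil'], condition: () => false },
  // Less specific ACLs, consulted only when nothing more specific exists.
  { name: 'task.assignment_group', op: 'write', roles: ['task_editor'], condition: () => true },
  { name: 'task.*', op: 'write', roles: [], condition: () => true },
];

// One ACL passes only if the user holds one of its roles AND its condition is true.
// Assumption in this model: an empty role list means no role is required.
function aclPasses(acl, user, record) {
  const roleOk = acl.roles.length === 0 || acl.roles.some((r) => user.roles.includes(r));
  return roleOk && Boolean(acl.condition(record, user));
}

// ACL names to try, most specific first: table.field up the hierarchy, then table.*.
function candidateNames(table, field) {
  const names = [];
  for (let t = table; t; t = PARENT[t]) names.push(`${t}.${field}`);
  for (let t = table; t; t = PARENT[t]) names.push(`${t}.*`);
  return names;
}

// The most specific name that has any ACL for the operation decides the outcome.
// Among ACLs sharing that name, a single passing ACL is enough to grant access.
function checkAccess(acls, user, table, field, op, record = {}) {
  for (const name of candidateNames(table, field)) {
    const matching = acls.filter((a) => a.name === name && a.op === op);
    if (matching.length === 0) continue;
    const passed = matching.filter((a) => aclPasses(a, user, record)).length;
    return { decidedBy: name, evaluated: matching.length, passed, allowed: passed > 0 };
  }
  return { decidedBy: null, evaluated: 0, passed: 0, allowed: false };
}

const itilUser = { roles: ['itil'] };
const editor = { roles: ['task_editor'] };
console.log(checkAccess(sampleAcls, itilUser, 'incident', 'assignment_group', 'write'));
console.log(checkAccess(sampleAcls, editor, 'incident', 'assignment_group', 'write'));
console.log(checkAccess(sampleAcls, editor, 'incident', 'state', 'write'));
```

In this model, adding a second, stricter ACL with the same name never narrows access; the restriction has to go on the ACL that grants.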

Vdimri
Tera Contributor

Hi Abhimanyu ,

Please find the answer below 

In ServiceNow, when there are conflicting Access Control List (ACL) rules at the field level, the rule that will have the final effect depends on the order of evaluation, specifically the "order" field on the ACL record.

ACL rules in ServiceNow have an "order" field, which represents the evaluation order of the ACL rules. Lower numbers have higher priority, meaning they are evaluated first. Higher numbers are evaluated later in the order. If two ACL rules conflict, the one with the higher priority (lower "order" number) will take precedence and have the final effect.

Here's an example to illustrate:

Let's say you have two ACL rules on the same field "incident.state" in the incident table:

ACL Rule 1:

Name: "Give Access"
Condition: Active is true
Script: Allow read access
Order: 100

ACL Rule 2:

Name: "Revoke Access"
Condition: Active is true
Script: Revoke read access
Order: 200

In this scenario, when a user tries to access the "incident.state" field, both rules will be evaluated. Since Rule 1 has a lower "order" (100) than Rule 2 (200), it will be evaluated first, and the user will be granted read access. The second rule will not take effect because the user already has access from the first rule.

In summary, the ACL rule with the lower "order" value will have the final effect in ServiceNow when there are conflicting rules at the field level. To modify the effect of the rules, you can adjust the "order" value accordingly.

Please check what order has been put against each of the ACLs that you have created for assignment group.