ACL for allowing table access but not field access

HaniyaH
Tera Contributor

Hi,

I have a story requirement to create some read ACLs for the core_company table. The requirement is to have the table visible to a REST user, but some fields should not be visible (e.g. spoofing rating and authorize payments, etc.).

 

I have created and given a data_reader role to the REST user. 

I have created a read table level ACL for the core_company table and none is for the fields and given the role data_reader in that ACL - so this grants the REST user read access to the table but I am not sure how to prevent access to some fields.

 

I created another read ACL for the same table but for the spoofing rating field, but I cannot leave the roles blank; if I do, then I get this pop-up:

IMG_6731.jpeg

And I have to choose a role. Clicking OK doesn’t work; it keeps coming up when I try to make it. I don’t know what a security attribute is. I chose a random one but am not sure if that is what is needed.

 


I also tried to script answer=false; inside the script of the ACL but got this:

IMG_6734.jpeg

Not sure what to do to prevent this REST user from seeing these fields while allowing them to see the table.

Thanks for the help!

2 ACCEPTED SOLUTIONS

@HaniyaH 

You can always create ACL in the correct scope as that of the table and move that update set along with your other scope update sets.

I believe I have provided the guidance and you can take it further from here.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader


Harmeet2Singh
Tera Expert

As per the image you added, you are using a deny-unless ACL; that should not be used for this case.

 

One ACL to give access at table level, which you have created, is perfect. (tablename. blank)

Now you need to create read ACLs for all the fields you want to show to that user: tablename.fieldname

Just ignore the ACLs for the fields you don't want that user to have read access to.

 

Hope this will resolve your issue.

Thanks

Harmeet

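One way to confirm the result of the ACL setup discussed in this thread is to call the Table API as the REST user and audit the JSON that comes back. The script below is an added example, not code from any post in the thread: the two restricted column names are hypothetical placeholders for the "spoofing rating" and "authorize payments" fields, the sample responses are constructed, and it assumes a field denied by a read ACL is left out of the Table API response.

```javascript
// Added example (not from the thread): audit a Table API response for fields
// the integration user must not be able to read.
// ASSUMPTION: hypothetical column names; replace with the real ones.
const RESTRICTED_FIELDS = ['u_spoofing_rating', 'u_authorize_payments'];

// With sysparm_display_value=all each field is {value, display_value};
// otherwise it is a plain string. Reduce both shapes to the raw value.
function rawValue(v) {
  if (v !== null && typeof v === 'object') return v.value ?? v.display_value ?? '';
  return v ?? '';
}

// Returns one finding per restricted field present in any record.
// A present key is a finding even when empty; `populated` marks real data.
function findExposedFields(responseBody, restricted = RESTRICTED_FIELDS) {
  const body = typeof responseBody === 'string' ? JSON.parse(responseBody) : responseBody;
  // A list GET returns result as an array, a single-record GET as an object.
  const records = Array.isArray(body.result) ? body.result : [body.result];
  const findings = [];
  for (const rec of records) {
    if (!rec) continue;
    for (const field of restricted) {
      if (Object.prototype.hasOwnProperty.call(rec, field)) {
        findings.push({
          sys_id: rawValue(rec.sys_id) || '(unknown)',
          field,
          populated: String(rawValue(rec[field])) !== '',
        });
      }
    }
  }
  return findings;
}

// Constructed sample: what a response looks like if the field ACLs did not take effect.
const SAMPLE_LEAKY = JSON.stringify({ result: [
  { sys_id: 'aaaa1111', name: 'Example Supplier A', u_spoofing_rating: 'high' },
  { sys_id: 'bbbb2222', name: 'Example Supplier B', u_authorize_payments: '' },
] });
// Constructed sample: the intended result, restricted columns absent.
const SAMPLE_CLEAN = { result: [
  { sys_id: { value: 'cccc3333', display_value: 'cccc3333' },
    name: { value: 'Example Supplier C', display_value: 'Example Supplier C' } },
] };

console.log(findExposedFields(SAMPLE_LEAKY)); // two findings
console.log(findExposedFields(SAMPLE_CLEAN)); // []
```

Run it against a response fetched with the REST user's credentials, not an admin's, since admin access would mask the ACL result.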

13 REPLIES

Ankur Bawiskar
Tera Patron

@HaniyaH 

You are creating the ACL in which scope?

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Hi @Ankur Bawiskar I am creating the ACL in the third party risk management scope. All the other ACLs for this table (for other work) are in this scope too.

@HaniyaH 

It's out-of-the-box platform behavior if you create a field-level ACL outside the scope of the table.

core_company is in Global scope and you are creating your ACL in another scope.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

…OK, so should I make this in global scope then?

 

I also had some other work to make ACLs for other tables like x_lbg_bim_incident and x_lbg_bim_csim_action table.

 

These are custom tables and I made the ACLs for them in the BIM scope. Their requirements were not to hide fields but the opposite: that the user should not be able to access the whole table but certain fields. Should they have also been made in global instead of BIM?

 

To check which scope the ACL should be made in, should I navigate to the tables in global scope and see if I can edit them or make new records on them?


Also, for the BIM and CSIM action tables there are a lot of fields which the user should be able to access. I have been creating the ACLs individually, but is there a way to create one with all the fields?

I know it’s irrelevant to the question I asked but it would be great to get clarification on it. I think I might have made everything wrong so far 😕