ACL for allowing table access but not field access

HaniyaH
Tera Contributor

Hi,

I have a story requirement to create some read ACLs for the core_company table. The requirement is to have the table visible to a REST user, but some fields should not be visible (e.g. spoofing rating, authorize payments, etc.).

I have created and given a data_reader role to the REST user. 

I have created a table-level read ACL for the core_company table (with none for the fields) and given the role data_reader in that ACL, so this grants the REST user read access to the table, but I am not sure how to prevent access to some fields.

I created another read ACL for the same table but for the spoofing rating field, but I cannot leave the roles blank; if I do, I get this pop-up:

IMG_6731.jpeg

And I have to choose a role. Clicking OK doesn't work; it keeps coming up when I try to make it. I don't know what a security attribute is. I chose a random one but I'm not sure if that is what is needed.


I also tried to script answer=false; inside the script of the ACL but got this:

IMG_6734.jpeg

Not sure what to do to prevent this REST user from seeing these fields while still allowing them to see the table.

Thanks for the help!

2 ACCEPTED SOLUTIONS

@HaniyaH 

You can always create the ACL in the correct scope, the same as that of the table, and move that update set along with your other scope update sets.

I believe I have provided the guidance and you can take it further from here.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader


Harmeet2Singh
Tera Expert

As per the image you added, you are using a deny-unless ACL; that should not be used for this case.

One ACL to give access at table level, which you have created, is perfect. (tablename. blank)

Now you need to create a read ACL for all the fields you want to show to that user, tablename.fieldname.

Just ignore the ACLs for the fields you don't want that user to have read access to.

Hope this will resolve your issue.

Thanks

Harmeet
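
A check one could run after setting up the ACLs described in the answer above, as an added example that is not part of the original thread: feed it the JSON body of a Table API GET on core_company (shape `{ "result": ... }`) made as the REST user, and it lists restricted fields that still carry data. The column names are hypothetical placeholders, and it assumes a field blocked by a read ACL appears missing or empty in the response.

```javascript
// Added example. The restricted column names are hypothetical placeholders;
// replace them with the real core_company column names on your instance.
const RESTRICTED_FIELDS = ['u_spoofing_rating', 'u_authorize_payments'];

// A Table API field is a plain string, a reference object ({link, value}),
// or, with sysparm_display_value=all, {display_value, value}.
function rawValue(field) {
  if (field === null || field === undefined) return '';
  if (typeof field === 'object') {
    return String(field.value || field.display_value || '');
  }
  return String(field);
}

// Returns one finding per restricted field that carries data in the response.
// A boolean "false" still counts: the caller learned the stored value.
function findExposedFields(body, restricted = RESTRICTED_FIELDS) {
  // A single-record GET returns an object in "result"; a query returns an array.
  const records = Array.isArray(body.result) ? body.result : [body.result];
  const findings = [];
  for (const record of records) {
    if (!record) continue;
    for (const field of restricted) {
      if (rawValue(record[field]) !== '') {
        findings.push({ sys_id: rawValue(record.sys_id) || '(unknown)', field });
      }
    }
  }
  return findings;
}

// Constructed sample response (not captured from a real instance).
const SAMPLE_RESPONSE = {
  result: [
    { sys_id: 'a1', name: 'Acme', u_spoofing_rating: 'high' },
    { sys_id: { display_value: 'b2', value: 'b2' }, name: 'Globex',
      u_spoofing_rating: '',
      u_authorize_payments: { display_value: 'false', value: 'false' } },
    { sys_id: 'c3', name: 'Initech' },
  ],
};

for (const f of findExposedFields(SAMPLE_RESPONSE)) {
  console.log(`record ${f.sys_id}: restricted field "${f.field}" is readable`);
}
```

An empty result for a representative set of records, queried with the REST user's own credentials, is the outcome to expect once the field-level ACLs are in place.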


13 REPLIES

@HaniyaH 

You can only select fields in the same scope as that of the ACL you are creating.


Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

HaniyaH
Tera Contributor

Ended up taking a very different approach to this work, by only giving read-only roles to the relevant user. Making ACLs would have caused a lot of problems for so many fields, because then they would be locked down for everyone and it would become very long to grant access to those tables and fields to all who needed them. Thanks for all the help, everyone.

@HaniyaH 

Glad to help.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader