ACL Processing Order Specific to General Meaning

Justin Little
Tera Contributor

Can someone please explain the ACL processing order mentioned below? The ServiceNow documentation states that table ACL rules are evaluated first and then field ACL rules. I do not understand how this is specific to general; a table is more general than a field on the table.

Here is a link to the ServiceNow documentation: https://docs.servicenow.com/bundle/vancouver-platform-security/page/administer/contextual-security/c...

[Image: ServiceNow ACL Doc Picture.PNG]

1 ACCEPTED SOLUTION

@Justin Little

Here's how to understand this; I must also admit it's quite confusing, to say the least:

Processing Order: The ACL rules are checked in a sequence where table-level (general) permissions are assessed first, followed by field-level (specific) permissions. This is the operational or technical order of processing.

Conceptual Understanding of Access: Conceptually, even though the more general table-level permissions are checked first, access to a specific object (like a field) is only 'realized' or 'granted' after passing through the more specific field-level permissions. In other words, the user's effective access to specific objects (fields) is determined after the general permissions (table-level) are cleared.

So, while the operational order is from general to specific (table then field), the actual granting of access (conceptually) to specific objects (fields) is considered the final step. The phrasing in the documentation might be highlighting this conceptual viewpoint rather than the literal sequence of checks.

4 REPLIES

Ravi Chandra_K
Kilo Patron

Hello @Justin Little 

Greetings!

Out of all the explanations for ACLs, I like the analogy below most.

Imagine a house (table) has a lock, and it has a lot of cupboards (fields) with separate locks.

If you want to access a cupboard, you should have access to the house first.

So you should have the house lock along with the specific cupboard lock.

Now the explanation below makes sense: even if a user has the field ACL, if the user has no access to the table, then the user cannot access the field. (Obvious.)

[Image: RaviChandra_K_0-1692944579936.png]

Please mark the answer as correct and helpful if it helped!

Kind Regards,

Ravi Chandra.
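The two-step evaluation from the accepted solution (table ACL checked first, field ACL second) and Ravi's house-and-cupboard analogy, modelled as a small JavaScript example added here. It is not ServiceNow's own code: the rule list, the role names, the deny-by-default behaviour and the simplified "exact field, then `table.*`" lookup are constructed assumptions, and a real instance's search for the most specific rule is richer than this.

```javascript
// Constructed ACL rules (assumed data, not exported from an instance).
// name is "table" for a table-level rule or "table.field" / "table.*" for a
// field-level rule; roles lists the roles any one of which satisfies the rule.
const ACL_RULES = [
  { name: 'incident',                   operation: 'read',  roles: ['itil'] },
  { name: 'incident',                   operation: 'write', roles: ['itil'] },
  { name: 'incident.short_description', operation: 'write', roles: ['itil'] },
  { name: 'incident.priority',          operation: 'write', roles: ['itil_admin'] },
  { name: 'incident.*',                 operation: 'write', roles: ['itil'] },
];

// A single ACL passes when the user holds at least one of its roles.
function rulePasses(rule, user) {
  return rule.roles.some((role) => user.roles.includes(role));
}

// Most specific field rule wins: "table.field" before the "table.*" wildcard.
function findFieldRule(table, field, operation) {
  const exact = ACL_RULES.find((r) => r.name === `${table}.${field}` && r.operation === operation);
  if (exact) return exact;
  return ACL_RULES.find((r) => r.name === `${table}.*` && r.operation === operation) || null;
}

// Evaluate access to one field. Returns { granted, trace }, where trace records
// the order in which rules were consulted. Assumption: no matching rule = deny.
function checkFieldAccess(user, table, field, operation) {
  const trace = [];
  const tableRule = ACL_RULES.find((r) => r.name === table && r.operation === operation);
  trace.push(`table:${table}`);
  if (!tableRule || !rulePasses(tableRule, user)) {
    // The house is locked, so the cupboard lock is never even tried.
    return { granted: false, trace };
  }
  const fieldRule = findFieldRule(table, field, operation);
  trace.push(`field:${fieldRule ? fieldRule.name : 'none'}`);
  // Access is only "realized" once the more specific field rule also passes.
  return { granted: Boolean(fieldRule) && rulePasses(fieldRule, user), trace };
}

// Demo: itil_admin would satisfy the field ACL on priority, but the table ACL
// fails first, so the field rule is never consulted; itil passes the table ACL
// and is then stopped by the field ACL.
console.log(checkFieldAccess({ roles: ['itil_admin'] }, 'incident', 'priority', 'write'));
console.log(checkFieldAccess({ roles: ['itil'] }, 'incident', 'priority', 'write'));
```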

@Ravi Chandra_K I like your analogy; however, reading it makes it seem like users are granted access to general objects first (table) and then specific objects (fields). ServiceNow states it is the opposite (underlined in red in my original question).


Lovely explanation @Amit_Sharma 👍