I'm new to ServiceNow and I'm trying to do something that *should* be easy...but I must be missing something obvious.   I have the need to restrict access (read access in this example) to a particular field (IP Address) on the cmdb_ci table based on a user role AND the value of another field (Category) on the table.

Specifically, if the Category of the record is "CIP Asset", read access should only be granted to those with the "Talen_Read_CCAI" role.   If the category is anything else, users without the "Talen_Read_CCAI" role should have read access.

I've created the following ACL, which works perfectly except for anyone who has the "admin" role.   They have read access to the IP Address field on "CIP Asset" items regardless of the ACL being in place and not having the "Talen_Read_CCAI" role:

Access Control

Type: record

Operation: read

Name: cmdb_ci.ip_address

Active: yes

Admin overrides: no

Condition: none

Script:

        answer = ((current.category!='CIP Asset') || gs.hasRole('Talen_Read_CCAI'));

Required roles: none

It almost seems that admin override is still enabled, even though the checkbox is not checked on the ACL.

Any input would be appreciated.   It's a Eureka instance.

Best regards.

Marty