ACL

spandanam
Tera Contributor

If there are two ACLs with the same roles and conditions, and one ACL allows a user to edit a field while the other denies the same user access to edit the same field, which one works?


Adrian Ubeda
Mega Sage

Hello @spandanam ,
If both ACLs are true, in this case the decision type of the ACL is going to be the one which makes the difference. Deny unless rules are evaluated first.

Check ACL execution: https://www.servicenow.com/community/platform-analytics-forum/acl-execution-order/m-p/3075115
Check explanation of deny unless vs allow if: https://www.servicenow.com/community/developer-forum/how-is-quot-deny-unless-quot-different-from-quo...

If it was helpful, please give positive feedback! ✔
☆ Community Rising Star 22, 23 & 24 ☆

Aditya_hublikar
Kilo Sage

Hello @spandanam ,

 

As per your question, I created 2 ACLs:

ACL 1:

Read access, table.none, Role: Role1

ACL 2:

Read access, Table.none, advanced checked.

In script:

// Set answer to false when the current user has Role1
if (gs.getUser().hasRole('Role1')) {
    answer = false;
}

 


 

Still, the user with Role A has read access; here it works like:

TRUE + FALSE = TRUE (Access Granted)
FALSE + FALSE = FALSE (Access Denied)

 

If this helps you then mark it as helpful and accept as solution.

Regards,

Aditya

 

yashkamde
Kilo Sage

Hello @spandanam ,

I tried this on my personal PDI; there I can see the following:

-> I created these two ACLs and there I assigned the same roles and condition.


 

 

-> After that I observed that the one ACL that allows a user to edit a field is getting the priority, although in some cases there may be ambiguity depending upon the conditions and also other configuration conflicts.

 


 

If my response helped mark as helpful and accept the solution.

lauri457
Tera Sage

You need to pass one allow-if ACL to have access. For deny-unless, you need to pass all to have access, but you also need to pass the allow-if ACL if there are any.

 

Think of allow-if ACLs as a list of who is allowed to do something, not who is denied doing something. The default is or should be deny (sysprop glide.sm.default_mode).
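
The rule described in the replies above, written out as a small JavaScript model. This is an added example, not part of the thread and not ServiceNow's own code: `aclPasses`, `evaluateAccess`, the `decisionType` strings and the sample user are hypothetical names, and the fallback to the default mode when no allow-if ACL exists is an assumption of this model.

```javascript
// Simplified model of the rule described in this thread; not ServiceNow's engine.
// An ACL passes only when its role, condition and script checks all pass.
function aclPasses(acl, user) {
  const roleOk = !acl.roles || acl.roles.length === 0 ||
    acl.roles.some((r) => user.roles.includes(r));
  const conditionOk = acl.condition ? acl.condition(user) : true;
  const scriptOk = acl.script ? acl.script(user) : true;
  return roleOk && conditionOk && scriptOk;
}

// acls: every ACL matching the same table/field and operation.
// defaultMode stands in for glide.sm.default_mode ('deny' or 'allow').
function evaluateAccess(acls, user, defaultMode = 'deny') {
  const denyUnless = acls.filter((a) => a.decisionType === 'deny-unless');
  const allowIf = acls.filter((a) => a.decisionType === 'allow-if');

  // Every deny-unless ACL must pass; one failure denies outright.
  const failed = denyUnless.find((a) => !aclPasses(a, user));
  if (failed) return { granted: false, reason: `failed deny-unless: ${failed.name}` };

  // Assumption of this model: with no allow-if ACL, fall back to default mode.
  if (allowIf.length === 0) {
    return { granted: defaultMode === 'allow', reason: `default mode: ${defaultMode}` };
  }

  // One passing allow-if ACL is enough, whatever the other allow-if ACLs return.
  const passed = allowIf.find((a) => aclPasses(a, user));
  return passed
    ? { granted: true, reason: `passed allow-if: ${passed.name}` }
    : { granted: false, reason: 'no allow-if ACL passed' };
}

// Constructed sample data mirroring the two ACLs tested in the thread.
const user = { name: 'constructed.user', roles: ['Role1'] };
const roleAcl = { name: 'ACL1', decisionType: 'allow-if', roles: ['Role1'] };
const scriptAcl = (decisionType) => ({
  name: 'ACL2',
  decisionType,
  // false for Role1 holders, as in the thread; true otherwise is assumed here.
  script: (u) => !u.roles.includes('Role1'),
});

console.log(evaluateAccess([roleAcl, scriptAcl('allow-if')], user));
console.log(evaluateAccess([roleAcl, scriptAcl('deny-unless')], user));
```

With both ACLs as allow-if the user is granted access through ACL1, matching the TRUE + FALSE = TRUE result above; switching ACL2 to deny-unless denies the same user.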