Deny Unless ACL on field Level is not working as expected in scoped application
01-03-2025 11:00 AM - edited 01-20-2025 06:32 AM
To explore the Deny Unless ACL, I've tried the below scenario in my PDI:
- I have created a new field 'External ID' in the HR Case (sn_hr_core_case) table.
- I have created one 'Allow If' ACL and one 'Deny Unless' ACL for the new field as below:
'Allow If' ACL:
'Deny Unless' ACL:
sn_hr_core.external_id_viewer - This is the custom role which I have created.
- To test this ACL I have taken two users:
- Roger Seid - Has 'sn_hr_core.case_reader'
- Rosalie Krigger - Has 'sn_hr_core.case_reader' and 'sn_hr_core.external_id_viewer'.
My expectation was that Roger should not see the field: since Roger doesn't have the 'sn_hr_core.external_id_viewer' role, the 'Deny Unless' ACL evaluates to false and denies access. - This is working as expected.
On the other hand, Rosalie should see the 'External ID' field, because Rosalie has the 'sn_hr_core.external_id_viewer' role, which helps to pass the 'Deny Unless' ACL, and Rosalie also has the 'sn_hr_core.case_reader' role, which helps to pass the 'Allow If' ACL to give read access to the 'External ID' field. - This is not working as expected.
Rosalie is able to see only the 'External ID' column in the list view, but the values are not visible. Additionally, in the form, the field itself is not visible.
As I mentioned earlier, I have only two ACLs for this field.
When I tried checking using Access Analyzer, I can see the table ACL itself is getting skipped.
I tried the same scenario in the change request table, which is in the global application, where it worked. But in the scoped application Human Resource: Core it didn't work.
Appreciate any help!
01-04-2025 12:10 AM
Hi @Praveen0708 ,
Only the 1st ACL is required; it will take care of the else part.
-------------------------------------------------------------------------
If you found my response helpful, please consider selecting "Accept as Solution" and marking it as "Helpful." This not only supports me but also benefits the community.
Regards
Runjay Patel - ServiceNow Solution Architect
YouTube: https://www.youtube.com/@RunjayP
LinkedIn: https://www.linkedin.com/in/runjay
-------------------------------------------------------------------------
01-17-2025 02:15 AM - edited 01-17-2025 02:16 AM
In your post, you mention giving Rosalie the role "sn_hr_core.profile_reader", but the Allow ACL you configured is for the role "sn_hr_core.case_reader".
Was that just a typo, or is case_reader included in profile_reader (I'm not familiar with the role structure of HR)? Because if not, that would certainly explain the behaviour.
02-09-2025 07:33 AM
Hi @Max Nowak, thanks for pointing it out. Yes, it was a typo. I've corrected it now.
- Roger Seid - Has 'sn_hr_core.case_reader'
- Rosalie Krigger - Has 'sn_hr_core.case_reader' and 'sn_hr_core.external_id_viewer'.