Deny Unless ACL on field Level is not working as expected in scoped application

Praveen0708

To explore the Deny Unless ACL, I've tried the below scenario in my PDI:

  1. I have created a new field 'External ID' in the HR Case (sn_hr_core_case) table.
     (screenshot of the new field)
  2. I have created one 'Allow If' ACL and one 'Deny Unless' ACL for the new field as below:
     'Allow If' ACL: (screenshot)
     'Deny Unless' ACL: (screenshot)
     sn_hr_core.external_id_viewer - This is the custom role which I have created. (screenshot of the role)
  3. To test this ACL I have taken two users:
     1. Roger Seid - has 'sn_hr_core.case_reader'
     2. Rosalie Krigger - has 'sn_hr_core.case_reader' and 'sn_hr_core.external_id_viewer'.

My expectation was that Roger should not see the field: since Roger doesn't have 'sn_hr_core.external_id_viewer', the 'Deny Unless' ACL evaluates to false and denies access. - This is working as expected.

On the other hand, Rosalie should see the 'External ID' field, because Rosalie has the 'sn_hr_core.external_id_viewer' role, which passes the 'Deny Unless' ACL, and Rosalie also has the 'sn_hr_core.case_reader' role, which passes the 'Allow If' ACL and gives read access to the 'External ID' field. - This is not working as expected.

Rosalie is able to see only the 'External ID' column in the list view, but the values are not visible. Additionally, in the form the field itself is not visible.

(screenshot of the list view and form)

As I mentioned earlier, I have only two ACLs for this field.

(screenshot of the ACL list)

When I tried checking using Access Analyzer, I can see the table ACL itself is getting skipped.

(screenshot of the Access Analyzer result)

I tried the same scenario in the Change Request table, which is a global application, where it worked. But in the scoped application Human Resource: Core it didn't work.

Appreciate any help !

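As an added illustration (not part of the original post and not ServiceNow's own evaluation code), the following JavaScript models how the post expects 'Allow If' and 'Deny Unless' rules to combine for a field read: every 'Deny Unless' rule must pass, at least one 'Allow If' rule must pass, and the table-level read ACL is checked before the field-level one. The ACL records, the table-level read ACL and the field name u_external_id are constructed assumptions; the role names and the two users are the ones from the post. Only the Roles condition of a rule is modelled, not Condition or Script.

```javascript
// Added illustration of how "Allow If" and "Deny Unless" ACL rules combine
// for a field read. This is a model, not ServiceNow's evaluation engine.

// Constructed ACL records mirroring the post. The field name u_external_id
// and the table-level read ACL are assumptions; role names are from the post.
const TABLE_ACLS = [
  { name: 'sn_hr_core_case', operation: 'read', type: 'allow_if',
    roles: ['sn_hr_core.case_reader'] },
];
const FIELD_ACLS = [
  { name: 'sn_hr_core_case.u_external_id', operation: 'read', type: 'allow_if',
    roles: ['sn_hr_core.case_reader'] },
  { name: 'sn_hr_core_case.u_external_id', operation: 'read', type: 'deny_unless',
    roles: ['sn_hr_core.external_id_viewer'] },
];

// A single rule passes when the user holds at least one of its roles
// (only the Roles condition is modelled; Condition and Script are omitted).
function rulePasses(rule, userRoles) {
  return rule.roles.some((r) => userRoles.has(r));
}

// Combine the rules of one level (table or field) for one operation.
// Returns { allowed, reason } so a denial can be traced to the rule that
// caused it, similar to what Access Analyzer reports.
function evaluateLevel(rules, userRoles) {
  const denyUnless = rules.filter((a) => a.type === 'deny_unless');
  const allowIf = rules.filter((a) => a.type === 'allow_if');

  // Every Deny Unless rule must pass; the first failing one ends evaluation.
  for (const rule of denyUnless) {
    if (!rulePasses(rule, userRoles)) {
      return { allowed: false,
               reason: 'deny_unless failed: ' + rule.name + ' needs ' + rule.roles.join('|') };
    }
  }
  // With no Allow If rule at this level there is nothing more to satisfy
  // (model assumption: the level then does not restrict access).
  if (allowIf.length === 0) {
    return { allowed: true, reason: 'no allow_if rules at this level' };
  }
  // Otherwise at least one Allow If rule must pass.
  const passing = allowIf.find((a) => rulePasses(a, userRoles));
  if (passing) return { allowed: true, reason: 'allow_if passed: ' + passing.name };
  return { allowed: false, reason: 'no allow_if rule passed for ' + allowIf[0].name };
}

// A field read needs the table-level read ACLs first, then the field-level ones.
function evaluateFieldRead(userRoles, tableRules, fieldRules) {
  const table = evaluateLevel(tableRules, userRoles);
  if (!table.allowed) return { allowed: false, reason: 'table level: ' + table.reason };
  const field = evaluateLevel(fieldRules, userRoles);
  return { allowed: field.allowed, reason: 'field level: ' + field.reason };
}

function canReadField(userRoles, tableRules, fieldRules) {
  return evaluateFieldRead(userRoles, tableRules, fieldRules).allowed;
}

// Constructed users with the roles given in the post.
const USERS = {
  'Roger Seid': new Set(['sn_hr_core.case_reader']),
  'Rosalie Krigger': new Set(['sn_hr_core.case_reader', 'sn_hr_core.external_id_viewer']),
};

for (const [user, roles] of Object.entries(USERS)) {
  const result = evaluateFieldRead(roles, TABLE_ACLS, FIELD_ACLS);
  console.log(user + ': ' + (result.allowed ? 'can read' : 'cannot read') +
              ' External ID (' + result.reason + ')');
}
```

Running the block prints one line per user: Roger is stopped by the 'Deny Unless' rule at field level, Rosalie passes both levels. The `reason` string keeps the table-level and field-level outcomes apart, which is the same split the post's Access Analyzer screenshot points at (a skipped table ACL denies the field before the field rules are even consulted in this model).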
Runjay Patel

Hi @Praveen0708,

Only the 1st ACL is required; it will take care of the else part.

-------------------------------------------------------------------------

If you found my response helpful, please consider selecting "Accept as Solution" and marking it as "Helpful." This not only supports me but also benefits the community.


Regards
Runjay Patel - ServiceNow Solution Architect
YouTube: https://www.youtube.com/@RunjayP
LinkedIn: https://www.linkedin.com/in/runjay

-------------------------------------------------------------------------

Max Nowak

In your post, you mention giving Rosalie the role "sn_hr_core.profile_reader", but the Allow ACL you configured is for the role "sn_hr_core.case_reader".

Was that just a typo, or is case_reader included in profile_reader (I'm not familiar with the role structure of HR)? Because if not, that would certainly explain the behaviour.

Hi @Max Nowak, thanks for pointing it out. Yes, it was a typo. I've corrected it now.

  1. Roger Seid - has 'sn_hr_core.case_reader'
  2. Rosalie Krigger - has 'sn_hr_core.case_reader' and 'sn_hr_core.external_id_viewer'.