Difference between ACL * and ACL none?

rambo1
Tera Guru

Please explain the difference between ACL * and ACL none?


arielgritti
Mega Sage

Hello

Maybe this can help you.

On the "Developer" site you can find a course with a great explanation about the use of ACL * and ACL none.

https://developer.servicenow.com/app.do#!/lp/new_to_servicenow/app_store_learnv2_securingapps_kingston_to_or_not_to?v=kingston

Here is the explanation from the "Developer" site, with the example.

To * or Not to *

The Name field in an Access Control specifies the table records to protect and a field to protect. The field list has a –None– option and a * option.

Field Access Control

  • –None–: Grant access to records and all fields in the records.
  • *: Grant access to all fields where there is no field-specific Access Control.

At first glance, –None– and * seem to grant the same thing: access to all fields on a record. To tell the difference in behavior, you need to see how –None– and * work together and with other Access Controls.

Demonstration Setup

The examples use an application called Generic that has a single table called Table. Table has five columns: Field 1, Field 2, Field 3, Field 4, and Field 5.

There are five fields on the Table table.
The application has two roles:

  • x_58872_generic.admin, assigned to Fred Luddy
  • x_58872_generic.table_user, assigned to Beth Anglin

The Generic application has a table and two roles.

–None– without *

Examine the two read Access Controls. Pay attention to the field value and the roles. The screenshots have been edited to show only the pertinent parts of the Access Control.

The None Access Control for admin and table_user

The Field 3 Access Control for admin

Using this Access Control List (ACL), Fred can see:

Fred can see all rows and all fields.
Using this ACL, Beth can see:

Beth cannot see Field 3.
How does this work?

  • The None Access Control granted all rows and all fields to both Fred and Beth.
  • The Field 3 Access Control granted Field 3 access to Fred. Giving Field 3 explicitly to Fred removed Field 3 access from Beth even though she was granted Field 3 access by the None Access Control.

–None– with *

Examine the three read Access Controls. Pay attention to the field value and the roles. The screenshots have been edited to show only the pertinent parts of the Access Control.

None for table_user and admin

Star for admin

Field 3 for table_user

Using this ACL, Fred can see:

Fred can see all fields and all rows.
Using this ACL, Beth can see:

Beth can see only Field 3.
How does this work?

  • The None Access Control granted all rows and all fields to both Fred and Beth.
  • The * Access Control granted all rows and all fields to Fred. It seems redundant to have this Access Control because Fred already had access to all rows and all fields. The purpose of this Access Control is to deny access to all other roles, even roles granted permission by the None Access Control.
  • The Field 3 Access Control explicitly gives Beth access to Field 3 even though Beth was denied access to Field 3 by the * Access Control. Field-specific Access Controls take precedence over * Access Controls.

Conclusions

You cannot write * Access Controls without None because only None grants access to records.

When writing an ACL that mostly grants access, use only None.

When writing an ACL that mostly denies access, use None and *.

Please mark correct or useful if I helped you.

Thanks

Ariel

Hi rambo,

Please go through the following links,

https://community.servicenow.com/community?id=community_question&sys_id=562b87eddb5cdbc01dcaf3231f96...

https://community.servicenow.com/community?id=community_question&sys_id=bf1a8b69db5cdbc01dcaf3231f96...

which give you an idea and also an explanation.

If useful, mark as correct or helpful.

Regards,

Varsha

Finally found a clear answer with examples that make sense instead of quoting docs. Thanks a lot.

I'm not sure that last part was ever correct, or if it has just changed... but just so everyone knows (if you Google your way to this thread like I did), if Field 3 has a rule for generic table user, then generic admin's view of the columns is as follows. Generic admin will NOT be able to see Field 3:

How does this work?

  • The table.None read ACL gives read access to the records in the table to Beth and Fred
  • The table.* read ACL for Fred gives access to all fields for generic admin and excludes users with all other roles
  • The table.Field 3 read ACL gives access to Field 3 to Beth, but not Fred, even though Fred has table.* access. Remember: table.* applies to every field on the record where there is no field-specific ACL.
  • As shown, read access to Field 3 is denied to ALL USERS except those with generic table user role

Another view of the same:
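As an added example (not code from either post, and not ServiceNow's engine), here is a small Python model of the read-ACL precedence the thread describes: record access comes only from the None ACL, and for a field the most specific ACL that exists decides alone (field-specific, then *, then None). It reuses the thread's role and field names, and under that rule the "None with *" setup denies Field 3 to the admin, as the last reply observes.

```python
# Model of the ACL precedence described in the thread (added example).
# Rules modelled:
#   1. A record is readable only if a None ACL lists one of the user's roles.
#   2. For a field: a field-specific ACL, if present, decides on its own;
#      otherwise a * ACL, if present, decides on its own;
#      otherwise the None ACL decides.
# An ACL set is a dict mapping "None", "*" or a field name to the roles it grants.

ADMIN = "x_58872_generic.admin"          # Fred's role (from the thread)
TABLE_USER = "x_58872_generic.table_user"  # Beth's role (from the thread)
FIELDS = ["Field 1", "Field 2", "Field 3", "Field 4", "Field 5"]


def can_read_record(acls, user_roles):
    """Record access is granted only by the None ACL (the thread's first conclusion)."""
    return bool(set(acls.get("None", ())) & set(user_roles))


def can_read_field(acls, user_roles, field):
    """Most specific existing ACL wins: field-specific > * > None."""
    if not can_read_record(acls, user_roles):
        return False
    for key in (field, "*", "None"):
        if key in acls:
            return bool(set(acls[key]) & set(user_roles))
    return False


def visible_fields(acls, user_roles):
    """Fields of a readable record that the user's roles can see."""
    return [f for f in FIELDS if can_read_field(acls, user_roles, f)]


# Scenario "None without *": None for both roles, Field 3 for admin only.
ACL_NONE_ONLY = {"None": {ADMIN, TABLE_USER}, "Field 3": {ADMIN}}
# Scenario "None with *": None for both, * for admin, Field 3 for table_user.
ACL_NONE_STAR = {"None": {ADMIN, TABLE_USER}, "*": {ADMIN}, "Field 3": {TABLE_USER}}

if __name__ == "__main__":
    for name, acls in (("None without *", ACL_NONE_ONLY), ("None with *", ACL_NONE_STAR)):
        print(name)
        print("  Fred (admin):      ", visible_fields(acls, {ADMIN}))
        print("  Beth (table_user): ", visible_fields(acls, {TABLE_USER}))
```

A * ACL with no None ACL grants nothing at all in this model, which is the thread's point that * cannot stand alone.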