Difference between ACL * and ACL none?
06-05-2018 05:40 AM
Please explain the difference between ACL * and ACL none?

06-05-2018 05:45 AM
Hello
Maybe this can help you.
In the "Developer" Site you can find a course with a great explanation about the use of ACL * and ACL none:
https://developer.servicenow.com/app.do#!/lp/new_to_servicenow/app_store_learnv2_securingapps_kingston_to_or_not_to?v=kingston
Here is the explanation from the "Developer" Site with the example:
To * or Not to *
The Name field in an Access Control specifies the table records to protect and a field to protect. The field list has a –None– option and a * option.
- –None–: Grant access to records and all fields in the records.
- *: Grant access to all fields where there is no field-specific Access Control.
At first glance, –None– and * seem to grant the same thing: access to all fields on a record. To tell the difference in behavior, you need to see how –None– and * work together and with other Access Controls.
Demonstration Setup
The examples use an application called Generic that has a single table called Table. Table has five columns: Field 1, Field 2, Field 3, Field 4, and Field 5.
The application has two roles:
- x_58872_generic.admin, assigned to Fred Luddy
- x_58872_generic.table_user, assigned to Beth Anglin
–None– without *
Examine the two read Access Controls. Pay attention to the field value and the roles. The screenshots have been edited to show only the pertinent parts of the Access Control.
Using this Access Control List (ACL), Fred can see:
Using this ACL, Beth can see:
How does this work?
- The None Access Control granted all rows and all fields to both Fred and Beth.
- The Field 3 Access Control granted Field 3 access to Fred. Giving Field 3 explicitly to Fred removed Field 3 access from Beth even though she was granted Field 3 access by the None Access Control.
–None– with *
Examine the three read Access Controls. Pay attention to the field value and the roles. The screenshots have been edited to show only the pertinent parts of the Access Control.
Using this ACL, Fred can see:
Using this ACL, Beth can see:
How does this work?
- The None Access Control granted all rows and all fields to both Fred and Beth.
- The * Access Control granted all rows and all fields to Fred. It seems redundant to have this Access Control because Fred already had access to all rows and all fields. The purpose of this Access Control is to deny access to all other roles, even roles granted permission by the None Access Control.
- The Field 3 Access Control explicitly gives Beth access to Field 3 even though Beth was denied access to Field 3 by the * Access Control. Field-specific Access Controls take precedence over * Access Controls.
Conclusions
You cannot write * Access Controls without None because only None grants access to records.
When writing an ACL that mostly grants access, use only None.
When writing an ACL that mostly denies access, use None and *.
Please mark as correct or useful if I helped you.
Thanks
Ariel
06-05-2018 05:49 AM
Hi rambo,
Please go through the following link,
which gives you an idea and also an explanation.
If useful, mark as correct or helpful.
Regards,
Varsha
08-08-2021 08:46 PM
Finally found a clear answer with examples that makes sense instead of quoting docs. Thanks a lot.
03-22-2022 04:01 PM
I'm not sure that last part was ever correct, or if it has just changed... but just so everyone knows (if you google across this thread like I did), if Field 3 has a rule for generic table user, then generic admin's view of the columns is as such. Generic admin will NOT be able to see Field 3:
How does this work?
- The table.None read ACL gives read access to the records in the table to Beth and Fred
- The table.* read ACL for Fred gives access to all fields for generic admin and excludes users with all other roles
- The table.Field 3 read ACL gives access to Field 3 to Beth, but not Fred, even though Fred has table.* access. Remember: table.* applies to every field on the record where there is no field-specific ACL.
- As shown, read access to Field 3 is denied to ALL USERS except those with generic table user role
Another view of the same:
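
The evaluation order discussed in this thread, as an added example that is not part of any post or of ServiceNow's own code: a simplified JavaScript model in which a user must pass the --None-- (row) ACL and then the most specific field ACL, with * consulted only when a field has no ACL of its own. The data structures and function names are hypothetical, and the model assumes role-only ACLs with no conditions, scripts, parent tables or admin override.

```javascript
// Simplified model of read-ACL evaluation on a single table: roles only,
// no conditions, scripts, parent tables or admin override (assumptions).
// field: null stands for --None--, "*" for the wildcard, otherwise a field name.
const ADMIN = "x_58872_generic.admin";
const TABLE_USER = "x_58872_generic.table_user";
const FIELDS = ["Field 1", "Field 2", "Field 3", "Field 4", "Field 5"];

// Several ACLs with the same name: holding a role from any one of them passes.
function passesAny(acls, userRoles) {
  return acls.some(acl => acl.roles.some(role => userRoles.includes(role)));
}

function canReadField(acls, userRoles, field) {
  // Row level: a --None-- ACL must grant the record. The model treats a
  // missing --None-- ACL as deny (assumption).
  if (!passesAny(acls.filter(a => a.field === null), userRoles)) return false;
  // Field level: a field-specific ACL is evaluated instead of *, never in addition to it.
  const specific = acls.filter(a => a.field === field);
  if (specific.length > 0) return passesAny(specific, userRoles);
  const wildcard = acls.filter(a => a.field === "*");
  if (wildcard.length > 0) return passesAny(wildcard, userRoles);
  return true; // no field-level ACL applies, so row access is enough
}

function visibleFields(acls, userRoles) {
  return FIELDS.filter(f => canReadField(acls, userRoles, f));
}

// Constructed ACL sets mirroring the two setups discussed in the thread.
const noneWithoutStar = [
  { field: null, roles: [ADMIN, TABLE_USER] },
  { field: "Field 3", roles: [ADMIN] },
];
const noneWithStar = [
  { field: null, roles: [ADMIN, TABLE_USER] },
  { field: "*", roles: [ADMIN] },
  { field: "Field 3", roles: [TABLE_USER] },
];

for (const [name, acls] of [["None without *", noneWithoutStar], ["None with *", noneWithStar]]) {
  console.log(name, "| Fred:", visibleFields(acls, [ADMIN]).join(", "),
    "| Beth:", visibleFields(acls, [TABLE_USER]).join(", "));
}
```

When reviewing a real table, the same question applies to every field-specific ACL: which roles hold * access and are missing from that ACL, since they lose the field.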