07-05-2025 12:23 AM
When both field-level and table-level ACLs exist in ServiceNow, how does the platform decide which one to apply? Which one takes priority, and what's the logic behind that?
07-05-2025 04:40 AM
In ServiceNow, the most restrictive ACL wins. The platform checks access in this order:
- Field-level ACL (most specific)
- Table.field (wildcard)
- Table-level ACL (least specific)
So if any field-level ACL denies access—even if the table-level allows—it will block the field. ✅ Yes, 100% confirmed — this is how ACL evaluation logic works in ServiceNow.
Tip: Use the Security Debug tool to see exactly which ACLs are evaluated.
07-05-2025 12:29 AM
Hi @vikramkehar
Order of Evaluation for ACLs
The order in which ACLs are evaluated in ServiceNow follows a specific hierarchy and is crucial to understanding how access is granted or denied. Here’s the basic order of evaluation:
- Table-level ACL Evaluation: The system first checks for ACLs on the entire table.
- Record-level ACL Evaluation: After the table ACLs, the system evaluates record-specific ACLs.
- Field-level ACL Evaluation: Finally, the system checks the field-specific ACLs for any restrictions on individual fields.
The evaluation order is as follows:
- First, the Table ACLs are checked to determine whether the user has the required permissions on the table.
- Then, the Record ACLs are evaluated to determine if the user can access the specific record.
- Finally, the Field ACLs are evaluated for access to individual fields within the record.
It’s important to note that multiple ACLs can be applied to the same resource (e.g., a record or field). The access control rules are combined, and if any ACL denies access, the user will be denied access to that resource.
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]
07-05-2025 05:30 AM
@garimakharb I would like to comment on the 2: wildcard in ACL is something a little bit different.
- table.field > incident.short_description
  - you specify the access to this particular field
- wildcard > incident.*
  - it will be applied to ALL THE FIELDS THAT ARE NOT EXPLICITLY DEFINED
    - in this case all the fields except short description, because incident.short_description exists

@vikramkehar FYI there was an incorrect detail, and this is a very important difference; be careful about it.
/* If my response wasn’t a total disaster ↙️ ⭐ drop a Kudos or Accept as Solution ✅ ↘️ Cheers! */
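
The wildcard behaviour described in the last reply, as an added example that is not part of the thread and not ServiceNow platform code: a simplified model in which an explicit `incident.short_description` rule governs that field, `incident.*` governs every field without its own rule, and the table rule must pass as well. The role names and rules are constructed, the function names are hypothetical, and the model assumes one read rule per ACL name, no parent tables, and denial when no table rule exists.

```javascript
// Simplified model of read-ACL lookup; not ServiceNow platform code.
// Constructed sample rules: ACL name -> roles allowed to read.
const readAcls = new Map([
  ["incident", ["itil"]],                         // table-level rule
  ["incident.*", ["itil"]],                       // wildcard field rule
  ["incident.short_description", ["itil_admin"]], // explicit field rule
]);

// Name of the field rule that governs table.field: the explicit
// table.field rule if one exists, otherwise the table.* wildcard.
function governingFieldAcl(acls, table, field) {
  const explicit = `${table}.${field}`;
  if (acls.has(explicit)) return explicit;
  const wildcard = `${table}.*`;
  if (acls.has(wildcard)) return wildcard;
  return null; // no field-level rule applies to this field
}

function hasAnyRole(userRoles, required) {
  return required.some((role) => userRoles.includes(role));
}

// A field is readable only if the table rule passes AND the governing
// field rule passes. decidedBy names the rule that settled the outcome.
function canReadField(acls, userRoles, table, field) {
  const tableRule = acls.get(table);
  if (!tableRule || !hasAnyRole(userRoles, tableRule)) {
    return { allowed: false, decidedBy: table }; // assumption: deny by default
  }
  const name = governingFieldAcl(acls, table, field);
  if (name === null) return { allowed: true, decidedBy: table };
  return { allowed: hasAnyRole(userRoles, acls.get(name)), decidedBy: name };
}

// Constructed user holding only the itil role.
for (const field of ["short_description", "priority"]) {
  const result = canReadField(readAcls, ["itil"], "incident", field);
  console.log(`incident.${field}:`, result);
}
```

In a real instance, the Security Debug tool mentioned earlier in the thread shows which rules were actually evaluated for a field.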