07-05-2025 12:23 AM
When both field-level and table-level ACLs exist in ServiceNow, how does the platform decide which one to apply? Which one takes priority, and what's the logic behind that?
07-05-2025 04:40 AM
In ServiceNow, the most restrictive ACL wins. The platform checks access in this order:
- Field-level ACL (most specific)
- Table.field (wildcard)
- Table-level ACL (least specific)
So if any field-level ACL denies access—even if the table-level allows—it will block the field. ✅ Yes, 100% confirmed — this is how ACL evaluation logic works in ServiceNow.
Tip: Use the Security Debug tool to see exactly which ACLs are evaluated.
07-05-2025 12:29 AM
Hi @vikramkehar
Order of Evaluation for ACLs
The order in which ACLs are evaluated in ServiceNow follows a specific hierarchy and is crucial to understanding how access is granted or denied. Here’s the basic order of evaluation:
- Table-level ACL Evaluation: The system first checks for ACLs on the entire table.
- Record-level ACL Evaluation: After the table ACLs, the system evaluates record-specific ACLs.
- Field-level ACL Evaluation: Finally, the system checks the field-specific ACLs for any restrictions on individual fields.
The evaluation order is as follows:
- First, the Table ACLs are checked to determine whether the user has the required permissions on the table.
- Then, the Record ACLs are evaluated to determine if the user can access the specific record.
- Finally, the Field ACLs are evaluated for access to individual fields within the record.
It’s important to note that multiple ACLs can be applied to the same resource (e.g., a record or field). The access control rules are combined, and if any ACL denies access, the user will be denied access to that resource.
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/dratulgrover [ Connect for 1-1 Session]
****************************************************************************************************************
07-05-2025 05:30 AM
@garimakharb I would like to comment on point 2: a wildcard in an ACL is something a little bit different.
- table.field > incident.short_description
  - you specify the access to this particular field
- wildcard > incident.*
  - it will be applied to ALL THE FIELDS THAT ARE NOT EXPLICITLY DEFINED
  - in this case all the fields except short description, because incident.short_description exists

@vikramkehar FYI, there was an incorrect detail, and this is a very important difference, so be careful about it.
100 % GlideFather experience and 0 % generative AI
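
The wildcard behaviour described in the reply above, as an added example that is not part of the thread and not ServiceNow's own code: a simplified JavaScript model in which each ACL is reduced to a single required role. The sample rules, roles and function names are constructed for illustration; conditions, scripts and table inheritance are left out, and a missing rule is treated as a pass (an assumption of this model).

```javascript
// Constructed sample rules for one operation (e.g. read): ACL name -> required role.
const sampleAcls = new Map([
  ["incident", "itil"],                   // table-level rule
  ["incident.*", "admin"],                // wildcard field rule
  ["incident.short_description", "itil"], // explicit field rule
]);

// Pick the field rule that governs table.field: the explicit rule if one
// exists, otherwise the table.* wildcard, otherwise none.
function governingFieldAcl(acls, table, field) {
  const explicit = `${table}.${field}`;
  if (acls.has(explicit)) return explicit;
  const wildcard = `${table}.*`;
  return acls.has(wildcard) ? wildcard : null;
}

// A field is accessible only when the table-level rule AND the governing
// field rule both pass. A missing rule counts as a pass (model assumption).
function canAccessField(acls, userRoles, table, field) {
  const passes = (name) => !acls.has(name) || userRoles.includes(acls.get(name));
  if (!passes(table)) return false;
  const fieldAcl = governingFieldAcl(acls, table, field);
  return fieldAcl === null || passes(fieldAcl);
}

// Review helper: fields the wildcard does NOT govern because an explicit
// table.field rule exists. Tightening table.* leaves these unchanged.
function fieldsNotCoveredByWildcard(acls, table) {
  const prefix = `${table}.`;
  return [...acls.keys()]
    .filter((name) => name.startsWith(prefix) && name !== `${table}.*`)
    .map((name) => name.slice(prefix.length));
}

// Which rule decides each field, and the outcome for a user holding only itil.
for (const field of ["short_description", "description"]) {
  const rule = governingFieldAcl(sampleAcls, "incident", field);
  const ok = canAccessField(sampleAcls, ["itil"], "incident", field);
  console.log(`${field}: governed by ${rule}, itil user allowed = ${ok}`);
}
console.log("not covered by incident.*:", fieldsNotCoveredByWildcard(sampleAcls, "incident"));
```

When reviewing a table's rules, the last helper lists the fields whose access will not change if only the wildcard rule is tightened.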
