One ACL making field read only and other making field editable on form, which one will apply?
05-23-2025 09:40 PM
Hi Community,
Can anyone explain the above scenario?
Is there any order or logic which applies while evaluating these kinds of scenarios?
05-23-2025 10:17 PM - edited 05-23-2025 10:17 PM
Hello @KS86 ,
It depends on the configuration of your ACLs, and the current user.
Write ACLs make a field editable when the current user passes the condition/role/script check defined in the ACL.
If you have multiple write ACLs for the same field and the user passes at least one of them, then the field will be editable, else it will be read-only.
It gets more complex if you have a combination of "Deny unless" and "Allow if" ACLs involved. If the user does not pass the "Deny unless" ACL then the "Allow if" ACL won't be checked.
These are the general rules. If you can share screen shots of your two ACLs you can get a more precise answer.
Regards,
Robert
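The rules in the answer above, as an added example that is not part of the original post and is not ServiceNow platform code: a simplified JavaScript model in which every "Deny unless" ACL must be satisfied before any "Allow if" ACL is checked, and one passing "Allow if" ACL makes the field editable. The function names, ACL names, users and records are all constructed for illustration, and the model assumes an ACL passes only when its role, condition and script checks all pass.

```javascript
// Simplified model of the evaluation rules described in this thread.
// Not ServiceNow code; all names and sample data are constructed.

// An ACL passes only if the role, condition and script checks all pass.
function aclPasses(acl, user, record) {
  const roleOk = acl.roles.length === 0 ||
    acl.roles.some((r) => user.roles.includes(r));
  return roleOk && acl.condition(record) && acl.script(user, record);
}

// Returns whether the field is editable and which ACLs were evaluated.
function canWrite(acls, user, record) {
  const evaluated = [];
  const check = (acl) => {
    evaluated.push(acl.name);
    return aclPasses(acl, user, record);
  };
  // Step 1: a failed "Deny unless" ACL ends evaluation; "Allow if" is skipped.
  for (const acl of acls.filter((a) => a.decision === 'deny-unless')) {
    if (!check(acl)) return { editable: false, evaluated };
  }
  // Step 2: one passing "Allow if" ACL is enough to make the field editable.
  for (const acl of acls.filter((a) => a.decision === 'allow-if')) {
    if (check(acl)) return { editable: true, evaluated };
  }
  return { editable: false, evaluated }; // nothing granted: read-only
}

const yes = () => true;
// Constructed write ACLs for one field.
const ACLS = [
  { name: 'allow-itil', decision: 'allow-if', roles: ['itil'],
    condition: yes, script: yes },
  { name: 'allow-assignee', decision: 'allow-if', roles: [],
    condition: yes, script: (u, rec) => rec.assigned_to === u.id },
  { name: 'deny-unless-active', decision: 'deny-unless', roles: [],
    condition: (rec) => rec.active === true, script: yes },
];

// Constructed users and records.
const agent = { id: 'u1', roles: ['itil'] };
const caller = { id: 'u2', roles: [] };
const open = { active: true, assigned_to: 'u2' };
const closed = { active: false, assigned_to: 'u2' };

for (const [who, rec] of [[agent, open], [caller, open], [agent, closed]]) {
  console.log(who.id, rec.active, JSON.stringify(canWrite(ACLS, who, rec)));
}
```

In the third case the evaluated list contains only the "Deny unless" ACL, which is the behaviour the answer describes: the "Allow if" ACLs are never reached.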
05-24-2025 12:04 AM
Hi @KS86
There isn't a specific ACL to make fields read-only.
If the currently logged-in user meets the field-level write/create ACL (for new records), they can edit the field. Otherwise, the field remains read-only.
Additionally, "Deny-Unless" type ACLs take precedence over "Allow If" type ACLs. Therefore, if a "Deny Unless" ACL has been configured, users must satisfy its conditions to gain access.
Hope this helps.
Regards,
Siva
05-24-2025 02:22 AM
The user will be able to edit the field if they qualify for at least one ACL, even though other ACLs restrict it.
Hope the above answer solves your query.
If not, please explain clearly what you mean by making a field read-only via ACL.
Accept the solution and mark as helpful if it does, to benefit future readers.
Regards,
Sumanth
12-09-2025 03:41 PM
Does a Deny-Unless * ACL apply before a Grant incident.* ACL? In other words, are all Deny ACLs evaluated first, regardless of precedence, before any Grant ACL is evaluated? I can't find any statement in the Docs that clearly says whether the order is per precedence level vs. all first. A bunch of half-complete statements. Sigh.
I am guessing that, in my example, the Deny-Unless ACL does win. Not because ServiceNow docs came out and said so. ServiceNow search sucks, but even Google advanced search terms aren't helping me here. They mention that access has to be granted by a grant ACL after ALL Deny rules are satisfied. So all the Deny rules have to be evaluated before any grant rule. I just wish I could find a single clear and absolute statement.
