Record vs table level acls when script attached

EshikaAgrawal
ServiceNow Employee
ServiceNow Employee

‎07-17-2025 06:42 AM

Screenshot 2025-07-17 at 7.11.54 PM.png

I have the following ACL script on the sectest table(inside 1st row acl in above image for the read operation):

 

 

var user = gs.getUser(); if (user.hasRole("sn_cmp.cloud_service_designer") || current.sys_created_by == gs.getUserName() || user.hasRole("sn_cmp.cloud_governor") || user.hasRole("sn_cmp.cloud_admin") || user.hasRole("sn_cmp.cloud_operator") || current.isNewRecord()) answer = true; else answer = new CMPCheckPermission().checkPermission(current.getTableName(), current.getValue("sys_id"), gs.getUserID(), "read");

 

 

Since this script uses current, I understand it functions as a record-level ACL. However, I would like to confirm whether this can also be considered applicable at the table level, or if the presence of current strictly makes it record-level only.

Now consider the following Java logic:

 GlideRecord opSignatureGlide = new GlideRecord("sectest");

if (!opSignatureGlide.canRead())

{ AccessErrorHelper.throwAccessError(fLogger, AccessErrorHelper.OperationType.READ); } opSignatureGlide.addQuery("name", opSignatureName);

opSignatureGlide.query();

while (opSignatureGlide.next()) {

if (fLogger.isDebugEnabled()) fLogger.debug("Glide record for operation signature exists with name: " + opSignatureName); operationSignatureDTO = convertGlideRecordToOpSignatureDTO(opSignatureGlide); }

 

My concern is that since the only ACL on the table is the record-level ACL that uses current, calling canRead() before the loop may not behave as expected.

I understand that canRead() evaluated before next() only checks for table-level ACLs. And since there is no explicit table-level ACL defined (no ACL with name .*), this check might return false even though the user has record-level access due to the script.

Therefore, should I avoid using canRead() before the query loop in such a scenario?

Would it be correct to say that a record-level ACL using current does not replace a proper table-level ACL, and that if no table-level ACL exists, then canRead() should not be used before the loop?

Let me know if this understanding is correct. 

And if record is defined in my acl then where to define table level acl? how to distinguish?

0 Helpfuls
  • 765 Views
9 REPLIES 9

J Siva
Tera Sage

‎07-17-2025 07:01 AM

Hi @EshikaAgrawal 

As far as I know, both table-level and record-level ACLs function similarly. There’s no such thing as an explicit table-level ACL. Setting table.none will validate access on each individual record. In the list view, it applies to all records, but only those the user is authorized to access will be displayed.

Regards,

Siva

0 Helpfuls

EshikaAgrawal
ServiceNow Employee
ServiceNow Employee
In response to J Siva

‎07-17-2025 07:12 AM

if i use gr.canRead before while loop and as mentioned script is attached which uses current then will it give unpredictable result as current not yet loaded?

0 Helpfuls

J Siva
Tera Sage
In response to EshikaAgrawal

‎07-17-2025 07:20 AM

@EshikaAgrawal 

May I know where you are using this Java logic??

0 Helpfuls

EshikaAgrawal
ServiceNow Employee
ServiceNow Employee
In response to J Siva

‎07-17-2025 07:33 AM

@J Siva 

means?

I am using in my code which gets triggered by an action 

 

GlideRecord opSignatureGlide = new GlideRecord("sectest");

if (!opSignatureGlide.canRead())

{ AccessErrorHelper.throwAccessError(fLogger, AccessErrorHelper.OperationType.READ); } opSignatureGlide.addQuery("name", opSignatureName);

opSignatureGlide.query();

while (opSignatureGlide.next()) {

if (fLogger.isDebugEnabled()) fLogger.debug("Glide record for operation signature exists with name: " + opSignatureName); operationSignatureDTO = convertGlideRecordToOpSignatureDTO(opSignatureGlide); }

 

0 Helpfuls