Scoped Application ACL issues with table wildcard rule

emyrold · ‎02-01-2016

I am having difficulty figuring out how to setup my ACLs on a custom app I'm building. In section 2.2, sixth bullet down Using Access Control Rules - ServiceNow Wiki

It says you can only create table wildcard rules in the global scope.

I have created a custom table in a scoped app:

release_task extended from task

I have 15 or so fields some from task and some new directly on the table. I mostly wanted the fields ready only except for a couple fields I wanted open.

I intended to create one release_task.* (table wildcard write rule) to make all fields read only except for admin. then create a few release_task.fieldname write rules with no roles to open them up.

When I turn on Security debug and impersonate a non-admin user, the field-level rule show as being "Not Evaluated" see attached screen shot.

Any suggestions?

srinivasthelu · ‎02-01-2016

Hi Emrold,

Yes. Wiki says

Field ACL rules are processed in the following order:

Match the table and field name. For example, incident.number.
Match the parent table and field name. For example, task.number.
Match any table (wildcard) and field name. For example, *.number.
Match the table and any field (wildcard). For example, incident.*.
Match the parent table and any field (wildcard). For example, task.*.
Match any table (wildcard) and any field (wildcard). For example, *.*.

The first matching evaluation stops ACL rule processing at that field level. This means that when a user passes or fails a field ACL rule, the system stops searching for matching field ACL rules below that level.

So, that means, table.* is overruled by parentTable.field. I believe that is what happening in your case. If so you would need to create additional table.* acls

Hope this helps.

Cheers

Srini

Please mark this as helpful/correct answer if it does so.

View solution in original post

srinivasthelu · ‎02-01-2016

Hi Emyrold,

By looking at the screenshot, I think the end user wont have table level access itself.

Users needs satisfy at least one table acl(table.none) to gain access to any fields.

Thanks

Srini

emyrold · ‎02-01-2016

Hi Srini,

Don't know how I missed that, could have swore I opened up table.none. Anyway, thanks that did it. I have a second question. So the write ACLs: Table.none (open), Table.* (role=admin) and Table.fieldName (no roles) seems to be working as expected with the exception of Fields that come down from the base table task.

So does the Table.* only apply to fields created on the extended table? Because I explicitly only opened up four fields: customer, short description, description (story), Acceptance Criteria (tests), however assigned_to, Story Conversation (comments), state and priority are all writable for the non-admin user. See attached screen shot.

Mike Allen · ‎02-01-2016

When I did this recently, I had to explicitly name fields that were inherited from task in their own ACL rules, so release_task.short_description, for example, needed its own ACL.

emyrold · ‎02-01-2016

Hi Mike,

short_description is supposed to be open, it is: assigned_to, Story Conversation (comments), state and priority that are all writable for the non-admin user and I thought the Table.* rule should have made those read only.

are you saying I will need to create additional ACLs for those that were not made read only by the start rule?

If so, then does the star rule behave differently on extended tables within the context of Scoped Application versus in the Global scope?