So what you need is a row-level write ACL.

To get row-level write access it suffices if any row-level write ACL matches.

That means if you further want to restrict the access you have to modify every row-level write ACL for that table and add the condition.

Let's say we have the following two ACLs:

1. you get access if you opened the record
   
2. you get access if you have the itil role
   

If you want to add the restriction that the record should still be active you have to modify each of these rules. The result should then look like this:

1. you get access if you opened the record and the record is active
   
2. you get access if you have the itil role and the record is active
   

If you instead add a new ACL then the result will be that everyone has access to active records. So the following would be wrong:

1. you get access if you opened the record
   
2. you get access if you have the itil role
   
3. you get access if the record is active
   

To put it into terms of logic, every ACL on the same level is joined with an OR. If you want to implement a logical AND then you have to modify all ACLs on the same level.

Also have a look into the Wiki: http://wiki.servicenow.com/index.php?title=Using_Access_Control_Rules
That page was much improved end of last year and makes the evaluation of ACLs more clear now.