Which is the best practice about ACL, creating new one or edit existing one?
7 hours ago
Hi All,
We have one custom-coded ACL whose conditions we are not going to use in future.
So let me know the best practice here:
Is deactivating the current ACL and creating a new ACL with new conditions good practice? Or
is updating the current ACL with new code conditions good practice?
Which is best in practice?
7 hours ago
Best practice is to create new ACLs when needed and not update out of box ACLs so that it is easier to track it in future. Over a period of time when you have multiple changes to track, any customizations done to the out of box ACLs can be hard to track whereas new ACLs created can be located easily.
If you do not want to use out of box ACL(s), disable them and create new ACL(s) as per your requirements.
If this helped to answer your query, please mark it helpful & accept the solution.
Thanks,
Bhuvan
5 hours ago
Hi
My existing ACL is NOT an OOB ACL; it is a fully custom-created ACL.
5 hours ago
If it is a custom ACL and you are not going to use it in future, you can edit the ACL and use it, or make it inactive and create a new ACL.
It is not about best practices if both are custom ACLs, but rather ease of management. I would recommend keeping the existing ACL inactive and creating a new ACL so that, in case you need to refer to the ACL in future, you can revisit and use it if needed.
If this helped to answer your query, please mark it helpful & accept the solution.
Thanks,
Bhuvan
7 hours ago - last edited 7 hours ago
Hi chanikya,
Excellent question. The best practice in this scenario is to deactivate the old ACL and create a new one with the updated conditions. Here’s why:
Deactivate Old ACL + Create New One (Recommended)
Clear Audit Trail:
Keeping the original ACL (even deactivated) preserves history. You can always see what the old rule was, why it was changed, and who changed it.
Reduce Risk:
Modifying an existing ACL in production can accidentally break access for users if there’s an error in the new script/condition. Deactivating the old rule and testing a new one is safer.
Version Control & Compliance:
Many compliance frameworks require keeping a record of security changes. Deactivating rather than deleting helps meet these requirements.
Why Editing Existing ACLs Is Risky
No History:
If you overwrite the existing ACL, you lose the original condition logic. This can make troubleshooting and auditing difficult.
Human Error:
Accidentally introducing syntax errors or logic flaws while editing can cause unexpected access issues.
Steps to Follow
Deactivate the old ACL (do not delete it).
Create a new ACL with the updated conditions.
Test thoroughly in a sub-production instance.
Document the change in the ACL description (e.g., “Replaced deprecated condition [Date]”).
This approach is aligned with ServiceNow’s governance and security best practices.
Hope this helps!
Thanks & Regards,
Muhammad Iftikhar
If my response helped, please mark it helpful & accept the solution so others can benefit as well.