12-18-2022 07:18 AM
Hi,
Found this on product documentation for ACL: Note: If there are no matching access control rules for the requested object and operation, then the system grants the user access to it. In practice, it is rare for the system to find no matching rules because the system has a set of default access control rules that protect all record operations.
Why is this the case? I assumed that access control rules are meant to enable a given audience to do something - by default no access, and you may grant access through rules - and if no rule is found for something, access would be denied.
It seems the other way around however, if I understand this correctly... You get access to everything by default, unless it is restricted through a rule. I was a bit surprised to read this, would it not be safer to deny access in case no rules are found?

12-18-2022 07:25 AM
Hi,
This behavior is controlled by property "glide.sm.default_mode".
There are wildcard table rules built into the system to provide access when specific table ACLs are not found.
For more details on this, you may want to start with the link below.
Thanks,
Arav

12-18-2022 07:33 AM
Thanks!

12-06-2023 09:40 AM
How amazing would it be if we *didn't* have to reverse engineer every URL posted here.
ServiceNow, what is your issue with easy access to permalinks?
https://docs.servicenow.com/csh?topicname=c_DefaultDenyProperty.html&version=latest
11-26-2024 06:49 PM
I believe that ServiceNow has changed the way this operates now, and if there are NO ACLs that match, including wildcard ACLs, then the Platform DENIES access. This is contrary to what I have seen written, but this is, I believe, the correct answer to Singularity's question (above), at least at the time of writing, Nov 2024. I have tested in a PID, where there are no Active *, *.*, *.short_description, task.short_description or u_information.short_description read ACLs, and a user is DENIED access to read the Short Description. (u_information is a custom table in my PID used for testing.) My understanding is that as of Xanadu at least, if the platform can find no matching ACLs whatsoever, then access is DENIED. Obviously in a Production instance this is unlikely to ever occur, but I think it is the correct answer to the question asked.
Note, this is not relying on the Default Deny property (as far as I can tell), as none of the wildcard ACLs are active.
The attached image from SN docs seems to indicate that the user will be granted access if no ACLs are matched, but I don't see that in my PID.
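
The question this thread turns on, whether a request that matches no rule is granted or denied, shown as a small added model (example code written for this page, not ServiceNow's ACL engine and not code from any poster). The rule shape, the function names, the caller-supplied candidate order and the 'allow'/'deny' values standing in for the property named above are assumptions.

```javascript
// Simplified model of the no-match fallback; not ServiceNow's ACL engine.
// Rule shape, function names and the 'allow'/'deny' values are assumptions.

// Constructed sample: every read rule that could cover the field is inactive,
// mirroring the test described in the post above.
const sampleRules = [
  { name: 'u_information.short_description', operation: 'read', active: false, roles: ['itil'] },
  { name: '*.short_description', operation: 'read', active: false, roles: [] },
  { name: '*.*', operation: 'read', active: false, roles: [] },
  { name: 'incident.short_description', operation: 'read', active: true, roles: ['itil'] },
];

// Candidate names, most specific first, supplied by the caller.
const fieldCandidates = ['u_information.short_description', '*.short_description', '*.*'];

function evaluate(rules, candidates, operation, userRoles, defaultMode) {
  for (const name of candidates) {
    const matched = rules.filter(
      (r) => r.active && r.operation === operation && r.name === name);
    if (matched.length === 0) continue; // nothing active at this level, try the next
    // Assumption: the first level with active rules decides; any passing rule grants.
    const ok = matched.some(
      (r) => r.roles.length === 0 || r.roles.some((role) => userRoles.includes(role)));
    return { allowed: ok, decidedBy: name };
  }
  // No active rule matched at any level: the fallback mode decides.
  return { allowed: defaultMode === 'allow', decidedBy: 'default:' + defaultMode };
}

// Audit helper: list requests whose outcome depends only on the fallback mode.
function findFallbackDependent(rules, requests) {
  return requests
    .filter((q) => evaluate(rules, q.candidates, q.operation, [], 'deny')
      .decidedBy.startsWith('default:'))
    .map((q) => q.candidates[0] + ' (' + q.operation + ')');
}

const requests = [
  { candidates: fieldCandidates, operation: 'read' },
  { candidates: ['incident.short_description', '*.short_description', '*.*'], operation: 'read' },
];

console.log(evaluate(sampleRules, fieldCandidates, 'read', ['itil'], 'allow'));
console.log(evaluate(sampleRules, fieldCandidates, 'read', ['itil'], 'deny'));
console.log(findFallbackDependent(sampleRules, requests));
```

The audit helper is the part worth adapting: any object it lists is protected only by the fallback setting, so its exposure changes if that setting does.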