
Why does system grant access if no ACL found?

Singularity
Tera Expert

Hi,

Found this on product documentation for ACL: Note: If there are no matching access control rules for the requested object and operation, then the system grants the user access to it. In practice, it is rare for the system to find no matching rules because the system has a set of default access control rules that protect all record operations.

Why is this the case? I assumed that access control rules are meant to enable a given audience to do something - by default no access, and you may grant access through rules - and if no rule is found for something, access would be denied.

It seems to be the other way around, however, if I understand this correctly... You get access to everything by default, unless it is restricted through a rule. I was a bit surprised to read this; would it not be safer to deny access in case no rules are found?

1 ACCEPTED SOLUTION

Arav
Tera Guru

Hi,

This behavior is controlled by the property "glide.sm.default_mode".

There are wildcard table rules built into the system to provide access when specific table ACLs are not found.

For more details on this, you may want to start with the link below.

https://docs.servicenow.com/en-US/bundle/tokyo-platform-administration/page/administer/security/conc...

Thanks,

Arav


5 REPLIES

GetS
Tera Contributor

Update... I was able to locate this singular reference that indicates that the Default Deny property is applied in both of these situations: 1) wildcard table ACLs are matched, and 2) in the absence of ANY ACLs matching; see here: https://www.servicenow.com/docs/bundle/utah-platform-security/page/administer/security/reference/r_G.... That link is the only place I have found where it is stated that if no ACLs are found on a table then the Default Deny property is applied. When it says "in the absence of any ACLs on a table" I think it means if no ACLs are matched when trying to access the table, i.e. an attempt to match the parent table ACLs and wildcard table ACLs with no luck, which is the case in my example above.
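To make the question, the accepted answer and the reply above concrete, here is an added JavaScript model of the evaluation order the thread describes (table rules, then parent table rules, then the wildcard table, then the default mode). It is example code written for this thread, not ServiceNow's ACL engine or any code from its documentation: the property name glide.sm.default_mode comes from the answer, but the values "allow" and "deny", the rule shape, the table hierarchy and the helper names (lineage, evaluateAccess, compareDefaultModes) are assumptions of the model, and the sample ACLs are constructed.

```javascript
// Added example, not ServiceNow's ACL engine: a small model of the evaluation
// order the thread describes. A request for (table, operation) is checked
// against rules on the table itself, then its parent tables, then the
// wildcard table "*". Only when no rule at all matches does the default mode
// decide, which is the behaviour the "glide.sm.default_mode" property governs.
// The values "allow"/"deny", the rule shape, the helper names and the sample
// data are assumptions made for this model.

// Constructed sample ACLs: a rule names a table ("*" = wildcard table), an
// operation, and the roles that satisfy it.
const SAMPLE_ACLS = [
  { table: "task", operation: "read", roles: ["itil"] },
  { table: "*", operation: "write", roles: ["admin"] },
];

// Constructed table hierarchy: child table -> parent table (incident extends task).
const SAMPLE_PARENTS = { incident: "task" };

// Returns the table followed by its ancestors, most specific first.
function lineage(table, parents) {
  const chain = [];
  for (let t = table; t !== undefined; t = parents[t]) {
    chain.push(t);
  }
  return chain;
}

// Evaluates a request. The most specific level that has any rule for the
// operation decides the outcome; the user passes if at least one rule at that
// level lists one of their roles (assumption of the model). With no matching
// rule at any level, defaultMode ("allow" or "deny") decides.
function evaluateAccess(table, operation, userRoles, acls, parents, defaultMode) {
  const levels = lineage(table, parents).concat(["*"]);
  for (const level of levels) {
    const rules = acls.filter((r) => r.table === level && r.operation === operation);
    if (rules.length === 0) continue;
    const passed = rules.some((r) => r.roles.some((role) => userRoles.includes(role)));
    return { decision: passed ? "allow" : "deny", matchedBy: level };
  }
  // Nothing matched anywhere: this is the case the questioner asked about.
  return { decision: defaultMode === "deny" ? "deny" : "allow", matchedBy: null };
}

// Side-by-side view of what the default mode changes: an operation with no
// rule anywhere is open under "allow" and closed under "deny"; an operation
// that does have a rule somewhere is unaffected by the property.
function compareDefaultModes(table, operation, userRoles, acls, parents) {
  return {
    allow: evaluateAccess(table, operation, userRoles, acls, parents, "allow").decision,
    deny: evaluateAccess(table, operation, userRoles, acls, parents, "deny").decision,
  };
}

// Stand-alone run over the constructed data.
if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluateAccess("incident", "read", ["itil"], SAMPLE_ACLS, SAMPLE_PARENTS, "allow"));
  console.log(evaluateAccess("incident", "write", ["admin"], SAMPLE_ACLS, SAMPLE_PARENTS, "deny"));
  console.log(compareDefaultModes("incident", "delete", [], SAMPLE_ACLS, SAMPLE_PARENTS));
}
```

In the model, a read on incident is decided by the inherited task rule, a write falls through to the wildcard rule, and a delete (which has no rule at any level) is the only case where the default mode matters; that is the situation the questioner worried about and the reason the reply above treats the default-deny setting as the safer configuration when no ACL matches.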