sergiu_panaite
ServiceNow Employee

Can you clarify this "I am using an ACL to deny access if the user has the itil_limited role, but it’s not working for the user table." vs "but since the condition is always false, it effectively blocks them."

Didn't you want to deny them access to the sys_user table?

Tai Vu
Kilo Patron

Hey @symonflores_23 

If you want to restrict users with the itil_limited role from accessing the User [sys_user] table, you should consider creating a deny-unless ACL that explicitly blocks access for that role.

Your current ACL condition (User ID is 0) is technically always false. Still, ServiceNow's ACL evaluation logic considers all matching ACLs for a given operation, and if there's another ACL (like one requiring itil or a general read access), it might still allow access.

Let's try to change the Decision Type from "Allow if" to "Deny Unless" and remove the condition.

Check this out => Deny-Unless ACL

Cheers,

Tai Vu

snehareddym
Tera Guru

In ServiceNow, we have ACLs (Access Control Rules), and each ACL has a Decision type — either "Allow if" or "Deny unless".

  • When we use "Allow if", the access is granted only if the conditions (roles, condition field, or script) return true.

  • When we use "Deny unless", the access is denied unless the conditions return true. In other words, if the script or condition returns false, access is restricted.

So, if we want to restrict access (like Create, Read, Write, or Delete), we typically use "Deny unless". If we want to grant access, we use "Allow if" and ensure the conditions return true.

In this scenario, to restrict users with the 'itil_limited' role from accessing the User (sys_user) table.

This script returns false for users with the itil or itil_limited role, which causes the "Deny unless" ACL to block access for those users — exactly as intended.
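The two designs the thread contrasts (the always-false "Allow if" from the question, and the "Deny unless" script Tai Vu and snehareddym recommend), as an added example that is not code from the thread or from ServiceNow. The `makeGs` stub, the `evaluateAccess` model and the `allowIfItilStaff` ACL are constructed for the example; the ACL scripts themselves are written the way a ServiceNow server-side script would be, with the platform calls `gs.hasRole()` and `gs.getUser().hasRoleExactly()`.

```javascript
// Added example, not code from the thread. ServiceNow ACL scripts are
// server-side JavaScript that set `answer`; here each ACL script is a plain
// function taking `gs`, and makeGs is a constructed stand-in for GlideSystem.
function makeGs(roles) {
  var has = function (role) { return roles.indexOf(role) !== -1; };
  return {
    // gs.hasRole() returns true for admins whatever role is asked for,
    // so it is the wrong check for a deny that should spare admins.
    hasRole: function (role) { return has('admin') || has(role); },
    // GlideUser.hasRoleExactly() has no admin shortcut.
    getUser: function () { return { hasRoleExactly: has }; }
  };
}

// The original approach: an "Allow if" whose condition (User ID is 0)
// never holds, so it neither grants nor denies anything on its own.
function allowIfUserIdZero(gs) { return false; }

// An ordinary "Allow if" on sys_user that grants read to ITIL staff
// (constructed; stands for the "other ACL" the thread mentions).
function allowIfItilStaff(gs) {
  return gs.hasRole('itil') || gs.hasRole('itil_limited');
}

// The fix the thread suggests: a "Deny unless" script on sys_user that
// returns false (deny) for itil_limited holders. The exact-role check
// avoids locking out an admin who does not hold that role.
function denyUnlessNotItilLimited(gs) {
  var answer = !gs.getUser().hasRoleExactly('itil_limited');
  return answer;
}

// Simplified model (an assumption, not platform code) of the evaluation the
// thread describes: all "Deny unless" must pass, then some "Allow if" must pass.
function evaluateAccess(gs, denyUnless, allowIf) {
  var denied = denyUnless.some(function (acl) { return !acl(gs); });
  if (denied) { return false; }
  return allowIf.some(function (acl) { return acl(gs); });
}

// Read outcome for an itil_limited user under each design.
function itilLimitedReadOutcome() {
  var limited = makeGs(['itil_limited']);
  return {
    // Always-false "Allow if" beside the normal one: the normal one still grants.
    withAllowIf: evaluateAccess(limited, [], [allowIfUserIdZero, allowIfItilStaff]),
    // "Deny unless" is applied first and blocks regardless of other allows.
    withDenyUnless: evaluateAccess(limited, [denyUnlessNotItilLimited], [allowIfItilStaff])
  };
}
```

An admin without itil_limited still passes the deny-unless script because of the exact-role check; a script using `gs.hasRole('itil_limited')` instead would deny admins as well.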
