Order of execution of an ACL

Community Alums

As per the ServiceNow Wiki, the ACL is executed in the below order:

  • The condition must evaluate to true.
  • The script must evaluate to true or return an answer variable with the value of true.
  • The user must have one of the roles in the required roles list. If the list is empty, this condition evaluates to true.
  • [Record ACL rules only] The matching table-level and field-level ACL rules must both evaluate to true.

However, in the screenshot attached, the role of the user is first checked and then the condition.


Could you please let me know the exact sequence?

Thank You

1 ACCEPTED SOLUTION

Chuck Tomasi
Tera Patron

The sequence is ROLES first, then condition, then script. Roles are cached so it's always more efficient to use roles whenever possible.



Docs: Access control rules


Docs: Contextual security  


Security Best Practices - ServiceNow Wiki



4 REPLIES

Anurag Tripathi
Mega Patron

How does the order matter if all the 3 params (if used) need to be true for the ACL to return true?


-Anurag

It matters because of performance (speed of evaluation). If you don't have the role then the condition and script do not need to be evaluated, and so the ACL is faster to evaluate than evaluating all 3 parts.
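The short-circuit behaviour discussed in this thread, sketched as an added example (not part of the original posts and not ServiceNow's own code). It is a plain JavaScript model; `evaluateAcl`, `check`, the `itil` role and the sample records are all hypothetical names and constructed data.

```javascript
// Simplified model of the order given in the accepted answer: roles, then
// condition, then script. Illustrative only; every name here is hypothetical.
function evaluateAcl(acl, user, record, trace) {
  // 1. Roles: an empty required-roles list evaluates to true.
  trace.push('roles');
  const roleOk = acl.roles.length === 0 ||
    acl.roles.some((role) => user.roles.includes(role));
  if (!roleOk) return false; // condition and script are never evaluated

  // 2. Condition: only reached when the role check passed.
  trace.push('condition');
  if (acl.condition && !acl.condition(record)) return false;

  // 3. Script: evaluated last, only if roles and condition both passed.
  trace.push('script');
  return acl.script ? acl.script(user, record) === true : true;
}

// Constructed sample data.
let scriptRuns = 0;
const acl = {
  roles: ['itil'],
  condition: (record) => record.active === true,
  script: (user, record) => {
    scriptRuns += 1; // counts how often the script part actually runs
    return record.assigned_to === user.name;
  },
};
const record = { active: true, assigned_to: 'alice' };
const inactive = { active: false, assigned_to: 'alice' };
const alice = { name: 'alice', roles: ['itil'] };
const bob = { name: 'bob', roles: [] };

// Returns the decision plus the parts that were actually evaluated.
function check(user, rec) {
  const trace = [];
  const allowed = evaluateAcl(acl, user, rec, trace);
  return { allowed, trace: trace.join(' > ') };
}

console.log(check(alice, record));   // all three parts evaluated
console.log(check(bob, record));     // stops after the role check
console.log(check(alice, inactive)); // stops after the condition
console.log('script runs:', scriptRuns);
```
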
