Why is the field-level ACL getting skipped?

Vasu ch
Kilo Sage

Hi,

Some users in my instances are unable to access some fields in the interaction table. When I checked it using access analyzer I see the field level ACLs are not getting evaluated. It just checks the row level ACL and that's it. And I see some users are able to pass the field level ACL which is as expected. Can anyone please tell me what is going wrong? 

 


One more thing I observed is the interaction record is getting created in Advanced work assignment for HRSM scope but the field level ACLs are in global scope. Is this the reason the field level ACL is getting skipped? If yes, then I tried replicating the ACL in the HRSM scope but the fields like number, state, assignment group etc. are not accessible outside global scope.

 

Please advise.


sundaram080713
Tera Expert

Hello @Vasu ch ,

The problem you're facing, where field-level ACLs are not being evaluated for some users on the Interaction table while others pass the checks as expected, can stem from several factors:

  1. Scope Conflict Between Global and HRSM Scopes: You mentioned that the Interaction record is created in the Advanced Work Assignment (HRSM) scope, but your field-level ACLs are defined in the global scope. ServiceNow enforces scope boundaries, meaning rules and configurations, including ACLs, created in one scope may not automatically apply in another. In this case, field-level ACLs from the global scope may not be enforced for records created in the HRSM scope due to these restrictions.

  2. Replication of ACLs in Scoped Application: While replicating ACLs in the HRSM scope is generally the correct approach, standard fields like number, state, and assignment group may be restricted to the global scope. ServiceNow often enforces global restrictions on such fields, making them difficult to access in other scopes.

  3. Role and Permission Differences: Users experiencing different results in ACL checks could be due to variations in their roles or permissions. Field-level ACLs are evaluated only after row-level ACLs, so if a user passes the row-level check but lacks the required permissions for the field-level ACL, it could block access.

Steps to Resolve:

  • Check the ACL Scope: Ensure that the field-level ACLs are either replicated in the HRSM scope or that cross-scope access is allowed for the fields.
  • Access Analyzer Review: Since you've used Access Analyzer, review the specific field-level ACLs in both scopes, checking for mismatches in conditions or role assignments.
  • Cross-Scope Access: Configure cross-scope privileges between the global and HRSM scopes in the cross-scope access settings, if needed.
  • Role and Permission Review: Verify that users have the correct roles for both row and field-level ACLs.

Reviewing both scope boundaries and user roles should help clarify why the field-level ACLs are being skipped for certain users.

I’m not an expert, but I did my best to share all the knowledge I have to assist you. If you found my response helpful, I would appreciate it if you could mark it as helpful or like it.
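For the "Check the ACL Scope" step above, one way to see which application scope each active field-level ACL on the table belongs to. This is an added example, not part of the original answer. It assumes the server-side GlideRecord API and the `sys_security_acl` table, is meant for Scripts - Background with a role that can read ACL records, and `fieldAclsByScope` is a hypothetical helper name.

```javascript
// Added example: group active ACLs named "<table>.<field>" (or "<table>.*")
// by the application scope that owns them.
// GR is the GlideRecord constructor; it is passed in as a parameter so the
// function can also be run against a stand-in outside an instance.
function fieldAclsByScope(GR, table) {
  var byScope = {};
  var acl = new GR('sys_security_acl');
  acl.addQuery('name', 'STARTSWITH', table + '.'); // field-level rules only
  acl.addQuery('active', true);
  acl.orderBy('name');
  acl.query();
  while (acl.next()) {
    var scope = acl.getDisplayValue('sys_scope');
    var entry = acl.getValue('name') +
      ' [' + acl.getDisplayValue('operation') + ']';
    if (!byScope[scope]) {
      byScope[scope] = [];
    }
    byScope[scope].push(entry);
  }
  return byScope;
}

// On an instance, print the result for the interaction table.
// Skipped automatically where GlideRecord is not defined.
if (typeof GlideRecord !== 'undefined') {
  gs.info(JSON.stringify(fieldAclsByScope(GlideRecord, 'interaction'), null, 2));
}
```

Wildcard rules such as `*.*` are not matched by this query and have to be reviewed separately.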

Hi @sundaram080713 ,

Thanks for the inputs. Seems I need to check the cross scope access part. I will try to do that.