john_garrisi
ServiceNow Employee

As software people, we often think in Boolean expressions: things are black or white, true or false, red or green. The same goes for access permissions in ServiceNow. You either have access or you do not; there are no grey areas.

I often hear "I have given the ITIL role this access, why does it not work?"

When we run Debug Security, it tells us "yes" or "no" on access rights. However, understanding the grey areas in how row-level and field-level Access Control Lists (ACLs) are evaluated may prevent some issues from cropping up, or help solve them when they occur.

Here are the basics of evaluating ACLs:

  1. An ACL record has three control sections that all have to evaluate to True. In other words, the sections (condition, script, and requires role) are "ANDed" together.
  2. There are two types of ACLs: Row level and Field level. The difference between Row level and Field level is quite simply the dot.
    • Any ACL that has a dot in the field definition, such as task.number or task.*, is a Field level ACL.
    • A Row level ACL has no dot, such as task, incident, etc. In the detail view, these show as Incident —None— or Task —None—.

Now that we know the difference between row level and field level, how are they evaluated? The answer is best explained with a picture:

[Image: row field acls servicenow.jpg]

This means that it will evaluate:

  • all row level ACLs combined with the logical OR
  • all field level ACLs combined with the logical OR
  • the results of those will be combined with the logical AND


An ACL that allows you to write at row level while all field-level ACLs deny access will not allow write access to the record, due to the AND between row level and field level. Only when a row-level ACL allows you to write and a field-level ACL also allows you to write will the record be writable.

Assuming the row-level ACLs evaluate to True, what if some field-level ACLs evaluate to True and some do not? The answer is that it depends on the type of field-level ACL. Read ACLs that evaluate to True will allow the field to display. Read ACLs that evaluate to False will prevent the field from displaying. If the read ACL evaluates to True and the write ACL evaluates to False, the field will display in read-only mode.
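To make the evaluation order concrete, here is a small JavaScript model of the rules above (an added example, not ServiceNow platform code): the three control sections of one ACL are ANDed, ACLs at the same level are ORed, and the row-level and field-level results are ANDed, with read and write results combined into the field state the post describes. The ACL names, records and users are constructed; it matches ACL names exactly and treats a level with no matching ACL as allowed, which is an assumption of this model rather than something the post states.

```javascript
// Constructed model of ACL evaluation as described in the post.
// An ACL is an object whose condition and script are predicates over (record, user).
const hasRole = (acl, user) =>
  acl.roles.length === 0 || acl.roles.some(r => user.roles.includes(r));

// Inside one ACL the three control sections are ANDed.
function aclPasses(acl, record, user) {
  return hasRole(acl, user) && acl.condition(record, user) && acl.script(record, user);
}

// The dot is what separates field-level from row-level ACLs.
const isFieldLevel = acl => acl.name.includes('.');

// Row-level ACLs are ORed, field-level ACLs are ORed, then the two results are ANDed.
// Assumption of this model: only exact names match (no wildcards, no parent-table
// inheritance), and a level with no matching ACL does not block access.
function allowed(acls, op, table, field, record, user) {
  const rel = acls.filter(a => a.operation === op);
  const rows = rel.filter(a => !isFieldLevel(a) && a.name === table);
  const fields = rel.filter(a => isFieldLevel(a) && a.name === `${table}.${field}`);
  const orLevel = list => list.length === 0 || list.some(a => aclPasses(a, record, user));
  return orLevel(rows) && orLevel(fields);
}

// Combine read and write results into what the user sees for the field.
function fieldState(acls, table, field, record, user) {
  if (!allowed(acls, 'read', table, field, record, user)) return 'hidden';
  return allowed(acls, 'write', table, field, record, user) ? 'editable' : 'read-only';
}

// Constructed sample ACLs: itil may read/write incident rows and read
// short_description; only the assigned user may write short_description;
// priority is readable by admin only.
const always = () => true;
const sampleAcls = [
  { name: 'incident', operation: 'read',  roles: ['itil'], condition: always, script: always },
  { name: 'incident', operation: 'write', roles: ['itil'], condition: always, script: always },
  { name: 'incident.short_description', operation: 'read',  roles: ['itil'],
    condition: always, script: always },
  { name: 'incident.short_description', operation: 'write', roles: ['itil'],
    condition: (rec, u) => rec.assigned_to === u.id, script: always },
  { name: 'incident.priority', operation: 'read', roles: ['admin'], condition: always, script: always },
];

const sampleRecord = { assigned_to: 'u1' };
const assignee = { id: 'u1', roles: ['itil'] };   // passes row and field write
const otherItil = { id: 'u2', roles: ['itil'] };  // row write passes, field write fails
const noRole = { id: 'u3', roles: [] };           // row-level read fails, so field is hidden
```

The `noRole` case shows the AND between levels: even though no field-level ACL denies `short_description` outright, failing the row-level read hides the field.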

10 Comments
Kalaiarasan Pus
Giga Sage

Happen to read this now ... This is an excellent post ... The diagram really helps. Thanks for writing this up.


tony_barratt
ServiceNow Employee

Thanks for sharing this blog.


Great picture!


joel_ruiz1
Tera Expert

This is such an insightful post. Thank you for taking the time to convey this concept, and the picture is a great visual! Thanks a million!


saurabhsharma
Giga Contributor

Very helpful post. The picture is making things clearer.


Thanks,

Saurabh

MohammadAlS7206
Tera Contributor

Very helpful and informative post.

stephenevans
Tera Contributor

Great diagram and article, thanks! I was getting nowhere for hours until I saw this and worked out where I was going wrong in a minute.

Daniel O Falayi
Kilo Guru

Thanks for Sharing

Harish27
Kilo Guru

Hi John,


Thanks for this amazing article. This just cleared out my confusion. 

Another link which peeps can find helpful on ACL : https://community.servicenow.com/community?id=community_article&sys_id=81222dbadb762f802e8c2183ca961...


Thank you!

Harshit Sharma1
ServiceNow Employee

What happens if there are no field-level ACLs at all? Would the field then be accessible only to admin?

jmmatas
Tera Expert

Thanks for the picture and the explanation!