Find your people. Pick a challenge. Ship something real. The CreatorCon Hackathon is coming to the Community Pavilion for one epic night. Every skill level, every role welcome. Join us on May 5th and learn more here.

Access Control

Go to solution
RupeshK38781664
Giga Contributor

3 weeks ago

When multiple ACL rules match the same table and operation — one grants access while another denies — what is the outcome?

  • 444 Views
1 ACCEPTED SOLUTION

Go to solution
Bhavya11
Kilo Patron

3 weeks ago

Hi @RupeshK38781664 ,

 

You can check using debugging the for any user by session log, that will give you clear idea.

System Diagnostics > Script Debugger > Session Debug

 

Take any example from your PDI and check how many ACL it should pass through and which gives access, and which denies access.

 

Refer below link for more details,

https://www.servicenow.com/community/itsm-forum/acls-for-the-same-fields/td-p/773249/page/2

ACL order of evaluation for multiple rules on the same level for the same object
 
How are Multiple ACL Rules at the Same Point in the Processing Order evaluated?
 
Access Control in ServiceNow with 'Deny Unless' ACLs
 
 

 

If this information proves useful, kindly mark it as helpful or accepted solution.

Thanks,
BK

View solution in original post

3 REPLIES 3

Go to solution
GlideFather
Tera Patron

3 weeks ago

Hi @RupeshK38781664,

 

the best and easiest way for you to find out is to go to your PDI and simulate such a situation and then to verify yourself. What's blocking you from doing so? ;)) or you can go to Access analyser and compare it from there after creating them..

 

Not sure about ACLs but I had the same question regarding assignment rules (same table, same conditions) and ServiceNow simply prioritised the firstly created record over the second one... 

 

You can set this for ACL, test a few scenarios and then you can write an article about it here! Own experience and genuine non-AI knowledge is what this Community always needs!

_____
Answers generated by GlideFather. Check for accuracy.

Go to solution
Bhavya11
Kilo Patron

3 weeks ago

Hi @RupeshK38781664 ,

 

You can check using debugging the for any user by session log, that will give you clear idea.

System Diagnostics > Script Debugger > Session Debug

 

Take any example from your PDI and check how many ACL it should pass through and which gives access, and which denies access.

 

Refer below link for more details,

https://www.servicenow.com/community/itsm-forum/acls-for-the-same-fields/td-p/773249/page/2

ACL order of evaluation for multiple rules on the same level for the same object
 
How are Multiple ACL Rules at the Same Point in the Processing Order evaluated?
 
Access Control in ServiceNow with 'Deny Unless' ACLs
 
 

 

If this information proves useful, kindly mark it as helpful or accepted solution.

Thanks,
BK

Go to solution
SohamTipnis
Mega Sage

2 weeks ago

Hi @RupeshK38781664,

 

In ServiceNow, access control is quite strict when multiple ACLs are involved.

If multiple ACL rules apply to the same table and operation, and even one of them denies access, then the user will not get access, even if another ACL is allowing it.

Think of it like this: ServiceNow checks all the conditions, roles, and scripts tied to those ACLs. For access to be granted, every applicable ACL must evaluate to true. The moment one fails, the system blocks access.

So in short, deny always wins over allow; it's designed this way to keep the system secure and avoid any accidental exposure of data.

 

Let me know if this clears your doubt!!!😉

 

If you find my answer useful, please mark it as Helpful and Correct. ‌‌‌‌😊


Regards,
Soham Tipnis
ServiceNow Developer || Technical Consultant
LinkedIn: www.linkedin.com/in/sohamtipnis10

0 Helpfuls