Restric access to form throught link
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-26-2025 08:42 AM - edited 08-26-2025 08:43 AM
Hi,
I’m looking for a way to restrict users from accessing specific forms directly by entering the .do URL (for example: instance-name.com/incident.do?
Even if a user doesn’t have a role to access the module in the application navigator, they can still access the form if they know the direct URL.
Is there a recommended way to prevent this? Ideally, I’d like to ensure that only authorized users can open forms like incident.do, regardless of how they try to access them.
Thanks in advance for your help!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a month ago - last edited a month ago
hi @Pedro33
May you try via ACL
Steps to secure forms against direct URL access:
1. Check the table ACLs
Go to: System Security > Access Control (ACL).
Look up ACLs for the table (e.g., incident).
You need rules for:
incident.* (all fields)
incident.<field> (field-specific, optional)
incident (record-level access)
Make sure only the roles that should open/view incidents are granted read access.
2. Restrict read and write on the table
Example:
Create a rule for incident with operation = read.
Add condition: role = itil (or whatever role should see incidents).
Users without that role will be denied — even if they paste incident.do in the URL.
3. Prevent form creation via .do?sys_id=-1
Also add an ACL for create on the incident table.
Restrict to roles that are allowed to create new incidents.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a month ago
Hi @Rafael Batistot
When user create a incident(for example) throught a link, the view is self-service and not default view. In the self-service, the short-description is mandatory.
It is possible to redirect to default view?
What is the best pratices to do in this case?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a month ago
Hi @Rafael Batistot,
In the second point, already exist ACL to restrict user to access the incident table.
Can you explain how i can do the third point in ACL?
Is possible to do a Client Script?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a month ago - last edited a month ago
@Pedro33
Is possible to do a Client Script? No. Is in the Access control table
Follow this practices:
https://www.servicenow.com/community/developer-forum/how-to-create-acl-for-ui-page/m-p/1624056#M2809...
