
Differences between ACL None, Field and WIldcard

stefanolejko
Kilo Contributor

Hello, 

 

I have problems understanding the meaning of the ACL system. What exactly is the effect of setting a .None ACL for a user?

Doesn't it mean he has no access to the whole table?

Field and wildcard are kind of easy to understand, but I don't get this None state.

Cheers and thank you

Stefan 


Shishir Srivast
Mega Sage

When you want to have a field level ACL: Tablename.* gives you a field level ACL which allows access to all fields on that table.

When you want to have a table level ACL: Tablename.none gives you a row level ACL which allows access to records.

Tablename.None ACLs execute first, and if the condition is met then it skips to check Tablename.*; else it will execute the TableName.* ACLs.

Rajesh Mushke
Mega Sage
Hey Stefan,

Below are some points regarding both ACLs:

1) TableName.None ACLs execute first, before TableName.*
2) TableName.None has more priority than TableName.*

Both are table level ACLs, but the thing is * is a wild card entry. Suppose None is restricting table level access and you provide access by using *, the system can allow you to do the work.

This is one of the trickiest ACLs to understand. We provide this example along with slides and lab content to help address an understanding, but here is an example.

The below examples assume High Security is enabled and the Default Security Setting is set to Default.

Examples:

If you define a READ ACL with:
• Table.None for Admin & ITIL
Result: Both Admin and ITIL will be able to view all records because they have read access to all records with no field restrictions.

If you define a READ ACL with:
• Table.None for Admin & ITIL & Table.* for Admin
Result: Only Admin will have read access because the Table.* is an explicit rule at the field level that grants only Admin read access to all fields.

If you define a READ ACL with:
• Table.None for Admin & Table.* for ITIL
Result: ITIL will not be able to view any records because they only have read access at the field level and not at the Record/Row level.

*.* represents all records in all tables, all fields in a record.

Hope this helps further.

Please refer: https://docs.servicenow.com/bundle/jakarta-platform-administration/page/administer/contextual-security/concept/access-control-rules.html


Thanks,
Rajashekhar Mushke
Rising star : 2022 - 2024
Community Leader -2018
Connect me on LinkedIn : Rajashekhar Mushke

mukulgupta
ServiceNow Employee

Hi Stefan,

Check out this Doc Article, which should answer your questions:

https://docs.servicenow.com/bundle/jakarta-platform-administration/page/administer/contextual-securi...

 

Please let us know if the shared info was helpful by marking the response as Helpful.

Feel free to reach out if you have any additional questions.

Best Regards,

Mukul Gupta @ ServiceNow

Not applicable

 

Hi Stefan,

Here are the basic ACL Evaluations:

1. An ACL has 3 control sections (Requires Role, Condition, Script); all should evaluate to true.

2. ACL types: 1. Row Level 2. Field Level

To identify the type of ACL: any ACL that has a dot (.) in the field definition (e.g. incident.number, incident.*) is a field level ACL.

Any ACL that does not have a dot (.) (e.g. incident), i.e. incident -none-, is a Row Level ACL.

Now, how are they evaluated?

Let us consider, R=Row and F=Field

((R||R)&&(F||F))

All the row level ACLs are combined with the logical OR.

All the Field level ACLs are combined with logical OR.

The result of both will be ANDed together.

 

So, an ACL that allows you to write at any row level but denies access at all field levels will not allow you to access the record, due to the AND between row level and field level.

If an ACL allows you to write at row level and no field level ACL is present, then write access will be granted.

If the row level ACLs evaluate to true, and some field level ACLs are present of which some evaluate to true and some do not, those read ACLs that evaluate to true will allow the field to display, and those read ACLs that evaluate to false will prevent the field from displaying.

If the read ACL evaluates to true and the write ACL evaluates to false, the field will display in read-only mode.

For a better understanding, go through the following link:

 https://developer.servicenow.com/app.do#!/lp/new_to_servicenow/app_store_learnv2_securingapps_jakarta_to_or_not_to?v=jakarta
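As an added illustration that is not part of any reply above, the following toy model encodes the evaluation rule from the last answer, ((R||R)&&(F||F)), and reproduces the Table.None / Table.* examples from Rajesh's reply. It only models the Requires Role section (Condition and Script are assumed true), and the table, field and role names are constructed for the example.

```javascript
// Toy model of the ACL evaluation described in the thread: row-level rules
// (Table / Table.None) are ORed, field-level rules (Table.* / Table.field) are
// ORed, and the two results are ANDed. Not ServiceNow's own code.

// One ACL record: its name, the operation it protects, and the roles that satisfy it.
function acl(name, operation, roles) {
  return { name, operation, roles };
}

function passes(rule, userRoles) {
  return rule.roles.some((role) => userRoles.includes(role));
}

// Returns { row, field, allowed } for one operation on table.field.
function evaluate(rules, operation, table, field, userRoles) {
  const forOp = rules.filter((r) => r.operation === operation);
  // Row-level: the bare table name (shown as "incident -none-" in the UI).
  const rowRules = forOp.filter((r) => r.name === table);
  // Field-level: the wildcard table.* or the exact table.field (both have a dot).
  const fieldRules = forOp.filter(
    (r) => r.name === `${table}.*` || r.name === `${table}.${field}`
  );
  // Row level: at least one row rule must pass (assumption: with no row-level
  // ACL at all, access is denied; the thread only states the field-level case).
  const row = rowRules.some((r) => passes(r, userRoles));
  // Field level: granted when no field-level ACL exists, otherwise any passing one.
  const fieldOk = fieldRules.length === 0 || fieldRules.some((r) => passes(r, userRoles));
  return { row, field: fieldOk, allowed: row && fieldOk };
}

// How a field renders, per the thread: read true and write false -> read-only.
function fieldMode(rules, table, field, userRoles) {
  if (!evaluate(rules, 'read', table, field, userRoles).allowed) return 'hidden';
  const canWrite = evaluate(rules, 'write', table, field, userRoles).allowed;
  return canWrite ? 'editable' : 'read-only';
}

// Rajesh's second example: Table.None for admin & itil, Table.* for admin only.
// itil passes the row level but fails the field level, so the AND denies it.
const exampleTwo = [
  acl('incident', 'read', ['admin', 'itil']),
  acl('incident.*', 'read', ['admin']),
];
```

Running `evaluate(exampleTwo, 'read', 'incident', 'number', ['itil'])` returns `{ row: true, field: false, allowed: false }`, which is the "only Admin will have read access" outcome from the reply.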