- Post History
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 01-07-2019 11:40 PM
Hello Everyone !
I am explaining ACL.
It's very important topic in ServiceNow.
ACL(Access Control List):
An instance uses access control list (ACL) rules, also called access control rules, to control what data users can access and how they can access it.(Simple meaning perform restriction of data) ACL rules require users to pass a set of requirements in order to gain access to particular data.
Each ACL rule specifies:
- The object and operation being secured
- The permissions required to access the object
Record ACL rules:
Record ACL rules consist of table and field names.
- The table name is the table that you want to secure. If other tables extend from this table, then the table is considered a parent table. ACL rules for parent tables apply to any table that extends the parent table.
- The field name is the field that you want to secure. Some fields are part of multiple tables because of table extension. ACL rules for fields in a parent table apply to any table that extends the parent table.
ACL rules can secure the following record operations:
I m Defining only for 4 Operation With Example:
Read : Allows users to display records from a table.
Write : Allows users to update records in a table.
Create : Allows users to insert new records (rows) into a table.
Delete : Allows users to remove records from a table or drop a table.
- Match the object against table ACL rules.
- Match the object against field ACL rules.
This processing order ensures that users gain access to more general objects before gaining access to more specific objects. A user must pass both table and field ACL rules to access a record object.
- If a user fails a table ACL rule, the user is denied access to all fields in the table, even if the user passes a field ACL rule.
- If a user passes a table ACL rule, but fails a field ACL rule, the user cannot access the field described by the field ACL rule.
Table ACL Rule
The user must first pass the table ACL rule. Since the base system includes STAR (*) table ACL rules that match every table, the user must always pass at least one table ACL rule. The base system provides additional table ACL rules to control access to specific tables.
- Match the table name. For example, incident.
- Match the parent table name. For example, task.
- Match any table name (*). For example, *.
If a user fails all table ACL rules, the user cannot access the fields in any table. If a user passes a table ACL rule, the system then evaluates the field ACL rules.
Field ACL Rule
- Match the table and field name. For example, incident.number.
- Match the parent table and field name. For example, task.number.
- Match any table (*) and field name. For example, *.number.
- Match the table and any field (*). For example, incident.*.
- Match the parent table and any field (*). For example, task.*.
- Match any table (*) and any field (*). For example, *.*.
A user must pass the table ACL rule to be granted access to the table's fields. For example, the user must first pass the table ACL rule for the incident table to access the Number field in the incident table.
The first successful field ACL evaluation stops ACL rule processing at the field level. When a user passes a field ACL rule, the system stops searching for other matching field ACL rules. For example, if a user passes the field ACL rule for incident.number, the system stops searching for other ACL rules that secure the Number field in the incident table.
Define( None ,(*),Filed 😞
These terms define through the example
Examples:
| Action | Role 1 | Role2 | User with Role 1 | User with Role 2 | |
| Read | table.none | table.none | Can read all field | Can read all field | |
| Write | table.none | table.none | Cannot Read form and field | Cannot Read form and field | |
| Read | table.none | table.none | Can Read all Field | Can See table without field | |
| Read | table.* | ||||
| Read | table.none | table.none | Can Read all Field except field | Can See only the field | |
| Read | table.* | table.field | |||
| Read | table.none | table.none | Can read all field except the field | Can Read all fields | |
| Read | table.* | table.* | |||
| Read | table.field | ||||
| Read | table.none | table.none | Can Read all Fields | can Read all except the field | |
| Read | table.field | ||||
| Read | table.none | table.none | Can Read and Write all fields | Can Read all fields | |
| Write | table.none | ||||
| Read | table.none | table.none | Can Read all Fields | Can Read all Fields | |
| Write | table.none | table.* | |||
| Read | table.none | table.none | Can Read and Write all fields | Can Read and Write all fields | |
| Write | table.none | table.none | |||
| Read | table.none | table.none | Can Read and Write all fields | Can Read all fields | |
| Write | table.none | table.none | |||
| write | table.* | ||||
| Read | table.none | table.none | Can Read and Write all fields | Can Read and Write all fields | |
| Write | table.none | table.none | |||
| Write | table.* | table.* | |||
| Read | table.none | table.none | Can read all and write all field except the field | Can Read all Fields | |
| Write | table.none | ||||
| Write | table.field | ||||
| Read | table.none | table.none | Can Read all fields | Can Read and Write all fields | |
| Write | table.none | table.none | |||
| Write | table.* | ||||
| Write | table.field | ||||
| Read | table.none | table.none | Can Write all fields except the one field | Can Read and Write all fields | |
| Write | table.none | table.none | |||
| Write | table.* | table.* | |||
| Write | table.field | ||||
| Read | table.none | table.none | Can Read all the fields | Can Read all the fields | |
| Write | table.field | ||||
| Read | table.none | table.none | Can Write one field but read all field | Can Write one field but read all field | |
| Write | table.none | table.none | |||
| Write | table.*(with answer=false) | table.*(with answer=false) | |||
| Write | table.field | table.field | |||
| Read | table.none | table.none | Can write only one field | Can Write all Fields except one field | |
| Write | table.none | table.none | |||
| Write | table.field | table.* | |||
| Read | table.none | table.none | Can Read and Write all the fields | Can write all Fields except one | |
| Write | table.none | table.none | |||
| Write | table.field | ||||
| Read | table.none | Can see only one field | Security Constraint issue | ||
| Read | table.* | ||||
| Read | table.field | ||||
thanks
- 20,247 Views
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Thanq Rahul your Example is good
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
This is way easier than using the command line for a Linux system haha.
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Thanks Rahul. Probably one of the best articles ever read on ACL's. I have bookmarked it and will share this to my colleagues too. Can you also write an article on Debugging ACLs if possibe.
Br,
Harish M
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Zach -here is my example -why is this incorrect?
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hi Anita,
table.none - gives table level access,
table.* - provides access to all fields data within a table
A user with table.none won't be able to view fields inside a table when any other role with table.* is present, whereas a user with table.* can see all the fields within a table.
Hope this helps!
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Thanks Rahu
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Can we restrict a specific record with ACL? For instance, if we want to make the Name Field Read-only if the Name is Default and Application is Global. Only Security admins can change this name if needed.
Can this be done?
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Access Control rules are applied to a specific table, like the Incident
table. What is the object name for a rule that applies to the entire Incident table (all rows and fields)?
A. incident.*
B. incident.all
C. incident.!
D. incident.None
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
@VyshnaviA067963 Got this exact question on my CSA exam.
As mentioned in this post, table.None seems to grant access to all record data even if table.* is defined or not.
Answer (I believe) is D.
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Can some one help me to explain that why we are not able to write in this case? Only read.
| Action | Role 1 | Role2 | User with Role 1 | User with Role 2 |
| Read | table.none | table.none | Can Read all Fields | Can Read all Fields | |
| Write | table.none | table.* |
