ACL Not Denying Access to User Table and Records for ITIL with limited Role

symonflores_23
Tera Guru

We added external users to our platform to fulfill tickets. We assigned them the ITIL role, but also created a custom role called "itil_limited" to restrict their access to only their own records and assignment groups. So far, we’ve successfully limited their access to incidents, requested items, and similar records using business rules.

 

Since they are external users, we also want to deny them access to the user table, as it contains contact numbers and other sensitive data.

 

I am using an ACL to deny access if the user has the itil_limited role, but it’s not working for the user table.

 

Type: Record
Decision Type: Allow if
Operation: Read
Name: User [sys_user] None and *
Requires Role: itil_limited
Data Condition: User ID is 0 (Always False)

Users with the itil_limited role can only read the sys_user table if the condition is true, but since the condition is always false, it effectively blocks them.

 

Any idea why it still does not deny access to the user table?

1 ACCEPTED SOLUTION

snehareddym
Tera Expert

[Screenshots: comm1.png, comm2.png]

In ServiceNow, we have ACLs (Access Control Rules), and each ACL has a Decision type — either "Allow if" or "Deny unless".

  • When we use "Allow if", the access is granted only if the conditions (roles, condition field, or script) return true.

  • When we use "Deny unless", the access is denied unless the conditions return true. In other words, if the script or condition returns false, access is restricted.

So, if we want to restrict access (like Create, Read, Write, or Delete), we typically use "Deny unless". If we want to grant access, we use "Allow if" and ensure the conditions return true.

In this scenario, we want to restrict users with the itil_limited role from accessing the User (sys_user) table.

The script returns false for users with the itil or itil_limited role, which causes the "Deny unless" ACL to block access for those users — exactly as intended.

View solution in original post

5 REPLIES

sergiu_panaite
ServiceNow Employee

Can you clarify this "I am using an ACL to deny access if the user has the itil_limited role, but it’s not working for the user table." vs "but since the condition is always false, it effectively blocks them."

Didn't you want to deny them access to the sys_user table?

Tai Vu
Kilo Patron

Hey @symonflores_23 

If you want to restrict users with the itil_limited role from accessing the User [sys_user] table, you should consider creating a deny-unless ACL that explicitly blocks access for that role.

 

Your current ACL condition (User ID is 0) is technically always false. Still, ServiceNow's ACL evaluation logic considers all matching ACLs for a given operation, and if there's another ACL (like one requiring itil or a general read access), it might still allow access.

 

Let's try to change the Decision Type from "Allow if" to "Deny Unless" and remove the condition.

Check this out => Deny-Unless ACL

 

Cheers,

Tai Vu

snehareddym
Tera Expert

[Screenshots: comm1.png, comm2.png]

In ServiceNow, we have ACLs (Access Control Rules), and each ACL has a Decision type — either "Allow if" or "Deny unless".

  • When we use "Allow if", the access is granted only if the conditions (roles, condition field, or script) return true.

  • When we use "Deny unless", the access is denied unless the conditions return true. In other words, if the script or condition returns false, access is restricted.

So, if we want to restrict access (like Create, Read, Write, or Delete), we typically use "Deny unless". If we want to grant access, we use "Allow if" and ensure the conditions return true.

In this scenario, we want to restrict users with the 'itil_limited' role from accessing the User (sys_user) table.

 

This script returns false for users with the itil or itil_limited role, which causes the "Deny unless" ACL to block access for those users — exactly as intended.
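As an added illustration (not part of either reply above, and not ServiceNow's own code), here is a small stand-alone JavaScript model of the two points the replies make: Tai Vu's, that an "Allow if" ACL whose condition is always false does not block anything when another "Allow if" ACL for the same operation (such as a baseline itil read on sys_user) passes; and snehareddym's, that a "Deny unless" ACL whose script returns false does block. The `gs`/GlideUser object is a mock, the combination rule (every matching Deny-unless ACL must pass, then at least one Allow-if must pass) is my reading of the platform behaviour, and the baseline itil read ACL, the sample users and the record are constructed assumptions for the demonstration.

```javascript
// Added example: simulation of how "Allow if" and "Deny unless" ACLs combine
// for one operation (read on sys_user). Not ServiceNow code; gs/GlideUser are
// minimal mocks and the evaluation order is an assumption:
//   1. every matching "Deny unless" ACL must pass (answer === true), else deny;
//   2. then at least one matching "Allow if" ACL must pass.
// The script field of the Deny-unless ACL on the real platform would be
// something like (assumption about exact form):
//   answer = !gs.getUser().hasRoleExactly('itil_limited');

// Mock user object. Assumption, matching platform docs: hasRole() is true for
// admins whatever role is asked for; hasRoleExactly() has no admin short-circuit.
function makeUser(name, roles) {
  const set = new Set(roles);
  return {
    name,
    hasRole: (r) => set.has('admin') || set.has(r),
    hasRoleExactly: (r) => set.has(r),
  };
}

// An ACL: decision type, optional "Requires role", and an evaluator that
// returns the ACL's answer (condition or script result) for a user and record.
function acl(name, decision, requiresRole, evaluate) {
  return { name, decision, requiresRole, evaluate };
}

// The OP's ACL: Allow if, role itil_limited, data condition "User ID is 0",
// which is never true, so its answer is always false.
const opAllowIf = acl('sys_user read (allow if, itil_limited)', 'allow_if', 'itil_limited',
  (user, record) => record.user_name === '0');

// Constructed baseline: some other Allow-if read ACL on sys_user that itil users pass.
const baseItilRead = acl('sys_user read (allow if, itil)', 'allow_if', 'itil', () => true);

// The accepted answer's fix: Deny unless, script false for itil_limited users.
const denyUnlessLimited = acl('sys_user read (deny unless)', 'deny_unless', null,
  (user) => !user.hasRoleExactly('itil_limited'));

// Pitfall variant: the same script written with hasRole(), which is true for admins.
const denyUnlessPitfall = acl('sys_user read (deny unless, hasRole)', 'deny_unless', null,
  (user) => !user.hasRole('itil_limited'));

// Combine the matching ACLs for one user/record and return the read decision.
function canRead(user, record, acls) {
  const passes = (a) => {
    if (a.requiresRole && !user.hasRole(a.requiresRole)) return false; // missing role fails the ACL
    return a.evaluate(user, record) === true;
  };
  const denies = acls.filter((a) => a.decision === 'deny_unless');
  const allows = acls.filter((a) => a.decision === 'allow_if');
  if (!denies.every(passes)) return false; // any failing Deny-unless blocks outright
  if (allows.length === 0) return true;    // no Allow-if to satisfy
  return allows.some(passes);              // one passing Allow-if is enough
}

// Constructed sample record and users.
const record = { user_name: 'jane.doe', phone: '+1-555-0100' };
const external = makeUser('ext', ['itil', 'itil_limited']);
const staff = makeUser('staff', ['itil']);
const admin = makeUser('admin', ['admin']);

function summary() {
  return {
    // OP's setup: the always-false Allow-if adds nothing; the itil Allow-if still grants access.
    opSetupExternal: canRead(external, record, [baseItilRead, opAllowIf]),
    // Accepted fix: Deny-unless blocks the external user regardless of the itil Allow-if.
    denyUnlessExternal: canRead(external, record, [baseItilRead, denyUnlessLimited]),
    // itil-only staff and admins are unaffected when the script uses hasRoleExactly().
    denyUnlessStaff: canRead(staff, record, [baseItilRead, denyUnlessLimited]),
    denyUnlessAdmin: canRead(admin, record, [baseItilRead, denyUnlessLimited]),
    // With hasRole() the admin also "has" itil_limited and is locked out of sys_user.
    pitfallAdmin: canRead(admin, record, [baseItilRead, denyUnlessPitfall]),
  };
}

console.log(summary());
```

Two checks worth doing on a real instance before trusting the ACL: impersonate an itil_limited user and confirm the sys_user list and form are denied, and impersonate an admin (or a plain itil user) to confirm they still get in. If the deny script checks the role with `gs.hasRole()` rather than an exact-role check, the admin case fails in this model because `hasRole()` answers true for admins, so the script returns false for them too; verify which GlideUser method your instance version offers before relying on that distinction.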
