BLOG : ServiceNow ACLs
ServiceNow ACLs: Understanding "Decision Type": Allow If vs. Deny Unless, and Precedence Rules
Ever wondered how ServiceNow decides who gets access to what? One crucial setting on an Access Control List (ACL) rule is Decision Type, which determines how the rule's own result (its roles, condition and script) is combined with the other rules that match the same object and operation to grant or deny access.
Understanding the "Decision Type" Field in ACLs
Allow If: grants access if the ACL's requirements (roles, condition, script) evaluate to true. It is permissive: at a given level, the user only has to pass one Allow If ACL.
Deny Unless: denies access unless the ACL's requirements evaluate to true. It is restrictive: at a given level, the user must pass every Deny Unless ACL.
But what does this really mean in action? Let's break it down.
Example Scenario: Controlling Access to the "Assigned To" Field on the Incident Table
Imagine you want to control who can update the "Assigned To" (assigned_to) field on an incident, i.e. the write operation on incident.assigned_to.
Scenario 1: Using "Allow If"
ACL requirement: user has the itil role
Effect:
Users with the itil role can update the assigned_to field.
Users without the itil role cannot update it.
How it works:
Only users with the itil role pass the ACL and may change the field. A user who passes none of the ACLs that match the field is denied.
Scenario 2: Using "Deny Unless"
ACL requirement: user has the manager role
Effect:
Everyone is denied access unless they have the manager role.
How it works:
This is the restrictive approach: the rule denies by default, and only users who meet its requirement (here, the manager role) get through. Note that when it is the only ACL on the field, a Deny Unless rule admits exactly the same users as an Allow If rule with the same requirement would; the difference between the two decision types only shows once several ACLs match the same field, which is what precedence is about.
Precedence: What Happens When Both ACLs Exist?
What if both an "Allow If" and a "Deny Unless" ACL apply to the same field and operation? Which one wins?
Precedence Rule in ServiceNow ACLs:
"Deny Unless" takes priority over "Allow If".
Deny Unless ACLs are evaluated first. If any Deny Unless ACL fails, access is denied, even if an Allow If ACL would have granted it. Only when every Deny Unless ACL passes are the Allow If ACLs considered, and the user must then pass at least one of them.
Example Conflict:
1. ACL 1 (Allow If): users with the itil role can update the Assigned To field.
2. ACL 2 (Deny Unless): only users with the manager role can update the Assigned To field.
Result?
A user with only the itil role cannot update the field: ACL 2 fails, and "Deny Unless" overrides "Allow If". A user with only the manager role is denied as well, because once ACL 2 passes the user still has to pass at least one Allow If ACL, and ACL 1 fails. Only a user holding both itil and manager can update Assigned To.
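The evaluation order described above, as an added example that is not part of the original post and is not ServiceNow's own ACL engine: a small JavaScript model of the Decision Type semantics for one object and operation. It carries the two ACLs from the conflict example plus the single-ACL cases of Scenario 1 and Scenario 2, run against a few constructed sample users; the user names and the `manager` role are assumed for illustration only.

```javascript
// Added example: a model of how ServiceNow combines "Allow If" and
// "Deny Unless" ACLs that match one object/operation (here: write on
// incident.assigned_to). This is illustration code, not the platform's
// engine. ACLs, users and the "manager" role are constructed for the example.

const acls = [
  // ACL 1 (Allow If): passes when the user holds the itil role.
  {
    name: "incident.assigned_to write (Allow If, role itil)",
    decision: "allow_if",
    passes: (user) => user.roles.includes("itil"),
  },
  // ACL 2 (Deny Unless): passes only when the user holds the manager role.
  {
    name: "incident.assigned_to write (Deny Unless, role manager)",
    decision: "deny_unless",
    passes: (user) => user.roles.includes("manager"),
  },
];

/**
 * Evaluate the ACLs matching one object/operation for a user.
 * Rule modelled:
 *   1. every Deny Unless ACL must pass; the first failure denies access;
 *   2. if any Allow If ACLs exist, at least one of them must pass.
 * Returns { allowed, reason } so the deciding rule is visible.
 */
function evaluateAccess(user, aclList) {
  if (aclList.length === 0) {
    // With no matching ACL the platform default applies; not modelled here.
    throw new Error("no matching ACL: platform default applies, not modelled");
  }
  const denyUnless = aclList.filter((a) => a.decision === "deny_unless");
  const allowIf = aclList.filter((a) => a.decision === "allow_if");

  // Deny Unless first: one failing rule is enough to deny.
  for (const acl of denyUnless) {
    if (!acl.passes(user)) {
      return { allowed: false, reason: `failed Deny Unless: ${acl.name}` };
    }
  }
  // Then Allow If: the user needs at least one passing rule.
  if (allowIf.length > 0) {
    const passed = allowIf.find((acl) => acl.passes(user));
    if (!passed) {
      return { allowed: false, reason: "no Allow If ACL passed" };
    }
    return { allowed: true, reason: `passed Allow If: ${passed.name}` };
  }
  // Only Deny Unless ACLs matched, and all of them passed.
  return { allowed: true, reason: "all Deny Unless ACLs passed" };
}

// Constructed sample users (names are assumptions for the example).
const users = {
  itilOnly: { name: "abel.tuter", roles: ["itil"] },
  managerOnly: { name: "beth.anglin", roles: ["manager"] },
  both: { name: "fred.luddy", roles: ["itil", "manager"] },
  neither: { name: "guest", roles: [] },
};

// The three set-ups discussed in the post.
const scenario1 = acls.filter((a) => a.decision === "allow_if");    // Allow If only
const scenario2 = acls.filter((a) => a.decision === "deny_unless"); // Deny Unless only
const conflict = acls;                                              // both rules

// Convenience: decision for a named user under a given ACL set.
function canWriteAssignedTo(userKey, aclList) {
  return evaluateAccess(users[userKey], aclList).allowed;
}

// Print a decision matrix when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  for (const [label, set] of [["scenario1", scenario1], ["scenario2", scenario2], ["conflict", conflict]]) {
    for (const key of Object.keys(users)) {
      const r = evaluateAccess(users[key], set);
      console.log(`${label.padEnd(9)} ${key.padEnd(12)} ${r.allowed ? "ALLOW" : "DENY "}  ${r.reason}`);
    }
  }
}
```

Running the block prints one line per user and scenario; the `conflict` rows show that only the user holding both roles is allowed, while itil-only fails the Deny Unless rule and manager-only fails for lack of a passing Allow If rule.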
Key Takeaways
"Allow If" is permissive: it grants access if its requirements match, and only one Allow If ACL has to pass.
"Deny Unless" is restrictive: it blocks access unless its requirements are met, and every Deny Unless ACL has to pass.
"Deny Unless" takes precedence over "Allow If": when both apply, the user must pass all Deny Unless ACLs and at least one Allow If ACL, so denial wins over permission if there is a conflict.
These rules combine ACLs at the same level. For a field such as incident.assigned_to the user must also pass the table-level write ACL on incident; a field-level rule cannot grant what the table-level rule denies.
When to Use What?
Use "Allow If" when access should be granted to specific roles or groups, and other ACLs may add further ways in.
Use "Deny Unless" when access must be denied to everyone except a specific group, regardless of what other ACLs grant.
