BLOG : ServiceNow ACLs
3 weeks ago
ServiceNow ACLs: Understanding "Decision Type" - Allow If vs. Deny Unless & Precedence Rules
Ever wondered how ServiceNow decides who gets access to what? One crucial setting in Access Control Lists (ACLs) is Decision Type, which determines how access is granted or restricted.
Understanding the "Decision Type" Field in ACLs
- Allow If: Grants access only if the conditions or scripts evaluate to true.
- Deny Unless: Denies access unless the ACL explicitly evaluates to true.
But what does this really mean in action? Let's break it down!
Example Scenario: Controlling Access to the "Assigned To" Field in the Incident Table
Imagine you want to control who can update the "Assigned To" field on an incident.
Scenario 1: Using "Allow If"
ACL Condition: Role = itil
Effect:
- Users with the itil role: can update the assigned_to field.
- Users without the itil role: cannot update it.
How it works:
Here, only users with the itil role are allowed to change the field. If no ACL grants access, the user is blocked by default.
Scenario 2: Using "Deny Unless"
ACL Condition: Role = manager
Effect:
- Everyone is denied access unless they have the manager role.
How it works:
This is a restrictive approach where access is denied by default, and only those meeting the condition are allowed.
Precedence: What Happens When Both ACLs Exist?
What if we have both an "Allow If" and a "Deny Unless" ACL on the same field? Which one wins?
Precedence Rule in ServiceNow ACLs:
"Deny Unless" takes priority over "Allow If".
If any "Deny Unless" ACL fails, access is denied, even if there's an "Allow If" ACL.
Example Conflict:
1. ACL 1 (Allow If): Users with the itil role can update the Assigned To field.
2. ACL 2 (Deny Unless): Only users with the manager role can update the Assigned To field.
Result:
Even if a user has the itil role, they cannot update the field unless they also have the manager role, because "Deny Unless" overrides "Allow If".
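The three cases above (Scenario 1, Scenario 2 and the conflict), worked through as an added example written for this post rather than ServiceNow's own code: a small stand-alone JavaScript model that evaluates a list of ACLs for a user and reports which ACL decided. It assumes a simplified combination rule, namely that every "Deny Unless" ACL must pass and, when "Allow If" ACLs exist, at least one of them must pass. The ACL names, role names, users and incident record are constructed; the script-style "not closed" condition on ACL 3 and the manager-only user are extra illustrations under that assumed rule, not cases the post itself describes.

```javascript
// Added example (not ServiceNow code): a stand-alone model of how the two
// decision types combine on one table.field operation.
// Assumed combination rule (a simplification of the platform's evaluation):
//   1. every "Deny Unless" ACL on the operation must evaluate to true;
//   2. if any "Allow If" ACLs exist, at least one of them must evaluate to true.

const ALLOW_IF = "allow_if";
const DENY_UNLESS = "deny_unless";

// An ACL here is a required role plus an optional script-style condition that
// receives the record and user; an absent condition counts as true.
function makeAcl(name, decisionType, requiredRole, condition) {
  return { name, decisionType, requiredRole, condition: condition || (() => true) };
}

function aclPasses(acl, user, record) {
  return user.roles.includes(acl.requiredRole) && Boolean(acl.condition(record, user));
}

// Returns { allowed, reason } so the deciding ACL is visible when debugging access.
function evaluateAccess(acls, user, record) {
  const denyUnless = acls.filter((a) => a.decisionType === DENY_UNLESS);
  const allowIf = acls.filter((a) => a.decisionType === ALLOW_IF);

  // Step 1: a single failing "Deny Unless" blocks access, whatever else matches.
  for (const acl of denyUnless) {
    if (!aclPasses(acl, user, record)) {
      return { allowed: false, reason: `denied by ${acl.name}` };
    }
  }

  // Step 2: when "Allow If" ACLs exist, one of them has to grant access.
  if (allowIf.length > 0) {
    const grant = allowIf.find((acl) => aclPasses(acl, user, record));
    return grant
      ? { allowed: true, reason: `granted by ${grant.name}` }
      : { allowed: false, reason: "no Allow If ACL matched" };
  }

  // Only "Deny Unless" ACLs were defined and all of them passed.
  return { allowed: true, reason: "all Deny Unless ACLs passed" };
}

// Constructed ACLs for the write operation on incident.assigned_to, mirroring
// the post's scenarios. ACL 3 is an added illustration of a script-style
// condition (hypothetical, not from the post).
const ACL_ALLOW_ITIL = makeAcl("ACL 1 (Allow If: itil)", ALLOW_IF, "itil");
const ACL_DENY_UNLESS_MANAGER = makeAcl("ACL 2 (Deny Unless: manager)", DENY_UNLESS, "manager");
const ACL_DENY_UNLESS_NOT_CLOSED = makeAcl(
  "ACL 3 (Deny Unless: itil and incident not closed)",
  DENY_UNLESS,
  "itil",
  (record) => record.state !== "Closed"
);

const SCENARIO_1 = [ACL_ALLOW_ITIL];                        // "Allow If" only
const SCENARIO_2 = [ACL_DENY_UNLESS_MANAGER];               // "Deny Unless" only
const CONFLICT = [ACL_ALLOW_ITIL, ACL_DENY_UNLESS_MANAGER]; // both on the same field

// Constructed users and record (sample data, not from a real instance).
const USERS = {
  itilOnly: { name: "itil.user", roles: ["itil"] },
  managerOnly: { name: "mgr.user", roles: ["manager"] },
  itilAndManager: { name: "lead.user", roles: ["itil", "manager"] },
  noRoles: { name: "ess.user", roles: [] },
};
const INCIDENT = { number: "INC0000001", state: "In Progress" };

// Evaluates every user against one ACL set; returns { userKey: allowed }.
function accessMatrix(acls, users = USERS, record = INCIDENT) {
  const result = {};
  for (const [key, user] of Object.entries(users)) {
    result[key] = evaluateAccess(acls, user, record).allowed;
  }
  return result;
}

// Stand-alone run: prints the access matrix for each of the post's cases.
if (typeof require !== "undefined" && require.main === module) {
  console.log("Scenario 1 (Allow If itil):", accessMatrix(SCENARIO_1));
  console.log("Scenario 2 (Deny Unless manager):", accessMatrix(SCENARIO_2));
  console.log("Both ACLs on the field:", accessMatrix(CONFLICT));
  console.log("Closed record, ACL 3 only:",
    evaluateAccess([ACL_DENY_UNLESS_NOT_CLOSED], USERS.itilOnly, { ...INCIDENT, state: "Closed" }));
}
```

Run it with `node`. The `reason` field is the useful part when a field unexpectedly turns read-only for a user who holds the "right" role: under this model the answer is always either a specific "Deny Unless" ACL that failed or the absence of any matching "Allow If" ACL, which narrows down which record to inspect in the instance.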
Key Takeaways
- "Allow If" is permissive: it grants access only if conditions match.
- "Deny Unless" is restrictive: it blocks access unless conditions explicitly allow it.
- "Deny Unless" takes precedence over "Allow If", meaning denial wins over permission if there's a conflict.
When to Use What?
- Use "Allow If" when access should be granted only to specific roles/groups.
- Use "Deny Unless" when access should be denied for all except a specific group.
