BLOG : ServiceNow ACLs
02-03-2026 08:13 AM
🚀 ServiceNow ACLs: Understanding "Decision Type" – Allow If vs. Deny Unless & Precedence Rules
🔐 Ever wondered how ServiceNow decides who gets access to what? One crucial setting in Access Control Lists (ACLs) is Decision Type, which determines how access is granted or restricted.
📌 Understanding the "Decision Type" Field in ACLs
✔ Allow If – Grants access only if the conditions or scripts evaluate to true.
❌ Deny Unless – Denies access unless the ACL explicitly evaluates to true.
But what does this really mean in action? Let’s break it down!
🔍 Example Scenario: Controlling Access to the "Assigned To" Field in the Incident Table
Imagine you want to control who can update the "Assigned To" field on an incident.
✅ Scenario 1 – Using "Allow If"
ACL Condition: Role = itil
Effect:
✔ Users with the itil role → ✅ Can update the assigned_to field.
❌ Users without the itil role → ❌ Cannot update it.
How it works
👉 Here, only users with the itil role are allowed to change the field. If no ACL grants access, the user is blocked by default.
❌ Scenario 2 – Using "Deny Unless"
ACL Condition: Role = manager
Effect:
🚫 Everyone is denied access unless they have the manager role.
How it works
👉 This is a restrictive approach where access is denied by default, and only those meeting the condition are allowed.
🔥 Precedence: What Happens When Both ACLs Exist?
What if we have both an "Allow If" and a "Deny Unless" ACL on the same field? Which one wins?
📌 Precedence Rule in ServiceNow ACLs:
"Deny Unless" takes priority over "Allow If"
If any "Deny Unless" ACL fails, access is denied, even if there’s an "Allow If" ACL.
🔍 Example Conflict:
1️⃣ ACL 1 (Allow If) → Users with the itil role can update the Assigned To field.
2️⃣ ACL 2 (Deny Unless) → Only users with the manager role can update the Assigned To field.
Result?
❌ Even if a user has the itil role, they cannot update the field unless they also have the manager role: the "Deny Unless" ACL is checked first, and when it fails evaluation stops and access is denied, so "Deny Unless" overrides "Allow If."
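To make the precedence rule concrete, here is a small JavaScript model of the evaluation order described above, added as an example and not ServiceNow's own engine or code from this post. It assumes an ACL is just a decision type plus a condition over the user's roles, and it follows the post's default of blocking when no ACL grants access; the two ACLs and role sets below are constructed to match Scenario 1, Scenario 2 and the conflict.

```javascript
// Model of ServiceNow ACL "decision type" evaluation (added example, not the real engine).
// An ACL is { name, decision: 'allow_if' | 'deny_unless', condition: (ctx) => boolean }.

// "Role = <role>" condition, as used in the post's ACLs.
function requiresRole(role) {
  return (ctx) => ctx.roles.includes(role);
}

// Returns { granted: boolean, reason: string } for one user context.
function evaluateAccess(acls, ctx) {
  const denyUnless = acls.filter((a) => a.decision === 'deny_unless');
  const allowIf = acls.filter((a) => a.decision === 'allow_if');

  // Step 1: every Deny Unless ACL must pass; the first failure ends evaluation.
  for (const acl of denyUnless) {
    if (!acl.condition(ctx)) {
      return { granted: false, reason: `deny_unless ACL "${acl.name}" failed` };
    }
  }
  // Step 2: when Allow If ACLs exist, at least one of them must pass.
  if (allowIf.length > 0) {
    const hit = allowIf.find((a) => a.condition(ctx));
    return hit
      ? { granted: true, reason: `allow_if ACL "${hit.name}" passed` }
      : { granted: false, reason: 'no allow_if ACL granted access' };
  }
  // Step 3: only Deny Unless ACLs exist and all passed (Scenario 2 with the manager role).
  if (denyUnless.length > 0) {
    return { granted: true, reason: 'all deny_unless ACLs passed' };
  }
  // Assumption: no ACL on the resource at all falls back to the post's "blocked by default".
  return { granted: false, reason: 'no ACL grants access' };
}

// Constructed ACLs for write access to incident.assigned_to (hypothetical names).
const ACL_ITIL_ALLOW_IF = { name: 'assigned_to allow-if itil', decision: 'allow_if', condition: requiresRole('itil') };
const ACL_MANAGER_DENY_UNLESS = { name: 'assigned_to deny-unless manager', decision: 'deny_unless', condition: requiresRole('manager') };
const CONFLICT = [ACL_ITIL_ALLOW_IF, ACL_MANAGER_DENY_UNLESS];

// Scenario 1, Scenario 2 and the conflict, evaluated with the same rule set.
function runScenarios() {
  return {
    scenario1_itil: evaluateAccess([ACL_ITIL_ALLOW_IF], { roles: ['itil'] }).granted,        // true
    scenario1_noRole: evaluateAccess([ACL_ITIL_ALLOW_IF], { roles: [] }).granted,            // false
    scenario2_manager: evaluateAccess([ACL_MANAGER_DENY_UNLESS], { roles: ['manager'] }).granted, // true
    scenario2_itilOnly: evaluateAccess([ACL_MANAGER_DENY_UNLESS], { roles: ['itil'] }).granted,   // false
    conflict_itilOnly: evaluateAccess(CONFLICT, { roles: ['itil'] }).granted,                // false: deny_unless fails
    conflict_both: evaluateAccess(CONFLICT, { roles: ['itil', 'manager'] }).granted,         // true
  };
}
```

A manager-only user is also denied in the conflict case: the Deny Unless check passes, but no Allow If ACL grants access, which is the "blocked by default" behaviour described in Scenario 1.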
💡 Key Takeaways
✔ "Allow If" is permissive – it grants access only if conditions match.
✔ "Deny Unless" is restrictive – it blocks access unless conditions explicitly allow it.
✔ "Deny Unless" takes precedence over "Allow If", meaning denial wins over permission if there’s a conflict.
🚀 When to Use What?
✅ Use "Allow If" when access should be granted only to specific roles/groups.
🚫 Use "Deny Unless" when access should be denied for all except a specific group.
