Business Rule and ACL
8 hours ago
Hello all, does a BR override an ACL or not? If yes, then please provide an example for better understanding.
3 hours ago - last edited 3 hours ago
Business Rules don’t technically override ACLs, but they run on the server with system privileges, which means they can update fields even if the user doesn’t have access.
Example:
ACL: Only HR can update the salary field on 'hr_profile' table.
A normal user edits their profile, but they can’t touch salary in the form.
But if a before update Business Rule runs:
current.salary = 5000;
The field will be updated anyway, because the BR executes as system, not the user. ACLs restrict the user, but Business Rules can still change data in the background.
Thanks & Regards,
Muhammad Iftikhar
If my response helped, please mark it as the accepted solution so others can benefit as well.
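The point made in the answer above, as an added example that is not part of the original thread or ServiceNow's own code: a server-side helper that checks each field's write ACL through `canWrite()` before setting it, instead of writing unconditionally. The `hr_profile` table and `salary` field come from the answer; the helper name `applyUpdatesHonouringAcl`, the `nickname` field and the stand-in record built by `makeConstructedRecord` are assumptions constructed so the logic can run outside an instance.

```javascript
// Added example. As the answer says, a server-side script is not stopped by a
// field ACL, so a script that writes on a user's behalf has to ask for the check.
// applyUpdatesHonouringAcl is a hypothetical helper name, not a platform API.
function applyUpdatesHonouringAcl(record, updates) {
    var result = { applied: [], denied: [] };
    for (var field in updates) {
        if (!Object.prototype.hasOwnProperty.call(updates, field)) {
            continue;
        }
        // isValidField() guards against typos or untrusted field names;
        // canWrite() evaluates the field's write ACL for the session user.
        if (record.isValidField(field) && record[field].canWrite()) {
            record.setValue(field, updates[field]);
            result.applied.push(field);
        } else {
            result.denied.push(field); // left unchanged, reported to the caller
        }
    }
    return result;
}

// Constructed stand-in for a GlideRecord on hr_profile so the helper can run
// outside an instance. Assumption: salary needs the 'hr' role to write,
// nickname (a made-up field) needs no role.
function makeConstructedRecord(userRoles) {
    var values = { salary: 4000, nickname: 'old' };
    var writeRole = { salary: 'hr', nickname: null };
    var rec = {
        isValidField: function (f) { return Object.prototype.hasOwnProperty.call(values, f); },
        setValue: function (f, v) { values[f] = v; },
        getValue: function (f) { return String(values[f]); }
    };
    Object.keys(values).forEach(function (f) {
        rec[f] = {
            canWrite: function () {
                return writeRole[f] === null || userRoles.indexOf(writeRole[f]) !== -1;
            }
        };
    });
    return rec;
}
```

Inside an instance the helper would be called from the Business Rule with `current` as the record. For queries and updates made from script, `GlideRecordSecure` is the platform's ACL-enforcing variant of `GlideRecord`.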
3 hours ago
Your question is not clear.
A Business Rule is for a different purpose and ACLs are for a different purpose.
I would recommend going through the Now Learning course for ServiceNow fundamentals, and also going through the docs and some YouTube videos for better understanding.
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
3 hours ago
Hello @UmesH77, Business Rules do not override ACLs. They work at different layers.
ACL - ACLs are always checked first for security and are mandatory for access.
BR - Business Rules only control what data is returned or how it behaves once access is already allowed.
Suppose an ACL on the incident table says only users with the itil role can read incidents. A user without itil will not be able to see incidents at all, no matter what Business Rule exists.
Now if a user has the itil role and passes the ACL, then a Before Query Business Rule can further filter records. For example:
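(function executeRule(current) {
    // Before Query rule: narrow the result set for users holding the itil role
    if (gs.hasRole('itil')) {
        // Only Priority 1 incidents are returned
        current.addQuery('priority', '1');
    }
})(current);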
Here, even though the user passed the ACL and has read access to the incident, the BR modifies the query so that only Priority 1 incidents are shown to that user.
So, basically ACL decides if you are allowed, Business Rule can then control what you will see.
Mark this solution as accepted and helpful as it will be helpful for other users and readers as well.
Best Regards.
Saurabh V.