Can I prevent a user from accessing certain fields

Rama21
Tera Contributor

Can I prevent a user from accessing certain fields

1 ACCEPTED SOLUTION

Megha Padale
Giga Guru

Hi,

Yes, you can prevent a user from accessing fields by using an ACL.

ACL: Access Control List

An instance uses access control list (ACL) rules, also called access control rules, to control what data users can access and how they can access it. ACL rules require users to pass a set of requirements in order to gain access to particular data. Each ACL rule specifies:

  • The object and operation being secured
  • The permissions required to access the object

Granting or Denying Access

When a user attempts to access a particular object, the system searches for ACL rules that match the requested object's type, operation, and name. If an ACL rule matches these elements, then the user must meet the permissions described in this rule to access the secured object.

If the user fails to meet the permissions required by the first rule, the system searches for the next matching ACL rule. For each matching ACL rule, the user has a chance to meet the required permissions in order to access the object. The system stops searching for matching ACL rules if the user ever meets a matching ACL rule's permissions. If the user cannot meet the permissions of any matching ACL rules, the system denies the user access to the object.

The effects of being denied access to an object depend on the ACL rule that the user failed. For example, failing a read operation ACL rule prevents the user from seeing the object. Depending on the object secured, the ACL rule could hide a field on a form, hide rows from a list, or prevent a user from accessing a particular UI page. See the table for a complete list of results of failing an ACL rule for a given operation and object type.

Operation | Results of failing an ACL rule on the object
execute | User cannot execute scripts on the record or UI page.
create | User cannot see the New UI action on forms. The user also cannot insert records into a table using API protocols such as web services. Note that a create ACL with a condition that a field contain a specific value always evaluates as false, as fields on new records are considered empty until saved.
read | User cannot see the object in forms or lists. The user also cannot retrieve records using API protocols such as web services.
write | User sees a read-only field in forms and lists, and the user cannot update records using API protocols such as web services.
delete | User cannot see the Delete UI action on forms. The user also cannot remove records from a table using API protocols such as web services.
edit_task_relations | User cannot define relationships between task tables.
edit_ci_relations | User cannot define relationships between Configuration Item [cmdb_ci] tables.
save_as_template | Used to control the fields that should be saved when a template is created.
add_to_list | User cannot view or personalize specific columns in the list mechanic.
list_edit | User cannot update records (rows) from a list.
report_on | User cannot create reports on the object.
personalize_choices | User cannot right-click a choice list field and select Configure Choices (Personalize Choices in versions prior to Fuji).

Process order for record ACL rules

Record ACL rules are processed in the following order:
  • Match the object against field ACL rules.
  • Match the object against table ACL rules.

This processing order ensures that users gain access to more specific objects before gaining access to less specific ones. A user must pass both field and table ACL rules in order to access a record object:
  • If a user fails a field ACL rule but passes a table ACL rule, the user is denied access to the field described by the field ACL rule.
  • If a user fails a table ACL rule, the user is denied access to all fields in the table even if the user previously passed a field ACL rule.

ACL matching

If my answer helped you in any way, mark answer as helpful and correct.

Thanks and regards,

Megha.

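A small model of the evaluation order described in the answer above (field rules are matched before table rules, any one matching rule can grant access, and both levels must pass) together with the create-condition caveat from the table. This is an added example, not code from the thread or from ServiceNow; the rule set, users, roles and record are constructed, and the model assumes an object with no matching rule is left unrestricted.

```javascript
'use strict';

// Constructed ACL rule set (not a real instance's rules). "name" is the
// secured object: a table ("incident") or a field ("incident.salary").
// A rule passes when the user holds any listed role (empty list = no role
// needed) AND its optional condition over the record holds.
const rules = [
  { operation: 'read',   name: 'incident',        roles: ['itil'] },
  { operation: 'read',   name: 'incident',        roles: [],
    condition: (user, rec) => rec.caller_id === user.sys_id },
  { operation: 'read',   name: 'incident.salary', roles: ['hr_admin'] },
  { operation: 'write',  name: 'incident',        roles: ['itil'] },
  // Create rule conditioned on a field value: the thread notes this can
  // never pass, because fields of an unsaved record are treated as empty.
  { operation: 'create', name: 'incident',        roles: ['itil'],
    condition: (user, rec) => rec.category === 'hardware' },
];

function passesRule(rule, user, record) {
  const hasRole = rule.roles.length === 0 ||
    rule.roles.some((r) => user.roles.includes(r));
  // On create, the record the condition sees has no saved field values yet.
  const seen = rule.operation === 'create' ? {} : record;
  const condOk = !rule.condition || rule.condition(user, seen);
  return hasRole && condOk;
}

// The user passes the object if ANY matching rule's permissions are met.
// Assumption of this model: an object with no matching rule is unrestricted.
function passesObject(name, operation, user, record) {
  const matching = rules.filter((r) => r.operation === operation && r.name === name);
  return matching.length === 0 || matching.some((r) => passesRule(r, user, record));
}

// Record access: field rules are matched first, then table rules, and the
// user must pass BOTH; failing the table rule denies every field.
function canAccessField(table, field, operation, user, record) {
  if (!passesObject(`${table}.${field}`, operation, user, record)) return false;
  return passesObject(table, operation, user, record);
}

// Constructed users and record used by the checks below.
const agent   = { sys_id: 'u1', roles: ['itil'] };
const hr      = { sys_id: 'u2', roles: ['hr_admin'] };
const hrAgent = { sys_id: 'u3', roles: ['itil', 'hr_admin'] };
const caller  = { sys_id: 'u4', roles: [] };
const inc     = { caller_id: 'u4', category: 'hardware' };
```

Note that `hr` passes the field rule on `incident.salary` yet is still denied, because it fails every table-level read rule; that is the "table rule denies all fields" case from the answer.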

5 REPLIES

Jaspal Singh
Mega Patron

Edit access or read access? Also, you can check for ACLs of type read and write to help you with this.

Utpal Dutta1
Mega Guru

Hey Rama,


Yes, you can do it using a field-level read ACL. Here is the doc:

https://docs.servicenow.com/bundle/orlando-platform-administration/page/administer/contextual-security/concept/access-control-rules.html

If you find my answer helpful then please mark it Correct and Helpful.

Thanks and Regards:

Utpal Dutta

Ankur Bawiskar
Tera Patron

Hi Rama,

There are a couple of ways to do this if you are referring to hiding the fields from the user:

1) onLoad client script, if you want to hide variables based on some script

2) Field-level READ ACLs on those fields; but this is not recommended when you have a larger number of fields, as you will have to create 10 field-level READ ACLs if you want to hide 10 fields

3) UI Policy

It depends on your requirement which approach you need to take.

Mark Correct if this solves your issue and also mark 👍 Helpful if you find my response worthy based on the impact.
Thanks
Ankur

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
