Can I prevent a user from accessing certain fields

Rama21
Tera Contributor

Can I prevent a user from accessing certain fields

1 ACCEPTED SOLUTION

Megha Padale
Giga Guru

Hi,

Yes, you can prevent a user from accessing fields by using an ACL.

ACL: Access control list

An instance uses access control list (ACL) rules, also called access control rules, to control what data users can access and how they can access it. ACL rules require users to pass a set of requirements in order to gain access to particular data. Each ACL rule specifies:

 

  • The object and operation being secured
  • The permissions required to access the object

Granting or Denying Access

When a user attempts to access a particular object, the system searches for ACL rules that match the requested object's type, operation, and name. If an ACL rule matches these elements, then the user must meet the permissions described in this rule to access the secured object.

 

If the user fails to meet the permissions required by the first rule, the system searches for the next matching ACL rule. For each matching ACL rule, the user has a chance to meet the required permissions in order to access the object. The system stops searching for matching ACL rules if the user ever meets a matching ACL rule's permissions. If the user cannot meet the permissions of any matching ACL rules, the system denies the user access to the object.

 

The effects of being denied access to an object depend on the ACL rule that the user failed. For example, failing a read operation ACL rule prevents the user from seeing the object. Depending on the object secured, the ACL rule could hide a field on a form, hide rows from a list, or prevent a user from accessing a particular UI page. See the table for a complete list of results of failing an ACL rule for a given operation and object type.

 

| Operation | Results of Failing an ACL Rule on Object |
| --- | --- |
| execute | User cannot execute scripts on record or UI page. |
| create | User cannot see the New UI action from forms. The user also cannot insert records into a table using API protocols such as web services. Note that a create ACL with a condition that a field contain a specific value always evaluates as false, as fields on new records are considered empty until saved. |
| read | User cannot see the object in forms or lists. The user also cannot retrieve records using API protocols such as web services. |
| write | User sees a read-only field in forms and lists, and the user cannot update records using API protocols such as web services. |
| delete | User cannot see the Delete UI action from forms. The user also cannot remove records from a table using API protocols such as web services. |
| edit_task_relations | User cannot define relationships between task tables. |
| edit_ci_relations | User cannot define relationships between Configuration Item [cmdb_ci] tables. |
| save_as_template | Used to control the fields that should be saved when a template is created. |
| add_to_list | User cannot view or personalize specific columns in the list mechanic. |
| list_edit | User cannot update records (rows) from a list. |
| report_on | User cannot create reports on the object. |
| personalize_choices | User cannot right-click a choice list field and select Configure Choices (Personalize Choices in versions prior to Fuji). |

Process order for record ACL rules

Record ACL rules are processed in a certain order.


Record ACL rules are processed in the following order:
  • Match the object against field ACL rules.
  • Match the object against table ACL rules.
This processing order ensures that users gain access to more specific objects before gaining access to less specific ones.

A user must pass both field and table ACL rules in order to access a record object.
  • If a user fails a field ACL rule but passes a table ACL rule, the user is denied access to the field described by the field ACL rule.
  • If a user fails a table ACL rule, the user is denied access to all fields in the table even if the user previously passed a field ACL rule.
ACL matching

 


If my answer helped you in any way, mark answer as helpful and correct.

Thanks and regards,

Megha.
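
Added example (not part of the original post and not ServiceNow's own code): a small plain-JavaScript model of the evaluation described in the answer above, where a user passes a level as soon as one matching rule is satisfied and must pass both the field level and the table level. The rule shape, the role names and the handling of a level with no matching rule (taken here as not restricting access) are assumptions made for illustration.

```javascript
// Plain-JavaScript model of the ACL evaluation described above.
// This is not ServiceNow API code; rules, roles and users are constructed.
const rules = [
  // Table-level rules: name is the table.
  { operation: 'read',  name: 'incident', roles: ['itil'] },
  { operation: 'write', name: 'incident', roles: ['itil'] },
  // Field-level rules: name is table.field.
  { operation: 'read',  name: 'incident.work_notes', roles: ['itil'] },
  { operation: 'write', name: 'incident.work_notes', roles: ['incident_manager'] },
  { operation: 'write', name: 'incident.work_notes', roles: ['admin'] },
];

// A user passes a level as soon as one matching rule's permissions are met.
function passesLevel(user, operation, name) {
  const matching = rules.filter(r => r.operation === operation && r.name === name);
  // Assumption: a level with no matching rule does not restrict access.
  if (matching.length === 0) return true;
  return matching.some(r => r.roles.some(role => user.roles.includes(role)));
}

// Field rules are checked first, then table rules; both must pass.
function canAccessField(user, operation, table, field) {
  if (!passesLevel(user, operation, `${table}.${field}`)) return false;
  return passesLevel(user, operation, table);
}

// Effect on a form, following the read and write rows of the table above.
function fieldState(user, table, field) {
  if (!canAccessField(user, 'read', table, field)) return 'hidden';
  if (!canAccessField(user, 'write', table, field)) return 'read-only';
  return 'editable';
}

// Constructed sample users.
const agent = { name: 'agent', roles: ['itil'] };
const manager = { name: 'manager', roles: ['itil', 'incident_manager'] };
const fieldOnly = { name: 'fieldOnly', roles: ['incident_manager'] };

for (const u of [agent, manager, fieldOnly]) {
  console.log(u.name, fieldState(u, 'incident', 'work_notes'));
}
```

The `fieldOnly` user passes the field-level write rule but fails the table-level rule, so the write is still denied, which is the last case in the processing-order list.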


5 REPLIES

Gaurav Shirsat
Mega Sage

Hi Rama


I would like to share another way apart from Utpal and Megha.

As this is a field-level type of work, you can achieve it by using client scripts, UI Policy or ACL.

You can try to get this by using an onLoad OOB Client Script.

OOTB ServiceNow onLoad Client Script called "Make applies to readonly":

function onLoad() {
    // Type appropriate comment here, and begin script below
    // Make 'applies_to' read-only for catalog managers and editors who are not catalog admins
    if (!g_user.hasRole('catalog_admin') && (g_user.hasRole('catalog_manager') || g_user.hasRole('catalog_editor'))) {
        g_form.setReadOnly('applies_to', true);
    }
}

You will need to set "Table" to Incident table in Client Script.

Then substitute your "values":

function onLoad() {
    // Make the field read-only on the form for users who have the given role
    if (g_user.hasRole('role_here')) {
        g_form.setReadOnly('your_field', true);
    }
}

It will not be read-only if the field is available on a list; if that is the case, use an ACL as suggested above.

As per the others' suggestion above, if you want to achieve it by using ACL, I have one attached file for you to choose the ACL. Please find the attachment.

Please mark Correct and Helpful

Thanks and Regards

Gaurav Shirsat