‎07-21-2014 12:39 PM
As we know, ServiceNow distinguishes between table and field level ACL rules. If both exist for a particular field, they both must evaluate to true in order to grant the specified access. I have a situation where I need a field rule to essentially trump a table rule, and am trying to wrap my head around the best way of doing so. A generic example:
- The CI Owner (owned_by) should have write access to all fields on the CI record except u_custom_field_1.
- Only members of the "Custom Group" group should be allowed to edit u_custom_field_1, on any CI.
As I see it, I can accomplish most of the above by one table level ACL rule against cmdb_ci that provides write access based on the owned_by value, and one field level ACL rule that checks if the user is a member of "Custom Group". That will prevent the CI Owner from editing this field if he/she is not in this group, as both rules must evaluate to true. However, for the same reason, members of "Custom Group" also cannot edit this field unless they are the CI Owner, due to the table level rule. This is undesirable.
My "brute force" approach to this problem would be to create field level ACL rules for every single field that I'm using on cmdb_ci, but for maintainability reasons that is obviously not a preferred option. Are there any alternatives? Could I approach the problem differently altogether?
‎07-29-2014 07:45 AM
The following should work, provided other ACLs do not interfere.
- Write ACL on <table>.<none> where script evaluates to true for current.owned_by is current user or current user is a member of the "Custom Group" group
- Write ACL on <table>.* where script evaluates to true for current.owned_by
- Write ACL on <table>.u_custom_field_1 where script evaluates to true for current user is a member of the "Custom Group" group
<table>.u_custom_field_1 will be evaluated first, which will only allow write access to this field for members of the group. The <table>.* ACL will allow write access for all other fields on this table to the CI owner. The table level ACL will grant access to both conditions.
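To check the evaluation order described above, here is an added example (not code from the answer or from ServiceNow) that models the three write ACLs as plain JavaScript with a stubbed `gs` and `current`; `makeContext`, `acls` and `canWrite` are assumed helper names, and the lookup order (most-specific field ACL first, then the table-level ACL must also pass) is the assumption being tested.

```javascript
// Stub of the ServiceNow server-side API used by the ACL scripts:
// gs.getUserID() and gs.getUser().isMemberOf() exist on the platform;
// here they are backed by a constructed user id and group list.
function makeContext(userId, groups) {
  return {
    getUserID: function () { return userId; },
    getUser: function () {
      return { isMemberOf: function (g) { return groups.indexOf(g) !== -1; } };
    }
  };
}

// One script per ACL from the answer. Each takes (current, gs) explicitly
// instead of relying on platform globals so the rules can run offline.
var acls = {
  // Write ACL on cmdb_ci.none: CI owner OR member of "Custom Group"
  'cmdb_ci.none': function (current, gs) {
    return current.owned_by == gs.getUserID() ||
           gs.getUser().isMemberOf('Custom Group');
  },
  // Write ACL on cmdb_ci.*: CI owner only
  'cmdb_ci.*': function (current, gs) {
    return current.owned_by == gs.getUserID();
  },
  // Write ACL on cmdb_ci.u_custom_field_1: group members only
  'cmdb_ci.u_custom_field_1': function (current, gs) {
    return gs.getUser().isMemberOf('Custom Group');
  }
};

// Field ACLs are matched most-specific first (table.field before table.*);
// the first match is used, and the table-level ACL must also grant access.
function canWrite(table, field, current, gs) {
  var fieldAcl = acls[table + '.' + field] || acls[table + '.*'];
  var tableAcl = acls[table + '.none'];
  return Boolean(fieldAcl(current, gs) && tableAcl(current, gs));
}

// Constructed sample record and users for a stand-alone run.
var ci = { owned_by: 'owner_sys_id' };
var owner = makeContext('owner_sys_id', []);
var groupMember = makeContext('other_sys_id', ['Custom Group']);
console.log('owner -> name:', canWrite('cmdb_ci', 'name', ci, owner));
console.log('owner -> u_custom_field_1:', canWrite('cmdb_ci', 'u_custom_field_1', ci, owner));
console.log('group member -> name:', canWrite('cmdb_ci', 'name', ci, groupMember));
console.log('group member -> u_custom_field_1:', canWrite('cmdb_ci', 'u_custom_field_1', ci, groupMember));
```

Adding a fourth user who is neither owner nor group member shows both fields denied, which is the case other interfering ACLs would have to avoid loosening.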
‎08-06-2014 09:31 AM
Thanks Chad, this helped solve my problem!
‎12-18-2017 08:15 AM
Hey Chad,
I have a different problem and I was hoping you could help me:
1. Config Management Lead should be able to update all fields on Application Table
2. Custom Role should be able to edit only 1 custom field on Application Table. But none of the other fields.
How can we do this? As soon as I write a field level ACL for the custom field, it overrides the table level ACL, and then the Config Management Lead is not able to edit the field if the user does not have the Custom Role.
Config Management Lead - Record Level ACL
Custom Role - Field Level ACL to edit the field
‎05-26-2022 02:47 AM
Hi,
Have you found a solution for the above query?
Custom Role should be able to edit only 1 custom field on Application Table. But none of the other fields.
How can we do this? As soon as I write a field level ACL for the custom field, it overrides the table level ACL, and then the Config Management Lead is not able to edit the field if the user does not have the Custom Role.
Please share it with me. I also have the same requirement.
