We've updated the ServiceNow Community Code of Conduct, adding guidelines around AI usage, professionalism, and content violations. Read more

How to restrict updates on “Closed” Incidents in ITSM?

vickythakur
Kilo Contributor

yesterday

Spoiler

Hello Community, We have a requirement in ITSM where once an Incident record is moved to the Closed state, it should become read‑only for all users except Administrators. Currently, users can still update fields after closure, which is causing audit concerns. What is the best way to enforce this restriction — should we use a Data Policy/UI Policy or an ACL?

 
0 Helpfuls
  • 100 Views
3 REPLIES 3

Dr Atul G- LNG
Tera Patron

an hour ago

ACL is best to do mate.

 

https://www.servicenow.com/community/itsm-forum/make-2-fields-editable-on-incident-form-when-inciden...

 

https://www.servicenow.com/community/itsm-forum/writable-field-on-incident-is-readonly-for-all-users...

*************************************************************************************************************
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/dratulgrover [ Connect for 1-1 Session]

****************************************************************************************************************
0 Helpfuls

surajsengar
Kilo Guru

53m ago

@vickythakur 

This is a common ITSM governance requirement, and the best practice is to use ACLs (Access Control Lists) for enforcement, with optional UI Policies for user experience.

 

ACLs (Recommended):

ACLs operate at the server level, so they apply regardless of how the record is accessed (UI, API, integrations, imports).

You can configure a Write ACL on the Incident table with a condition like:

 

Script -

 

 current.state == '7' && !gs.hasRole('admin')

 Here, 7 is the closed state value. This ensures only Admins can update closed incidents.

 

UI/Data Policies (Optional):

 

These make fields appear read‑only in the form, improving user experience.

However, they only apply in the UI and do not prevent updates via APIs or background scripts.

 

Best Practice:

 

Use ACLs for true security and compliance.

Complement with UI Policies so users see the restriction visually in the form.

This combination ensures both robust enforcement and a clear user experience.

0 Helpfuls

Ankur Bawiskar
Tera Patron

38m ago

@vickythakur 

OOTB users can't edit closed INC. See screenshot below

I am ITIL user and INC is closed and I am unable to edit

Seems somebody customized the OOTB Table.None WRITE ACL on incident table

Use access analyzer and see which ACL is allowing WRITE on CLOSED INC

[Vancouver Release] Customers gain enhanced access visibility with ServiceNow Access Analyzer 

55.png

ACLs to check

55.png

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  10x ServiceNow MVP  ||  ServiceNow Community Leader
0 Helpfuls