what is the difference between * and None in acl?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-17-2017 07:38 AM
I have read many articles on this but still have some doubt. In developer instance i have created 2 read acls. One with None and the other with *. The None is granting the read access and * is not. Which one is a field level and which one is a table level acl?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-14-2017 03:55 AM
Hi Dave
Thanks for the reply, have a doubt. I have added 3 'read' acl's on the table table_1 for ITIL user.
1. table_1.None
2.table_1.*
3.table_1.created_by
When I disable the None acl, user does not have access to the table and fields as "Security constraints prevent access to requested page"
when I enable it, it is providing access to all the fields as it is a table level acl.
In my case only the created_by should be readable for the ITIL users, rest of the fields should be hidden. What should be the step that has to be followed?
P.S: Attached screenshot of acls.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-14-2017 09:06 AM
sanker sanal wrote:
When I disable the None acl, user does not have access to the table and fields as "Security constraints prevent access to requested page"
when I enable it, it is providing access to all the fields as it is a table level acl.
Indeed. As I wrote higher up:
incident.NONE = a rule for the table itself. Think of it as a key to the room's door - if there's no table.none rule, all other field rules are redundant.
Without it, all other permissions don't count. The diagram in the documentation about the ACL processing order feels incorrect to me - it claims, fields rules are processed before table rules (which may be true) but my experimentation has shown:
- if there's no table rule then all field rules are blocked
- it's possible to have a table rule and no field rules and access is still granted
This suggests to me that - logically - table rules are processed first, then field rules to ascertain what level of access a user has to the table contents.
sanker sanal wrote:
Hi Dave
In my case only the created_by should be readable for the ITIL users, rest of the fields should be hidden. What should be the step that has to be followed?
Are you saying that those with the ITIL role should only see the "created_by" field and nothing else? Are there any other ACLs on this table?
It may help to create yourself a security model - a diagram depicting:
- what the object is (field, table, etc)
- what level of access is required
- what role is granted it (who)
Proper design is the key to good implementation. At present your requirements feel vague; clarify those then building it should be fairly easy.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-01-2018 07:04 AM
Hi Sankar,
Have you found solution how to enable access only to certain fields to a user with specific role.
I am observing the same behaviour and tried all compination.
table.none - must be there as give access to records
table.field - when enabled user still have access to all fields.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-05-2018 04:11 PM
Hi,
Have you checked there are no other ACLs providing user access to table.fields? try the debug ACL option as well and it will tell you exactly why the user is getting access to a field or not. Below article will certainly be useful.
https://docs.servicenow.com/bundle/jakarta-platform-administration/page/administer/contextual-security/concept/c_AccessControlRulesDebug.html
Let me know if it still doesn't resolve your issue. Thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-02-2020 09:26 PM
Hi Sanker,
Any update on this?
Can you mark my answer as ✅ correct, 👍 helpful if you were able to achieve the requirement. This helps in removing this question from unanswered list and helps users to learn from your thread. Thanks in advance.
Regards
Ankur
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader