what is the difference between * and None in acl?

Kannan Nair · ‎02-17-2017

I have read many articles on this but still have some doubt. In developer instance i have created 2 read acls. One with None and the other with *. The None is granting the read access and * is not. Which one is a field level and which one is a table level acl?

Kannan Nair · ‎03-14-2017

Hi Dave

Thanks for the reply, have a doubt. I have added 3 'read' acl's on the table table_1 for ITIL user.

1. table_1.None

2.table_1.*

3.table_1.created_by

When I disable the None acl, user does not have access to the table and fields as "Security constraints prevent access to requested page"

when I enable it, it is providing access to all the fields as it is a table level acl.

In my case only the created_by should be readable for the ITIL users, rest of the fields should be hidden. What should be the step that has to be followed?

P.S: Attached screenshot of acls.

Dave Smith1 · ‎03-14-2017

sanker sanal wrote:

When I disable the None acl, user does not have access to the table and fields as "Security constraints prevent access to requested page"

when I enable it, it is providing access to all the fields as it is a table level acl.

Indeed. As I wrote higher up:

incident.NONE = a rule for the table itself. Think of it as a key to the room's door - if there's no table.none rule, all other field rules are redundant.

Without it, all other permissions don't count. The diagram in the documentation about the ACL processing order feels incorrect to me - it claims, fields rules are processed before table rules (which may be true) but my experimentation has shown:

if there's no table rule then all field rules are blocked
it's possible to have a table rule and no field rules and access is still granted

This suggests to me that - logically - table rules are processed first, then field rules to ascertain what level of access a user has to the table contents.

sanker sanal wrote:

Hi Dave

In my case only the created_by should be readable for the ITIL users, rest of the fields should be hidden. What should be the step that has to be followed?

Are you saying that those with the ITIL role should only see the "created_by" field and nothing else? Are there any other ACLs on this table?

It may help to create yourself a security model - a diagram depicting:

what the object is (field, table, etc)
what level of access is required
what role is granted it (who)

Proper design is the key to good implementation. At present your requirements feel vague; clarify those then building it should be fairly easy.

vladimircheresh · ‎03-01-2018

Hi Sankar,

Have you found solution how to enable access only to certain fields to a user with specific role.

I am observing the same behaviour and tried all compination.

table.none - must be there as give access to records

table.field - when enabled user still have access to all fields.

Ripu Daman1 · ‎04-05-2018

Hi,

Have you checked there are no other ACLs providing user access to table.fields? try the debug ACL option as well and it will tell you exactly why the user is getting access to a field or not. Below article will certainly be useful.

https://docs.servicenow.com/bundle/jakarta-platform-administration/page/administer/contextual-security/concept/c_AccessControlRulesDebug.html

Let me know if it still doesn't resolve your issue. Thanks.

Ankur Bawiskar · ‎03-02-2020

Hi Sanker,

Any update on this?
Can you mark my answer as ✅ correct, 👍 helpful if you were able to achieve the requirement. This helps in removing this question from unanswered list and helps users to learn from your thread. Thanks in advance.

Regards
Ankur

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader