What is the order of evaluation of record ACL?

Manu4
Tera Contributor

What is the order of evaluation of record ACL?

Is it like:

1. Match object against table-level ACL rule
2. Match object against field-level ACL rule

(OR)

1. Match object against field-level ACL rule
2. Match object against table-level ACL rule

Ankur Bawiskar
Tera Patron

Hi Manu,

ACLs are well explained in the links below:

https://community.servicenow.com/community?id=community_question&sys_id=0184c3a9dbd8dbc01dcaf3231f96...

https://community.servicenow.com/community?id=community_question&sys_id=65ac588bdbb8eb08d58ea345ca96...

Mark Correct if this solves your issue and also mark 👍 Helpful if you find my response worthy based on the impact.
Thanks
Ankur

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Himanshu Dubey
Giga Guru

Hi Manu,

The ACL is executed in the order below:

  • The condition must evaluate to true.
  • The script must evaluate to true or return an answer variable with the value of true.
  • The user must have one of the roles in the required roles list. If the list is empty, this condition evaluates to true.
  • [Record ACL rules only] The matching table-level and field-level ACL rules must both evaluate to true.

Please mark correct and helpful if it helps in any way

Thanks & Regards

Himanshu Dubey

AbhishekGardade
Giga Sage

Hello Manu,

Record ACL rules are processed in the following order:

  • Match the object against field ACL rules.
  • Match the object against table ACL rules.

This processing order ensures that users gain access to more specific objects before gaining access to less specific ones.

A user must pass both field and table ACL rules in order to access a record object.
  • If a user fails a field ACL rule but passes a table ACL rule, the user is denied access to the field described by the field ACL rule.
  • If a user fails a table ACL rule, the user is denied access to all fields in the table even if the user previously passed a field ACL rule.

Reference:

https://docs.servicenow.com/bundle/helsinki-platform-administration/page/administer/contextual-secur...

Please mark as Correct Answer and Helpful, if applicable.
Thank You!
Abhishek Gardade

Thank you,
Abhishek Gardade

Hi @AbhishekGardade,

I think you have mentioned them in the reverse order.

Record ACL rules are processed in the following order:
  • Match the object against table ACL rules.
  • Match the object against field ACL rules.

This processing order ensures that users gain access to more specific objects before gaining access to more general objects. A user must pass both table and field ACL rules to access a record object.

  • If a user fails a table ACL rule, the user is denied access to all fields in the table, even if the user passes a field ACL rule.
  • If a user passes a table ACL rule, but fails a field ACL rule, the user cannot access the field described by the field ACL rule.
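
Added example, not part of any reply in this thread and not ServiceNow code: a simplified JavaScript model of the checks the replies describe (condition, script, required roles, then table-level and field-level rules that must both pass). The rule shape, the helper names, the sample rules and users, and the treatment of a name with no rule as denied are assumptions made for illustration.

```javascript
// Simplified model of the checks described in this thread; not ServiceNow's implementation.
// Rule shape, helper names and sample data are constructed for illustration.

// A single ACL rule passes only if its condition, script and role checks all pass.
function rulePasses(rule, user, record) {
  const conditionOk = rule.condition ? rule.condition(record) === true : true;
  const scriptOk = rule.script ? rule.script(user, record) === true : true;
  // An empty required-roles list evaluates to true.
  const rolesOk = rule.roles.length === 0 ||
    rule.roles.some(role => user.roles.includes(role));
  return conditionOk && scriptOk && rolesOk;
}

// Assumptions of this model: passing any one rule with the given name is enough,
// and a name with no rule at all is treated as denied.
function namePasses(rules, name, operation, user, record) {
  return rules
    .filter(r => r.name === name && r.operation === operation)
    .some(r => rulePasses(r, user, record));
}

// Both the table-level and the field-level rule must pass. The decision is a
// logical AND, so the result is the same whichever of the two is checked first.
function canAccessField(rules, table, field, operation, user, record) {
  if (!namePasses(rules, table, operation, user, record)) {
    return false; // table-level failure: every field in the table is denied
  }
  return namePasses(rules, `${table}.${field}`, operation, user, record);
}

// Constructed sample rules, record and users.
const rules = [
  { name: 'incident', operation: 'read', roles: ['itil'] },
  { name: 'incident.short_description', operation: 'read', roles: [] },
  { name: 'incident.work_notes', operation: 'read', roles: ['itil_admin'],
    condition: rec => rec.active === true },
];
const record = { active: true };
const agent = { roles: ['itil'] };
const guest = { roles: [] };

function demo() {
  const check = (user, field) =>
    canAccessField(rules, 'incident', field, 'read', user, record);
  return {
    agentShortDescription: check(agent, 'short_description'), // table and field pass
    agentWorkNotes: check(agent, 'work_notes'),               // table passes, field fails
    guestShortDescription: check(guest, 'short_description'), // table fails
  };
}
console.log(demo());
```

The guest is denied `short_description` even though its field-level rule has no role requirement, because the table-level rule fails first.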