Why Can Users Without Roles See the “New” Button in Data Table Widget?

天宇石 · 3 weeks ago

I’m using the widget-data-table in the Service Portal to display a list of Incidents.
However, users without any roles can still see the “New” button and are able to create new Incident records.

Why is this happening, and how can I fix it?

スクリーンショット 2026-03-16 174840.png

スクリーンショット 2026-03-16 174739.png

スクリーンショット 2026-03-16 174643.png

Kapil Pawar · 3 weeks ago

We faced a similar issue a few days ago, and based on that experience, we decided not to implement an ACL for this requirement. Instead, we added an alternative solution by hiding the action button on the List widget using CSS, as shown below:

.btn.btn-primary.btn-sm.m-l-xs.ng-scope {
display: none !important;
}

View solution in original post

Ankur Bawiskar · 3 weeks ago

@天宇石

the KB clearly says if explicit role plugin is not present then no role will be added in that roles

In your current situation the ACL is allowing that user and hence they are able to see NEW button

In script you can check and add your logic.
note: since you are updating OOTB ACL it will be skipped during upgrade

💡 If my response helped, please mark it as correct ✅ and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
✨ Certified Technical Architect || ✨ 10x ServiceNow MVP || ✨ ServiceNow Community Leader

suraj sengar · 3 weeks ago

@天宇石

Users without roles can see the “New” button in the Service Portal Data Table widget because the widget does not enforce role checks by default — it simply mirrors the platform list view behavior. To fix this, you need to explicitly configure the widget to hide or disable the “New” button using the “Omit new button” option or by customizing user criteria/ACLs.

Why This Happens
The Data Table widget in Service Portal is designed to replicate the platform list view.

By default, the “New” button is visible to all users, regardless of roles, because the widget doesn’t automatically check ACLs or role restrictions.

This means even users without ITIL or other roles can click “New” and create records.

How to Fix It
Use the “Omit new button” option

In the widget configuration, enable Omit new button.

This removes the “New” button entirely from the Data Table view.

Users will then need to use the Service Catalog or other guided processes to create records.

Apply ACLs (Access Control Lists)

Ensure the create ACL on the Incident table requires the ITIL role (or whichever role you want).

This prevents unauthorized users from creating records, even if the button is visible.

Without ACLs, the button may still allow record creation.

Customize the Widget

If you want finer control, you can edit the widget’s client script or HTML template to hide the “New” button based on user roles.

Example: add a check for gs.hasRole('itil') before rendering the button.

Alternative Approach

Instead of exposing the Incident table directly, guide users through the Service Catalog.

This ensures they follow the proper request process rather than creating incidents directly.
Refer - https://www.servicenow.com/community/servicenow-ai-platform-blog/removing-the-new-button-from-servic...

Kapil Pawar · 3 weeks ago

We faced a similar issue a few days ago, and based on that experience, we decided not to implement an ACL for this requirement. Instead, we added an alternative solution by hiding the action button on the List widget using CSS, as shown below:

.btn.btn-primary.btn-sm.m-l-xs.ng-scope {
display: none !important;
}