Willem
Giga Sage

Security setup: ACL evaluation order – Best Practice

You can see here that:

  1. The Role evaluation is done first: one or more of the user's roles are matched against the Requires role field.
  2. Then one or more Conditions are evaluated.
  3. And finally the Script runs, which either evaluates to true or false or sets the answer variable to true or false.

[screenshot of the ACL record]

The evaluation order looks like this (image from the Docs with added numbers):

[diagram: ACL evaluation order from the Docs, with numbers added]

Knowing this evaluation order gives us the chance to create more efficient ACLs. Think of some of the larger tables and all the records in them: these ACLs are evaluated over and over, once per record and per user, so any efficiency gained is multiplied many times over.

Set up the required roles so that only the right roles/people get access, or continue to the next evaluation (the Condition check). Users who do not have the required role are denied at step 1; the Condition and Script do not need to run for them at all:

[screenshot: ACL with the required roles set]

Compare this to an ACL with a less clearly defined Requires role, where only the Condition or the Script determines access: here the Condition (and possibly the Script) has to be evaluated for every user, including the ones a role check could have rejected immediately, so the ACL needs to do a bit more work to reach the same result:

[screenshot: ACL with no required roles, where only the Condition or Script decides access]
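To make the difference countable, here is an added simulation (written for this page; it is not ServiceNow platform code and does not call any ServiceNow API) of the three-stage order described above. It evaluates the "same" access rule twice over a constructed set of users and incident-like records: once with itil in Requires role, and once with no required role and the role check pushed into the Script. The function names (makeUser, makeAcl, evaluateAcl, runAcl, compareAcls), the sample users and records, and the rule that an explicitly set answer wins over the script's return value are all assumptions made for the example.

```javascript
// Added illustration, not ServiceNow platform code: a minimal simulation of the
// evaluation order described in the post (Requires role, then Condition, then
// Script) so the cost of skipping the role stage can be counted.
// All names (makeUser, makeAcl, evaluateAcl, runAcl, compareAcls) and the
// sample data are assumptions made for this example.

function makeUser(name, roles, groups) {
  return { name: name, roles: new Set(roles), groups: new Set(groups) };
}

// requiresRoles: any one matching role passes (like a Requires role list).
// condition: predicate on (record, user), or null.
// script: function (record, user, scope); it may return true/false or set
// scope.answer, mirroring the ACL script convention from the post.
function makeAcl(requiresRoles, condition, script) {
  return { requiresRoles: requiresRoles, condition: condition, script: script };
}

// Evaluate one ACL for one user on one record. Each stage runs only if the
// previous stage passed; stats counts how often each stage actually ran.
function evaluateAcl(acl, user, record, stats) {
  if (acl.requiresRoles.length > 0) {
    stats.role += 1;
    var hasRole = acl.requiresRoles.some(function (r) { return user.roles.has(r); });
    if (!hasRole) return false;          // denied at stage 1; nothing else runs
  }
  if (acl.condition) {
    stats.condition += 1;
    if (!acl.condition(record, user)) return false;   // denied at stage 2
  }
  if (acl.script) {
    stats.script += 1;
    var scope = { answer: undefined };
    var returned = acl.script(record, user, scope);
    // Assumption for this simulation: an explicitly set answer takes
    // precedence over the script's return value.
    var verdict = scope.answer !== undefined ? scope.answer : returned;
    return verdict === true;
  }
  return true;
}

// Run one ACL over every user/record pair and report the stage counts.
function runAcl(acl, users, records) {
  var stats = { role: 0, condition: 0, script: 0, granted: 0 };
  users.forEach(function (user) {
    records.forEach(function (record) {
      if (evaluateAcl(acl, user, record, stats)) stats.granted += 1;
    });
  });
  return stats;
}

// Constructed sample data: two fulfillers with the itil role, two users without it.
var sampleUsers = [
  makeUser('alice', ['itil'], ['database']),
  makeUser('bob', ['itil'], ['network']),
  makeUser('carol', [], ['network']),
  makeUser('dave', [], [])
];
var sampleRecords = [];
for (var i = 0; i < 5; i++) {
  sampleRecords.push({
    number: 'INC000' + i,
    assignment_group: i % 2 === 1 ? 'network' : 'database',
    state: i === 4 ? 'closed' : 'open'
  });
}

// Condition: the record is assigned to one of the user's groups.
function inUsersGroup(record, user) {
  return user.groups.has(record.assignment_group);
}

// Script: sets answer instead of returning, as the post describes.
function notClosedScript(record, user, scope) {
  scope.answer = record.state !== 'closed';
}

// The same effective rule expressed two ways:
//  - withRole: itil required up front, then the group condition, then the script
//  - withoutRole: no Requires role; the role check is pushed into the script
function compareAcls() {
  var withRole = makeAcl(['itil'], inUsersGroup, notClosedScript);
  var withoutRole = makeAcl([], inUsersGroup, function (record, user, scope) {
    scope.answer = user.roles.has('itil') && record.state !== 'closed';
  });
  return {
    withRole: runAcl(withRole, sampleUsers, sampleRecords),
    withoutRole: runAcl(withoutRole, sampleUsers, sampleRecords)
  };
}

console.log(JSON.stringify(compareAcls(), null, 2));
```

Both variants grant exactly the same four user/record pairs, but with itil in Requires role the Condition runs 10 times and the Script 5 times over the 20 pairs, while the version without a required role runs the Condition 20 times and the Script 7 times; every evaluation for carol and dave was wasted work that a role check would have cut off at step 1.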

⚠️ Note: Although the title calls it a BESS PRACTISS, that only means it is good to know its principle and understand the reasoning. If, for any reason, deviating from it better fits the purpose, then always do that.

If you have any of your own BESS PRACTISUSS please add/share in the comments.


© BESS PRACTISS and BESS PRACTISUSS are trademarked and belong to @Robert Fedoruk 

Comments
Uncle Rob
Kilo Patron

BESS PRACTISUSS

IndianaJones
Tera Expert

@Willem 


I was on the Servicenow docs website (https://docs.servicenow.com/bundle/vancouver-platform-security/page/administer/contextual-security/c...) and was wondering if you knew why the diagram shows the order you have in this post, but then they talk about the evaluation in the opposite order right before it. Seems very confusing to me but wanted to double check with you if their wording is backwards?


[screenshot of the docs page]


D van Heusden
ServiceNow Employee

@IndianaJones well spotted. I would follow @Willem's advice here. In the doc there is no numbering of the bullets, so strictly speaking the docs are not incorrect. You can give feedback, though, by using the thumbs up or down option. I did that and reported it. Let's see if it gets updated, because we all want people to write ACLs that are effective and transparent.

IndianaJones
Tera Expert

@D van Heusden 


In the Creator Toolbox episode by ServiceNow at around the 5:14 mark (https://www.youtube.com/watch?v=_-C6NqyUiy0), they talk about the ACLs and this screenshot appears on the screen. Chuck at one point even asks the developer if he had the order wrong, since the debugger shows a different order from what he says in the video.


[screenshot from the video]

Version history
Last update:
08-08-2022 08:05 AM
Updated by: