ACL inactive = access?

Henrik Jutterst
Tera Guru

I just want to confirm something...

I want to restrict users from deleting Configuration Items in CMDB and the screenshot below is from ACL on cmdb_ci table.

If I deactivate this rule, does that mean that all users can delete CIs or that no one can delete a CI since there is no ACL for deleting?

Simon Christens
Kilo Sage

Hi Henrik



It's not that simple, as ACLs evaluate up the hierarchy.


This means that a parent or * ACL might evaluate true if cmdb_ci ACL is inactivated.


The best way forward is to deactivate it, activate "Debug security" and impersonate different users to see if the /delete ACL evaluates true or false.



The other side of Security is:


http://wiki.servicenow.com/index.php?title=High_Security_Settings#Default_Deny_Property



By default it should be "Deny access", which means that security denies if no ACLs are evaluated to true.


Thanks Simon for the link. I'll look into it right away.


But let's assume that this is the only ACL rule that triggers on the cmdb_ci table and its child tables. If I deactivate this rule, will that result in full access for deleting CIs for all users/roles or will it do the opposite?



Now that I've looked into the link and your later comment below, I see that default is set to Deny Access, and from what I understand then, users will not be able to delete if I deactivate this ACL (in regards to parent ACL and ACL with *).


Jaspal Singh
Mega Patron


Yes, it would allow all users to delete if you have not modified the Default access that is deny.


Thanks Jaspal! Have a good day!