Does the ACL doc state that the user must fail all table ACLs in order to be denied access?

David Dietrich
Tera Expert

ServiceNow ACL documentation describes behavior that differs from what I'm seeing in my environment. ACL documentation states: "If a user fails all table ACL rules, the user cannot access any fields in the table. If a user passes a table ACL rule, the system then evaluates the field ACL rules." (ACL rule types (servicenow.com)).


However, the behavior I am seeing is that if:

  1. There is a table ACL that matches the table name
  2. There is a wildcard ACL that matches any table name (*)
  3. The table ACL denies access.
  4. The wildcard ACL allows access.

...then ServiceNow stops evaluating ACL rules when it matches the table ACL and denies access. Based on the above documentation, I expected ServiceNow to continue searching for an ACL that would allow access. Why does the ACL doc state that the user must fail all table ACLs in order to be denied access, when in reality, the user only needs to fail one table ACL to be denied access?

1 ACCEPTED SOLUTION

sushantmalsure
Mega Sage

Suppose you have 3 table level ACLs on incident table:

Scenario 1: If 1 ACL denies access and 2 ACLs allow the access, then the user gets access for the said operation.

Scenario 2: If all ACLs deny access for the said operation, then the user will be denied access.


Now here comes the scenario of the wildcard table (*).

If there is no table level ACL present for the incident table, then ServiceNow will evaluate the * ACL.

If that ACL denies access, then the user will not get access, or vice versa.

So if you have overridden the * ACLs by creating a table specific ACL, then the * ACL will not be evaluated.

This is what I have learned; it may be useful to understand.


If my answer has helped with your question, please mark my answer as accepted solution and give a thumb up.
Regards, Sushant Malsure




It seems that although the behavior you describe is not explained anywhere in the text of the ACL documentation, it is implied by the acl-matching diagram on the ACL Rule Types doc.
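To make the matching order described in the accepted answer (and confirmed by the follow-up about the acl-matching diagram) concrete, here is a small model of it. This is an added example written for this thread, not ServiceNow's own code: the rule and user shapes, the `passes(user)` stand-in for role/condition/script checks, the deny-by-default choice when no rule matches, and the field fallback order (`table.field`, `table.*`, `*.*`) are assumptions made for the illustration. The sample rules and users are constructed to reproduce the questioner's scenario (table-specific rule denies, wildcard would allow) and the two scenarios from the answer.

```javascript
// Added example (not ServiceNow's code): a model of the ACL matching order
// described in this thread. Rule shape, user shape and the deny-by-default
// choice for "no matching rule" are assumptions made for the illustration.

// A rule names a table ('incident'), the wildcard table ('*'), or a field
// ('incident.priority', 'incident.*'); `passes(user)` stands in for the
// role/condition/script checks a real ACL would run.
const requiresRole = (role) => (user) => user.roles.includes(role);
const allowEveryone = () => true;

// Constructed sample ACLs matching the scenarios discussed in the thread.
const SAMPLE_RULES = [
  // The questioner's case: a table-specific rule that denies (requires itil)...
  { name: 'incident', operation: 'read', passes: requiresRole('itil') },
  // ...and a wildcard rule that would allow everyone, if it were consulted.
  { name: '*', operation: 'read', passes: allowEveryone },
  // Table-level write plus a stricter field-level rule on one column.
  { name: 'incident', operation: 'write', passes: requiresRole('itil') },
  { name: 'incident.priority', operation: 'write', passes: requiresRole('admin') },
];

// Scenario 1 from the accepted answer: three rules on incident, one fails, two pass.
const THREE_INCIDENT_RULES = [
  { name: 'incident', operation: 'read', passes: requiresRole('admin') },
  { name: 'incident', operation: 'read', passes: requiresRole('itil') },
  { name: 'incident', operation: 'read', passes: requiresRole('sn_incident_read') },
  { name: '*', operation: 'read', passes: () => false }, // never reached for incident
];

// Constructed users (hypothetical names and roles).
const GUEST = { name: 'guest', roles: [] };
const ANALYST = { name: 'analyst', roles: ['itil', 'sn_incident_read'] };

// Most-specific match wins: try each name pattern in order and keep the FIRST
// non-empty set. A wildcard rule is consulted only when nothing more specific exists.
function candidateRules(rules, operation, patterns) {
  for (const pattern of patterns) {
    const set = rules.filter((r) => r.operation === operation && r.name === pattern);
    if (set.length > 0) return { pattern, set };
  }
  return { pattern: null, set: [] };
}

// Within the chosen set the rules are OR'ed: one passing rule is enough,
// and the user is denied only when every rule in that set fails.
function evaluateTableAccess(rules, table, operation, user) {
  const { pattern, set } = candidateRules(rules, operation, [table, '*']);
  if (set.length === 0) {
    return { allowed: false, matched: null, stage: 'table' }; // assumption: deny when nothing matches
  }
  return { allowed: set.some((r) => r.passes(user)), matched: pattern, stage: 'table' };
}

// Field rules are only reached once the table rules pass. The field fallback
// order (table.field, table.*, *.*) is an assumption for the example.
function evaluateFieldAccess(rules, table, field, operation, user) {
  const tableResult = evaluateTableAccess(rules, table, operation, user);
  if (!tableResult.allowed) return tableResult;
  const { pattern, set } = candidateRules(rules, operation, [`${table}.${field}`, `${table}.*`, '*.*']);
  if (set.length === 0) {
    return { allowed: true, matched: tableResult.matched, stage: 'table' }; // no field rule: table decision stands
  }
  return { allowed: set.some((r) => r.passes(user)), matched: pattern, stage: 'field' };
}

// Walk the scenarios from the thread and return the decisions.
function runScenarios() {
  return {
    // table rule matched, wildcard never consulted: denied (the questioner's observation)
    guestReadIncident: evaluateTableAccess(SAMPLE_RULES, 'incident', 'read', GUEST),
    // no problem-specific rule: wildcard consulted, allowed
    guestReadProblem: evaluateTableAccess(SAMPLE_RULES, 'problem', 'read', GUEST),
    // one of three incident rules fails, two pass: allowed (scenario 1)
    analystThreeRules: evaluateTableAccess(THREE_INCIDENT_RULES, 'incident', 'read', ANALYST),
    // table rule fails, so the field rule is never evaluated
    guestWritePriority: evaluateFieldAccess(SAMPLE_RULES, 'incident', 'priority', 'write', GUEST),
    // table rule passes, then the stricter field rule denies
    analystWritePriority: evaluateFieldAccess(SAMPLE_RULES, 'incident', 'priority', 'write', ANALYST),
  };
}

for (const [name, result] of Object.entries(runScenarios())) {
  console.log(`${name}: allowed=${result.allowed} matched=${result.matched} stage=${result.stage}`);
}
```

The `matched` value in each result shows which pattern was actually consulted; for `guestReadIncident` it is `incident`, never `*`, which is exactly why the permissive wildcard rule does not rescue the user. When reviewing an instance, the practical check is therefore not "is there any ACL that would allow this?" but "what is the most specific ACL set for this table/operation, and does at least one rule in that set pass?".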