In which order roles gets evaluation to give real permission

Go to solution
wakespirit
Kilo Guru

‎11-09-2018 12:00 AM

Dear all,

I am new to service now and practicing using sefl pack lab and one point I am confuse and hard to follow is that based on roles.

i have understand that you can apply ACL to fields and rows for data but also to users.

When all the roles are cascading each other, in which order they are evaluated ?

is tehre a good exemple to understand this ?

Thanks for help

regards

Labels:
0 Helpfuls
  • 1,383 Views
1 ACCEPTED SOLUTION

Go to solution
Jeff Currier
ServiceNow Employee
ServiceNow Employee

‎11-09-2018 10:35 AM

This is the execution order:

  • The condition must evaluate to true.
  • The script must evaluate to true or return an answer variable with the value of true.
  • The user must have one of the roles in the required roles list. If the list is empty, this condition evaluates to true.
  • [Record ACL rules only] The matching table-level and field-level ACL rules must both evaluate to true.

 

The sequence is ROLES first, then condition, then script. Roles are cached so it's always more efficient to use roles whenever possible.  Any role that matches will be OK.  Doesn't matter which is first.

 

 

View solution in original post

3 REPLIES 3

Go to solution
Ahmmed Ali
Mega Sage

‎11-09-2018 12:29 AM

What do you mean by "When all the roles are cascading each other" ?

details would be helpful to suggest/answer on the query.

 

Thanks,

Ali

If I could help you with your Query then, please hit the Thumb Icon and mark my answer as Correct!!

Thank you,
Ali
0 Helpfuls

Go to solution
Jeff Currier
ServiceNow Employee
ServiceNow Employee

‎11-09-2018 10:35 AM

This is the execution order:

  • The condition must evaluate to true.
  • The script must evaluate to true or return an answer variable with the value of true.
  • The user must have one of the roles in the required roles list. If the list is empty, this condition evaluates to true.
  • [Record ACL rules only] The matching table-level and field-level ACL rules must both evaluate to true.

 

The sequence is ROLES first, then condition, then script. Roles are cached so it's always more efficient to use roles whenever possible.  Any role that matches will be OK.  Doesn't matter which is first.

 

 

Go to solution
nareshbh
Kilo Explorer

‎12-04-2019 09:41 PM

The sequence is ROLES first, then condition, then script. Roles are cached so it's always more efficient to use roles whenever possible.

 

 Docs: Access control rules

 

Docs: Contextual security  

 

Security Best Practices - ServiceNow Wiki

0 Helpfuls