Application of table.* ACL to records thar do not fit ACL condition

Rafael Pinto · 3 weeks ago

Hello. When trying to understand how ACL works, I built the following scenario:

Table: u_test_data

Fields: u_type, u_field_1, u_field_2, u_field_3, u_field_4; all of type string

Roles: test_data_manager, test_data_user

Both roles have write permission in the table (table.none ACL rule). I have two field-level rules for the write operation:

table.*: users with the test_data_manager role can edit all fields on the table

table.u_field_2: users with the test_data_user role can edit u_field_2. This ACL masks the table.* ACL.

Abel Tuter has the test_data_user role, while Don Goodliffe has the test_data_manager role.

Expected behavior: Abel can edit only u_field_2. Don can edit all fields EXCEPT u_field_2.

Result: OK.

So far, so good. However, I added a condition in the "Applies to" field in the table.* ACL. It only applies to records if the u_type field has the value special.

My expectation, at least from what I thought and from what I learned from the ServiceNow materials would be the following behavior: in a record where the field u_type has the value special, the table.* ACL would apply and the beavior would be as before: Abel can edit only u_field_2, Don can edit everything except for u_field_2; however, in any other record, the table.* rule would not apply, and both users would be able to edit all fields. However, when I access a record in which u_type is not special, Abel cannot edit the fields, except for u_field_2.

Does anyone know why the system behaves like this. At least from my point of view, the table.* rule should be disregarded, since this record does not fit into the ACL's "Applies to". I looked for advanced topics on ACLs, but could not find anything.

Thank you.

Chaitanya ILCR · 3 weeks ago

Hi @Rafael Pinto ,

This is a expected Behavior. ACL are meant for the Access provision.

ACLs are executed from most specific to most generic

in this case table.* is the is 2nd most specific after the table.field acl and when it's evaluated even though there is applies to condition the system looks for other ACLs which provides access to all the fields like this one if the ACL doesn't exists it's different case but since there is an ACL (either it applies to it or not it's a secondary thing ) system looks for other ACLs to grant Access (ACL are meant for granting access (Allow if))

you can check use the Access Analyzer to debug this

you can do 2 things

In the table.* ACL write a script by removing the applies to and check the condition in the script and make a decision for those records and others set it as true

if (current.u_type == 'special') {
    return (gs.hasRole('addYourRoleHere') || gs.hasRole('addYourRoleHere') | )

} else {
    return true;
}

or

create a denyUnless ACL to deny the access table.* for those specific records under the role condition and have table.* Allow if without any condition

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

View solution in original post

Tanushree Maiti · 3 weeks ago

Hi @Rafael Pinto

Create another table.*
Name: table.*
Requires Role: test_data_user
Condition: u_type is NOT special (or leave condition blank)
Description: Allows everyone

Let us know whether you are getting expected result or not.

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect
Linkedin:

Chaitanya ILCR · 3 weeks ago

Hi @Rafael Pinto ,

This is a expected Behavior. ACL are meant for the Access provision.

ACLs are executed from most specific to most generic

in this case table.* is the is 2nd most specific after the table.field acl and when it's evaluated even though there is applies to condition the system looks for other ACLs which provides access to all the fields like this one if the ACL doesn't exists it's different case but since there is an ACL (either it applies to it or not it's a secondary thing ) system looks for other ACLs to grant Access (ACL are meant for granting access (Allow if))

you can check use the Access Analyzer to debug this

you can do 2 things

In the table.* ACL write a script by removing the applies to and check the condition in the script and make a decision for those records and others set it as true

if (current.u_type == 'special') {
    return (gs.hasRole('addYourRoleHere') || gs.hasRole('addYourRoleHere') | )

} else {
    return true;
}

or

create a denyUnless ACL to deny the access table.* for those specific records under the role condition and have table.* Allow if without any condition

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

Rafael Pinto · 3 weeks ago

Thank you very much! The script is somehow straightforward, but I dod not think about it.

From your reply and from some tests I performed, I came to the following conclusion, to the best of my knowledge: if a table.* exists but does not apply to a certain record, the system will block access to all fields (except for those which eventually have a table.field rule, which masks the table.* rule because it is more specific) if it does not find another table.* rule that applies to that record and whose conditions are fulfilled.