Application of table.* ACL to records that do not fit ACL condition
9 hours ago
Hello. When trying to understand how ACL works, I built the following scenario:
Table: u_test_data
Fields: u_type, u_field_1, u_field_2, u_field_3, u_field_4; all of type string
Roles: test_data_manager, test_data_user
Both roles have write permission in the table (table.none ACL rule). I have two field-level rules for the write operation:
table.*: users with the test_data_manager role can edit all fields on the table
table.u_field_2: users with the test_data_user role can edit u_field_2. This ACL masks the table.* ACL.
Abel Tuter has the test_data_user role, while Don Goodliffe has the test_data_manager role.
Expected behavior: Abel can edit only u_field_2. Don can edit all fields EXCEPT u_field_2.
Result: OK.
So far, so good. However, I added a condition in the "Applies to" field in the table.* ACL. It only applies to records if the u_type field has the value special.
My expectation, at least from what I thought and from what I learned from the ServiceNow materials, would be the following behavior: in a record where the field u_type has the value special, the table.* ACL would apply and the behavior would be as before: Abel can edit only u_field_2, Don can edit everything except for u_field_2; however, in any other record, the table.* rule would not apply, and both users would be able to edit all fields. However, when I access a record in which u_type is not special, Abel cannot edit the fields, except for u_field_2.
Does anyone know why the system behaves like this? At least from my point of view, the table.* rule should be disregarded, since this record does not fit into the ACL's "Applies to". I looked for advanced topics on ACLs, but could not find anything.
Thank you.
7 hours ago
Create another table.*
Name: table.*
Requires Role: test_data_user
Condition: u_type is NOT special (or leave condition blank)
Description: Allows everyone
Let us know whether you are getting the expected result or not.
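To make the behaviour in the question and the fix suggested in this reply concrete, here is an added JavaScript model of field-level write ACL resolution. It is not code from the post and not ServiceNow's own evaluation engine. It assumes three things that are consistent with what the thread observed: only the rules at the most specific matching level are evaluated (table.u_field_2 if such a rule exists, otherwise table.*); a rule whose "Applies to" condition does not match the record counts as a failed rule for that record rather than being skipped; and the user passes a level if at least one rule at that level passes. The function names (aclRule, rulePasses, canWrite, writableFields, scenario) and the two sample records are constructed for this example.

```javascript
// Added example, not code from the post or from ServiceNow: a small model of
// field-level write ACL resolution that reproduces the behaviour the question
// describes. Modelling assumptions (not verified against platform source):
//  1. Only rules at the most specific matching level are evaluated
//     (table.<field> if any exist, otherwise table.*).
//  2. A rule passes only if the user holds one of its roles AND its
//     "Applies to" condition matches the record. A rule whose condition fails
//     is a failed rule, not a rule that "does not apply".
//  3. The user passes the level if at least one rule at that level passes.

const FIELDS = ["u_type", "u_field_1", "u_field_2", "u_field_3", "u_field_4"];

const USERS = {
  abel: { name: "Abel Tuter", roles: ["test_data_user"] },
  don: { name: "Don Goodliffe", roles: ["test_data_manager"] },
};

// condition is a predicate on the record; omit it for an unconditional rule.
function aclRule(field, roles, condition) {
  return {
    name: "u_test_data." + field,
    field: field,
    roles: roles,
    condition: condition || (() => true),
  };
}

// The two field-level rules from the question: table.* (manager, only on
// records where u_type is special) and table.u_field_2 (user).
const BASE_RULES = [
  aclRule("*", ["test_data_manager"], (rec) => rec.u_type === "special"),
  aclRule("u_field_2", ["test_data_user"]),
];

// The reply's suggestion: a second table.* rule for test_data_user that
// applies to records where u_type is NOT special.
const FIX_RULES = BASE_RULES.concat([
  aclRule("*", ["test_data_user"], (rec) => rec.u_type !== "special"),
]);

function rulePasses(rule, user, record) {
  const hasRole =
    rule.roles.length === 0 || rule.roles.some((r) => user.roles.includes(r));
  return hasRole && rule.condition(record);
}

// Field-level write decision for one field. Table-level access (table.none)
// is granted to both roles in the question, so it is not modelled here.
function canWrite(rules, user, record, field) {
  let level = rules.filter((r) => r.field === field);
  if (level.length === 0) {
    level = rules.filter((r) => r.field === "*");
  }
  if (level.length === 0) {
    return true; // no field-level rule at all: only table-level rules decide
  }
  return level.some((r) => rulePasses(r, user, record));
}

function writableFields(rules, user, record) {
  return FIELDS.filter((f) => canWrite(rules, user, record, f));
}

// Constructed sample records: one that matches the condition, one that does not.
const SPECIAL = { u_type: "special" };
const ORDINARY = { u_type: "regular" };

// Which fields each user may write on each record under a given rule set.
function scenario(rules) {
  const out = {};
  for (const u of Object.keys(USERS)) {
    out[u] = {
      special: writableFields(rules, USERS[u], SPECIAL),
      ordinary: writableFields(rules, USERS[u], ORDINARY),
    };
  }
  return out;
}

console.log("base rules:", JSON.stringify(scenario(BASE_RULES), null, 2));
console.log("with fix:", JSON.stringify(scenario(FIX_RULES), null, 2));
```

Under the base rules the model gives Abel only u_field_2 on a non-special record, which is the puzzling result from the question: the conditioned table.* rule still exists at the table.* level, so it is evaluated for that record and fails. Adding the reply's second table.* rule gives Abel all five fields on non-special records while leaving the special-record behaviour unchanged. The same model shows Don denied on non-special records in both configurations, because no table.* rule passes for test_data_manager there; if both users are meant to edit everything on ordinary records, a matching rule for that role (or a rule with no role requirement) is needed as well.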
