Decision Types in ACLs

vodnalar26
Tera Contributor

Hi everyone,

I’m working with ACLs on a custom table and noticed unexpected behavior when switching the Decision Type.

  • When I configure the ACL with Decision Type = "Allow if", it works correctly based on the condition I’ve defined.

  • However, when I change the Decision Type to "Deny Unless" using the same condition, it does not behave as expected.

My requirement is to restrict write access based on a specific condition (e.g., allowing edits only when a field contains certain values and for users with a specific role).

I would like to understand:

  • Why does the ACL work with "Allow if" but not with "Deny Unless"?

  • Are there differences in how ServiceNow evaluates these decision types in combination with other ACLs (like table-level or wildcard ACLs)?

  • What is the recommended approach to implement such conditional access properly?

  • Here I am attaching the images of what I have given.

Any insights or best practices would be greatly appreciated.

Thanks in advance!

2 REPLIES

Vishal Jaswal
Giga Sage

Hello @vodnalar26 

HR has arranged lunch in the office cafeteria and has informed the security guard at the gate to allow only those who have:
1. Company's ID card/badge.
2. Allowed members list with names of specific employees.

So, the security guard is going to use "Deny Unless", as both of the above conditions have to be true (AND).

Let's say the security guard is in a good mood and doesn't care about validating the list; then the security guard is going to use "Allow If", as only one of the conditions has to be true. You have a company badge? Well, be my guest and go on to enjoy your meal.

So, "Deny Unless" is not working in your scenario because all the ACLs on the target table have to be true.

I would recommend going with "Allow If" to meet your requirement here and, in parallel, learning all about "Deny Unless" so that you can decide which ACL to go with for any such new requirements in the near future.


Hope that helps!
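
The AND/OR behaviour described in the reply above, as an added example that is not part of the original post and is not ServiceNow's evaluation engine. It is a simplified model that assumes every matching "Deny Unless" ACL must pass and that at least one "Allow If" ACL must also pass before access is granted; the ACL object shape, role name and state values are hypothetical.

```javascript
// Simplified model of combining ACL decision types; NOT ServiceNow's engine.
// Assumption: every "Deny Unless" ACL must pass, and at least one "Allow If"
// ACL must also pass. A "Deny Unless" ACL never grants access by itself.

// Hypothetical ACL shape: { name, decisionType, roles, condition(record) }.
// Within one ACL, the role requirement and the condition must both hold.
function aclPasses(acl, user, record) {
  const roleOk = acl.roles.length === 0 || acl.roles.some((r) => user.roles.includes(r));
  return roleOk && acl.condition(record);
}

function evaluate(acls, user, record) {
  const failedDeny = acls
    .filter((a) => a.decisionType === 'deny_unless' && !aclPasses(a, user, record))
    .map((a) => a.name);
  if (failedDeny.length > 0) {
    return { allowed: false, reason: 'failed Deny Unless: ' + failedDeny.join(', ') };
  }
  const granting = acls.find((a) => a.decisionType === 'allow_if' && aclPasses(a, user, record));
  if (!granting) return { allowed: false, reason: 'no Allow If ACL granted access' };
  return { allowed: true, reason: 'granted by ' + granting.name };
}

// Constructed sample data: a field-value gate plus a role, as in the question.
const stateGate = (rec) => ['draft', 'review'].includes(rec.state);
const editor = { roles: ['x_custom_editor'] }; // hypothetical role name
const other = { roles: ['itil'] };
const draft = { state: 'draft' };
const closed = { state: 'closed' };

const gate = (decisionType) => ({ name: 'write.' + decisionType, decisionType, roles: ['x_custom_editor'], condition: stateGate });
const asAllowIf = [gate('allow_if')];
const asDenyUnlessOnly = [gate('deny_unless')];
const combined = [gate('deny_unless'), { name: 'write.base', decisionType: 'allow_if', roles: [], condition: () => true }];

function demo() {
  return {
    allowIfEditorDraft: evaluate(asAllowIf, editor, draft).allowed,
    denyOnlyEditorDraft: evaluate(asDenyUnlessOnly, editor, draft).allowed, // nothing grants
    combinedEditorDraft: evaluate(combined, editor, draft).allowed,
    combinedEditorClosed: evaluate(combined, editor, closed).allowed,
    combinedOtherDraft: evaluate(combined, other, draft).allowed,
  };
}
console.log(demo());
```

In this model, switching the same condition from "Allow If" to "Deny Unless" with no other granting ACL denies even the user who satisfies it, because the gate only restricts and nothing grants.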

GlideFather
Tera Patron

Ahoy @vodnalar26,

the best debugging option for ACLs is Access Analyzer:

https://yourinstance.service-now.com/now/access-management/access-analyzer/

With this tool, you can select a user, a table, a record and a field to understand how the ACL conditions are evaluated for each operation.

Sometimes you want to understand differences between different roles, so you can also compare permissions.

Give this a chance, it can provide you some real good data.

PS: isn't your custom table extending any other? It can sometimes take the permissions from the parent, or the itil role can be tricky in this; try it with a custom role to confirm that.

_____
Answers generated by GlideFather. Check for accuracy.