- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-23-2024 02:05 AM
This is not a question, but since only a few people can create blogs or articles, I am putting it here.
With the new Xanadu release, the 'deny-unless' ACL is introduced. When I was checking on that feature, I noticed a new field on the ACL form: 'applies_to'. This field seems to have the exact same possible entries as the 'conditions' field and after lots of waiting, ServiceNow provided me the answer on the difference. It is not in the release notes, because "it's not a major feature worthy of being in there", but since it can cause lots of confusion, I requested it to be added. Hopefully they will.
The explanation:
An ACL is created to run on a table, a record or a field (i.e. incident, incident.* or incident.field).
- 'applies_to' determines whether the ACL applies to records, data condition is evaluating the ACL that is already applied. The system checks on the table and applies to to see if the ACL needs to be evaluated for the conditions. This makes for a more granular defining of ACL's.
- 'applies_to' specifies if the ACL affects to a specific record. If it's not set (empty), the ACL will apply to all records.
- Data 'condition' results in the ACL evaluation either allowing or blocking access, based on if it matches or not.
It will be more clear when using an example (especially check out scenario 3):
| Number | Priority | Location | Assigned to |
| INC 1 | 1 | NL | User A |
| INC 2 | 2 | NL | User B |
| INC 3 | 1 | UK | User A |
| INC 4 | 3 | UK | User B |
ACL Scenario 1
Table = incident
Applies_to: location is NL
Condition: assigned_to is dynamic me
Records on which ACL will be enforced
| Number | Priority | Location | Assigned to |
| INC 1 | 1 | NL | User A |
| INC 2 | 2 | NL | User B |
Allowed to see the record
| Number | Priority | Location | Assigned to |
| INC 1 | 1 | NL | User A |
ACL Scenario 2
Table = incident
Applies_to: assigned_to is dynamic me
Condition: location is NL
Records on which ACL will be enforced
| Number | Priority | Location | Assigned to |
| INC 1 | 1 | NL | User A |
| INC 3 | 1 | UK | User A |
Allowed to see the record
| Number | Priority | Location | Assigned to |
| INC 1 | 1 | NL | User A |
NOTE: Selected records on which the ACLs were enforces are different for both ACLs, however, they both can achieve same result based on how the applies_to and data conditions are configured
ACL Scenario 3
Table = incident
Applies_to: location is NL AND assigned_to is dynamic me
Condition: empty
Records on which ACL will be enforced
| Number | Priority | Location | Assigned to |
| INC 1 | 1 | NL | User A |
Allowed to see the record
| Number | Priority | Location | Assigned to |
This will deny access to the data, because there is no condition to be evaluated
ACL Scenario 4
Table = incident
Applies_to: empty
Condition: location is NL AND assigned_to is dynamic me
Records on which ACL will be enforced
| Number | Priority | Location | Assigned to |
| INC 1 | 1 | NL | User A |
| INC 2 | 2 | NL | User B |
| INC 3 | 1 | UK | User A |
| INC 4 | 3 | UK | User B |
Allowed to see the record
| Number | Priority | Location | Assigned to |
| INC 1 | 1 | NL | User A |
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
Solved! Go to Solution.
- Labels:
-
ACL
-
Release Notes
-
Security
-
Xanadu
- 6,066 Views
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-23-2024 02:06 AM
I hope this explanation will help anyone running into the same questions I had on this new field.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-23-2024 02:06 AM
I hope this explanation will help anyone running into the same questions I had on this new field.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-11-2024 09:36 AM
@Mark Manders , curious to how you differentiate between "applies to" and "enforced". I think I have an idea, but curious to hear it from you. Are you talking about the stage in server processing where the acl is actually checked and applied?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-13-2024 04:22 AM
What do you mean? Applies to is a new field on the form, coming with Xanadu, as written above. What do you mean with 'enforced'? It one of the things that is checked to see if the ACL should allow or deny access to a certain table/record/field.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎11-26-2024 02:35 PM
So what I am learning from scenario 3 is that if there is an Applies-To condition but no Data-Condition condition the result will always be to deny? I am not sure these scenarios are helping me understand it. There are examples in OOTB Xanadu where there is an Applies-To condition but no Data-Condition condition.
