08-23-2024 02:05 AM
This is not a question, but since only a few people can create blogs or articles, I am putting it here.
With the new Xanadu release, the 'deny-unless' ACL is introduced. When I was checking on that feature, I noticed a new field on the ACL form: 'applies_to'. This field seems to have the exact same possible entries as the 'conditions' field and after lots of waiting, ServiceNow provided me the answer on the difference. It is not in the release notes, because "it's not a major feature worthy of being in there", but since it can cause lots of confusion, I requested it to be added. Hopefully they will.
The explanation:
An ACL is created to run on a table, a record or a field (i.e. incident, incident.* or incident.field).
- 'applies_to' determines whether the ACL applies to records; the data condition evaluates the ACL that is already applied. The system checks the table and 'applies_to' to see if the ACL needs to be evaluated for the conditions. This makes for a more granular definition of ACLs.
- 'applies_to' specifies whether the ACL applies to a specific record. If it's not set (empty), the ACL will apply to all records.
- Data 'condition' results in the ACL evaluation either allowing or blocking access, based on if it matches or not.
It will be more clear when using an example (especially check out scenario 3):
Number | Priority | Location | Assigned to |
INC 1 | 1 | NL | User A |
INC 2 | 2 | NL | User B |
INC 3 | 1 | UK | User A |
INC 4 | 3 | UK | User B |
ACL Scenario 1
Table = incident
Applies_to: location is NL
Condition: assigned_to is dynamic me
Records on which ACL will be enforced
Number | Priority | Location | Assigned to |
INC 1 | 1 | NL | User A |
INC 2 | 2 | NL | User B |
Allowed to see the record
Number | Priority | Location | Assigned to |
INC 1 | 1 | NL | User A |
ACL Scenario 2
Table = incident
Applies_to: assigned_to is dynamic me
Condition: location is NL
Records on which ACL will be enforced
Number | Priority | Location | Assigned to |
INC 1 | 1 | NL | User A |
INC 3 | 1 | UK | User A |
Allowed to see the record
Number | Priority | Location | Assigned to |
INC 1 | 1 | NL | User A |
NOTE: The selected records on which the ACLs were enforced are different for both ACLs; however, they both can achieve the same result based on how the applies_to and data conditions are configured.
ACL Scenario 3
Table = incident
Applies_to: location is NL AND assigned_to is dynamic me
Condition: empty
Records on which ACL will be enforced
Number | Priority | Location | Assigned to |
INC 1 | 1 | NL | User A |
Allowed to see the record
Number | Priority | Location | Assigned to |
This will deny access to the data, because there is no condition to be evaluated.
ACL Scenario 4
Table = incident
Applies_to: empty
Condition: location is NL AND assigned_to is dynamic me
Records on which ACL will be enforced
Number | Priority | Location | Assigned to |
INC 1 | 1 | NL | User A |
INC 2 | 2 | NL | User B |
INC 3 | 1 | UK | User A |
INC 4 | 3 | UK | User B |
Allowed to see the record
Number | Priority | Location | Assigned to |
INC 1 | 1 | NL | User A |
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
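The two-stage evaluation described in the post above, as an added example that is not part of the original post and is not ServiceNow platform code: a plain JavaScript model of 'applies_to' (which records the ACL is enforced on) and the data 'condition' (which of those are allowed), run over the post's four incidents. It assumes the viewing user ("dynamic me") is User A; the helper names and the `notCovered` field are hypothetical.

```javascript
// Constructed sample data: the four incidents from the post's table.
const incidents = [
  { number: 'INC 1', priority: 1, location: 'NL', assigned_to: 'User A' },
  { number: 'INC 2', priority: 2, location: 'NL', assigned_to: 'User B' },
  { number: 'INC 3', priority: 1, location: 'UK', assigned_to: 'User A' },
  { number: 'INC 4', priority: 3, location: 'UK', assigned_to: 'User B' },
];

// Hypothetical predicate helpers (not ServiceNow APIs).
const locationIsNL = (rec) => rec.location === 'NL';
const assignedToMe = (rec, user) => rec.assigned_to === user;
const both = (rec, user) => locationIsNL(rec) && assignedToMe(rec, user);

// null stands for an empty applies_to / condition field.
const scenarios = {
  1: { appliesTo: locationIsNL, condition: assignedToMe },
  2: { appliesTo: assignedToMe, condition: locationIsNL },
  3: { appliesTo: both, condition: null },
  4: { appliesTo: null, condition: both },
};

// Stage 1: applies_to selects the records the ACL is enforced on (empty = all).
// Stage 2: the data condition decides allow/deny on those records only;
// per the post, an empty condition leaves nothing to match, so nothing is allowed.
function evaluateAcl(acl, records, user) {
  const enforced = records.filter((r) => acl.appliesTo === null || acl.appliesTo(r, user));
  const allowed = enforced.filter((r) => acl.condition !== null && acl.condition(r, user));
  const notCovered = records.filter((r) => !enforced.includes(r));
  const numbers = (list) => list.map((r) => r.number);
  return { enforced: numbers(enforced), allowed: numbers(allowed), notCovered: numbers(notCovered) };
}

function runScenario(id, user = 'User A') {
  return evaluateAcl(scenarios[id], incidents, user);
}

for (const id of Object.keys(scenarios)) {
  console.log(`Scenario ${id}:`, JSON.stringify(runScenario(id)));
}
```

Records listed under `notCovered` are the ones this ACL is not enforced on, so in this model the ACL neither allows nor denies them.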
08-23-2024 02:06 AM
I hope this explanation will help anyone running into the same questions I had on this new field.
3 weeks ago
@Mark Manders thanks for writing this up, it helps. I have a query though, in this case:
ACL Scenario 1
Table = incident
Applies_to: location is NL
Condition: assigned_to is dynamic me
Records on which ACL will be enforced
Number | Priority | Location | Assigned to |
INC 1 | 1 | NL | User A |
INC 2 | 2 | NL | User B |
Allowed to see the record
Number | Priority | Location | Assigned to |
INC 1 | 1 | NL | User A |
INC 2 | 2 | NL | User B |
What will happen to records where location is UK? Will this ACL fail the execution for those?
I tried a similar use case in my instance: even though the ACL is not applied, I was not able to have edit access on records where location is UK. I need to write a new ACL with Applies_to: location is not NL to have edit access to those records.
Please clear my understanding
3 weeks ago
Since no table contains just a single ACL, it is hard to say, because lots of other things can be affecting the access. These ACLs apply to the Incidents that are on location NL and with that will provide more granular access on top of the more general ACLs to tables. If it is NL, only the assigned to has access.
Check your access analyzer for what's exactly blocking it. You mention the ACL wasn't applied, so this ACL is not blocking your access.