ACL control of function fields

  • Release version: Yokohama
  • Updated January 30, 2025

    When evaluating access to a function field, in addition to checking access to the function field itself, the system also checks access to the function's contributing fields. Contributing fields are those used as the arguments in a given function definition.

    For more information about function fields, see Function field.

    In Rome and earlier, the system simply checks access to the function field itself (as with any other field). If the ACLs on that field allow access, the user receives the resulting value, regardless of whether the user has access to the contributing fields.

    In Yokohama and later, the system also requires access to all contributing fields in order to allow access to the function field. If one or more of the contributing field ACLs refuse access, the function field also refuses access.

    The only operations affected by the new requirement are read and report_view. Report_view has its own additional requirements.

    Operation: read
    A user has read access to a function field only if both of the following are true:
    • The user has read access to the function field.
    • The user has read access to all of the contributing fields used in the function.

    Operation: report_view
    A user has report_view access to a function field only if all of the following are true:
    • The user has report_view access to the function field.
    • The user has report_view access to each of the contributing fields.
    • There is a role-only read ACL without conditions and without a script, and the user has that role.
    • The user has role-only read access to the contributing fields; that is, only ACLs without a condition or script can allow that access.

    Examples

    Given:
    • Table: salary
    • Columns: base, bonus, total (all are Integers in this example)
    • Function field: The total column is marked as a function field, with function definition glidefunction:add(base, bonus).
    • Contributing fields: base and bonus, since they're used in the function definition
    • Roles: salary_admin, bonus_admin

    Table 1. Example 1: All fields allow access
    ACLs:
    • total, base, bonus: read and report_view for role salary_admin, with no conditions or scripts
    Result:
    A user with the salary_admin role is granted read and report_view access to total because they have the required role.

    Table 2. Example 2: Contributing field refuses read access
    ACLs:
    • total, base: read and report_view for role salary_admin, with no conditions or scripts
    • bonus: report_view for role salary_admin, with no conditions or scripts
    • bonus: read for role bonus_admin, with no conditions or scripts
    Result:
    A user with the salary_admin role is refused read and report_view access to total, because bonus refuses read access to their role.

    Table 3. Example 3: Contributing field ACL has script
    ACLs:
    • total, base: read and report_view for role salary_admin, with no conditions or scripts
    • bonus: report_view for role bonus_admin, with no conditions or scripts
    • bonus: read for role salary_admin, with a script (note that it doesn't matter what's in the script, only that it's there)
    Result:
    A user with the salary_admin role is granted read access to total, because they have the required role for all fields.

    But the same user with the salary_admin role is refused report_view access, because the read ACL with the script refuses access by default for this case, even though they have the required role.
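
    The three examples above, evaluated by a small model of the read and report_view rules. This is an added illustration, not ServiceNow platform code: the helper names (acl, allows, refusals) are hypothetical, and it assumes default deny when no ACL matches, that conditions and scripts evaluate to true, and that table-level and wildcard ACLs are out of scope.

```javascript
// Added illustration: simplified model of this page's rules, not ServiceNow code.
// Assumptions: default deny when no ACL matches; conditions and scripts evaluate to true.
const CONTRIBUTING = { total: ['base', 'bonus'] }; // glidefunction:add(base, bonus)

// Expands to one ACL rule per field/operation pair.
function acl(fields, ops, role, opts = {}) {
  return fields.flatMap(field => ops.map(op => ({
    field, op, role, script: !!opts.script, condition: !!opts.condition,
  })));
}

// True if some ACL on `field` for `op` matches one of the user's roles.
// roleOnly=true ignores ACLs that carry a condition or a script.
function allows(acls, roles, field, op, roleOnly = false) {
  return acls.some(a => a.field === field && a.op === op && roles.includes(a.role) &&
    !(roleOnly && (a.script || a.condition)));
}

// Returns the reasons access is refused; an empty list means access is granted.
function refusals(acls, roles, fnField, op) {
  const reasons = [];
  for (const f of [fnField, ...CONTRIBUTING[fnField]]) {
    if (!allows(acls, roles, f, op)) reasons.push(`${f}: no ${op} access`);
    // report_view additionally needs a role-only read ACL on every field involved.
    if (op === 'report_view' && !allows(acls, roles, f, 'read', true)) {
      reasons.push(`${f}: no role-only read ACL`);
    }
  }
  return reasons;
}

const RV = ['read', 'report_view'];
const example1 = acl(['total', 'base', 'bonus'], RV, 'salary_admin');
const example2 = [
  ...acl(['total', 'base'], RV, 'salary_admin'),
  ...acl(['bonus'], ['report_view'], 'salary_admin'),
  ...acl(['bonus'], ['read'], 'bonus_admin'),
];
const example3 = [
  ...acl(['total', 'base'], RV, 'salary_admin'),
  ...acl(['bonus'], ['report_view'], 'bonus_admin'),
  ...acl(['bonus'], ['read'], 'salary_admin', { script: true }),
];
for (const [name, acls] of Object.entries({ example1, example2, example3 })) {
  for (const op of RV) {
    const r = refusals(acls, ['salary_admin'], 'total', op);
    console.log(name, op, r.length ? `refused (${r.join('; ')})` : 'granted');
  }
}
```

    When auditing a real instance, the same per-field walk applies: list the function's contributing fields, then confirm each has a matching ACL for the operation and, for report_view, a read ACL with no condition or script.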