ACL control of function fields
Summary of ACL control of function fields
This content explains how access control lists (ACLs) govern access to function fields in ServiceNow, specifically highlighting changes introduced in the Zurich release. A function field derives its value from other fields, called contributing fields. The system evaluates access not only to the function field itself but also to all contributing fields involved in its definition.
Key Features
- Access evaluation in Zurich and later: Access to a function field requires read or report_view permission on both the function field and all of its contributing fields.
- Access evaluation in Rome and earlier: Only the function field's own ACLs were checked; access to the contributing fields was not required.
- Operations affected: Only the read and report_view operations enforce the new contributing-field requirement.
- Additional condition for report_view: The function field and each contributing field must have a role-only read ACL, that is, a read ACL with no condition and no script.
Access Requirements per Operation
- Read: Users must have read access to the function field and to all contributing fields.
- Report_view: Users must have report_view access to the function field and to all contributing fields, and each of those fields must have a role-only read ACL without conditions or scripts.
Practical Examples
- Example 1: When the function field and every contributing field grant read and report_view to a role without conditions or scripts, users with that role can read and report on the function field.
- Example 2: If a contributing field refuses read access to a user's role, the user is refused access to the function field, even though the function field's own ACL permits it.
- Example 3: If a contributing field's read ACL includes a script, read access can still be granted, but report_view access is refused despite role membership, because a scripted read ACL is not a role-only read ACL without conditions or scripts.
Implications for ServiceNow Customers
When configuring ACLs for function fields, ensure that users have the appropriate access to all contributing fields, or they will be refused access to the function field after upgrading to Zurich. Pay particular attention to report_view: if reporting on a function field is required, the read ACLs on the function field and on its contributing fields must be role-only, with no conditions or scripts. This keeps access to a computed value consistent with access to the values it is derived from.
When evaluating access to a function field, in addition to checking access to the function field itself, the system also checks access to the function's contributing fields. Contributing fields are those used as the arguments in a given function definition.
For more information about function fields, see Function field.
In Rome and earlier, the system simply checks access to the function field itself (as with any other field). If the ACLs on that field allow access, the user receives the resulting value, regardless of whether the user has access to the contributing fields.
In Zurich and later, the system also requires access to all contributing fields in order to allow access to the function field. If one or more of the contributing field ACLs refuse access, the function field also refuses access.
The only operations affected by the new requirement are read and report_view. Report_view has its own additional requirements.
| Operation | Description |
|---|---|
| read | A user has read access to a function field only if both of the following are true: the user has read access to the function field itself, and the user has read access to every contributing field. |
| report_view | A user has report_view access to a function field only if all of the following are true: the user has report_view access to the function field itself; the user has report_view access to every contributing field; and the function field and every contributing field have a role-only read ACL (a read ACL with no condition and no script) that grants one of the user's roles. |
Examples
- Table: salary
- Columns: base, bonus, total (all are Integers in this example)
- Function field: The total column is marked as a function field, with the function definition glidefunction:add(base, bonus).
- Contributing fields: base and bonus, since they're used in the function definition
- Roles: salary_admin, bonus_admin
| ACLs | Result |
|---|---|
| total, base, bonus: read and report_view for role salary_admin, with no conditions or scripts | A user with the salary_admin role is granted read and report_view access to total, because they have the required role on every field. |
| total, base: read and report_view for role salary_admin, with no conditions or scripts; bonus: read refused for role salary_admin (for example, read and report_view granted only to role bonus_admin) | A user with the salary_admin role is refused read and report_view access to total, because bonus refuses read access to their role. |
| total, base, bonus: read and report_view for role salary_admin, but the read ACL on one of the fields also has a script that allows the user | A user with the salary_admin role is granted read access to total, because they have the required role for all fields. But the same user is refused report_view access, because the read ACL with the script is not a role-only read ACL and refuses report_view by default for this case, even though they have the required role. |
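The following is an added example, not ServiceNow's own code or the actual evaluation engine: a stand-alone Node.js model of the read and report_view rules in the operation table above, applied to the three salary examples. ACL records carry only the sys_security_acl attributes that matter here (field name, operation, granted roles, and whether a condition or script is present). Assumptions are marked in the comments: table-level ACLs are left out (a field with no field-level ACL is refused), a condition or script is assumed to evaluate to true for the user so that it only matters for the role-only test, and for example 3 the scripted read ACL is placed on bonus because the page does not say which field carries it.

```javascript
// Added example, not ServiceNow code: a model of how Zurich (vs. Rome)
// decides read and report_view access to a function field. No Glide API
// is used, so this runs under plain Node. Assumptions are marked below.

// Pull the contributing fields out of a definition such as
// "glidefunction:add(base, bonus)". Quoted literals are dropped and nested
// calls are unwrapped, so every identifier that remains is a field name.
function contributingFields(definition) {
  const body = definition
    .replace(/'[^']*'|"[^"]*"/g, "")                    // string literals
    .replace(/glidefunction:[A-Za-z_]\w*\s*\(/g, "(");  // function names
  const fields = new Set();
  for (const m of body.matchAll(/[A-Za-z_]\w*/g)) fields.add(m[0]);
  return [...fields];
}

// A field-level ACL record. hasScript/hasCondition only record that the
// ACL is not role-only; when present they are ASSUMED to evaluate to true
// for the user, which is what example 3 on the page requires.
function acl(table, field, operation, roles, extra = {}) {
  return { name: `${table}.${field}`, operation, roles,
           hasScript: false, hasCondition: false, ...extra };
}

function grants(record, userRoles) {
  return record.roles.some(r => userRoles.includes(r));
}

// Assumption: table-level ACLs are out of scope, so a field with no
// matching field-level ACL for the operation is refused in this model.
function fieldAllows(acls, table, field, operation, userRoles) {
  return acls.some(a => a.name === `${table}.${field}` &&
                        a.operation === operation && grants(a, userRoles));
}

// Zurich's extra report_view rule: the field needs a read ACL that is
// role-only (no condition, no script) and grants one of the user's roles.
function hasRoleOnlyReadAcl(acls, table, field, userRoles) {
  return acls.some(a => a.name === `${table}.${field}` && a.operation === "read" &&
                        !a.hasScript && !a.hasCondition && grants(a, userRoles));
}

// operation: "read" | "report_view"; release: "rome" | "zurich"
function canAccessFunctionField({ acls, table, field, definition, operation, userRoles, release }) {
  // Rome and earlier look at the function field alone; Zurich and later
  // also check every contributing field.
  const checked = release === "rome" ? [field] : [field, ...contributingFields(definition)];
  if (!checked.every(f => fieldAllows(acls, table, f, operation, userRoles))) return false;
  if (operation === "report_view" && release !== "rome") {
    return checked.every(f => hasRoleOnlyReadAcl(acls, table, f, userRoles));
  }
  return true;
}

// The page's salary example: total = glidefunction:add(base, bonus).
const TABLE = "salary";
const DEFINITION = "glidefunction:add(base, bonus)";
const USER_ROLES = ["salary_admin"];

function bothOps(field, roles, extra) {
  return [acl(TABLE, field, "read", roles, extra), acl(TABLE, field, "report_view", roles)];
}

// Example 1: every field grants read and report_view to salary_admin, role-only.
const EXAMPLE1 = ["total", "base", "bonus"].flatMap(f => bothOps(f, ["salary_admin"]));
// Example 2: bonus is granted only to bonus_admin, so salary_admin is refused on it.
const EXAMPLE2 = [...["total", "base"].flatMap(f => bothOps(f, ["salary_admin"])),
                  ...bothOps("bonus", ["bonus_admin"])];
// Example 3: as example 1, but one read ACL carries a script. The page does
// not say which field; bonus is an arbitrary choice (assumption).
const EXAMPLE3 = [...["total", "base"].flatMap(f => bothOps(f, ["salary_admin"])),
                  ...bothOps("bonus", ["salary_admin"], { hasScript: true })];

// Returns { read, report_view } for a salary_admin user on salary.total.
function evaluate(acls, release) {
  const base = { acls, table: TABLE, field: "total", definition: DEFINITION,
                 userRoles: USER_ROLES, release };
  return {
    read: canAccessFunctionField({ ...base, operation: "read" }),
    report_view: canAccessFunctionField({ ...base, operation: "report_view" }),
  };
}

for (const [label, acls] of [["example 1", EXAMPLE1], ["example 2", EXAMPLE2], ["example 3", EXAMPLE3]]) {
  console.log(label, "rome:", evaluate(acls, "rome"), "zurich:", evaluate(acls, "zurich"));
}
```

Running the model reproduces the table: example 2 is allowed under the Rome rule and refused under Zurich for both operations, and example 3 keeps read but loses report_view under Zurich. To apply the same check to a real instance, the ACL list would be built from sys_security_acl records named table.field, and the contributing fields from the function definition stored on the field's dictionary entry.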