
Access Control List (ACL) in ServiceNow

First, let's understand what an Access Control List (ACL) is in ServiceNow.

Access Control Lists are the mechanism by which ServiceNow provides granular security for its data. ACL rules can be applied to tables (individual records) as well as to fields within those records, and they restrict access to data by requiring users to pass a set of requirements before they can interact with it.

All access control list rules specify:

1.> The object and operation being secured

2.> The permissions required to access the object

The important ACL record operation types are:

create : Enables users to insert new records (rows) into a table.

read : Enables users to display records from a table.

write : Enables users to update records in a table.

delete : Enables users to remove records from a table or drop a table.

edit_task_relations : Enables users to extend the Task [task] table.

edit_ci_relations : Enables users to extend the Configuration Item [cmdb_ci] table.

save_as_template : Enables users to save a record as a template.

add_to_list : Prevents users from viewing or personalizing specific columns in the list mechanic. Note: Conditions and scripts are not supported.

list_edit : Enables users to update records (rows) from a list.

report_on : Enables users to report on tables. This operation is also valid for field ACL rules.

Use case implementation (real-time scenario) -

Use case - The logged-in user must be a member of the group "ACME Support" to edit the Category field.

Solution - Create two ACLs of type record, one for the create operation and one for the write operation, on the Category field (for example incident.category), and put the snippet below in the Script field. Note that the script must set answer to exactly true; if answer is left unset, the user fails the rule.

var answer;

// gs.getUser() returns the logged-in user; isMemberOf() accepts a group name or sys_id
if (gs.getUser().isMemberOf('ACME Support')) {
    answer = true;
} else {
    answer = false;
}

To verify the rule, impersonate a user who is in the group and one who is not, open an Incident record, and confirm that Category is editable only for the group member.

What is the ACL evaluation process?

An ACL rule only grants a user access to an object if the user meets all of the permissions required by the matching ACL rule. 

The condition must evaluate to true. 

The script must evaluate to true or return an answer variable with the value of true. 

The user must have at least one of the roles in the required roles list.

The matching table-level and field-level ACL rules must both evaluate to true.

Record ACL rules are processed in the following order:

Match the object against table ACL rules. 

Match the object against field ACL rules. 

A user must pass both table and field ACL rules to access a record object. 

If a user fails a table ACL rule, the user is denied access to all fields in the table, even if the user passes a field ACL rule. 

If a user passes a table ACL rule, but fails a field ACL rule, the user cannot access the field described by the field ACL rule.

Table ACL rules

The user must first pass the table ACL rule. Since the base system includes STAR (*) table ACL rules that match every table, the user must always pass at least one table ACL rule. 

Table ACL rules are searched in the following order. The search stops at the first level where a matching rule exists, so a rule on the table itself takes precedence over one on the parent table, and a parent-table rule takes precedence over a STAR (*) rule; when several rules match at that level, the user only needs to pass one of them. 

Match the table name. For example, incident. 

Match the parent table name. For example, task. 

Match any table name (*). For example, *. 

If a user fails all table ACL rules, the user cannot access the fields in any table. If a user passes a table ACL rule, the system then evaluates the field ACL rules.

Field ACL rules

After a user passes a table ACL rule, field ACL rules are searched in the following order. As with table rules, the search stops at the first level that has a matching rule, so a rule on incident.number shadows a rule on *.number: 

Match the table and field name. For example, incident.number. 

Match the parent table and field name. For example, task.number. 

Match any table (*) and field name. For example, *.number. 

Match the table and any field (*). For example, incident.*. 

Match the parent table and any field (*). For example, task.*. 

Match any table (*) and any field (*). For example, *.*.
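The search order and pass/fail rules described in the sections above, as an added example that is not part of the original post and not ServiceNow's own code: a small JavaScript model of the table and field rule lookup. The table hierarchy (incident extends task), the rule set, the users and the fallback of "no matching field rule means the table decision stands" are all constructed assumptions for illustration.

```javascript
// Added example (not ServiceNow code): a model of the ACL search order and
// pass/fail logic. Tables, rules and users below are constructed; the table
// hierarchy and the no-field-rule fallback are assumptions of this model.

// Parent-table map: incident extends task, task has no parent.
const PARENT = { incident: "task", task: null };

// Search order for a table: table, parent table, then "*".
function lineage(table) {
  const out = [];
  for (let t = table; t; t = PARENT[t]) out.push(t);
  out.push("*");
  return out;               // lineage("incident") -> ["incident", "task", "*"]
}

// Field search order: table.field, parent.field, *.field, table.*, parent.*, *.*
function fieldCandidates(table, field) {
  const chain = lineage(table);
  return chain.map(t => `${t}.${field}`).concat(chain.map(t => `${t}.*`));
}

// Constructed rule set. A user passes a rule when they hold at least one
// listed role (empty list means no role needed), the condition is true,
// and the script sets answer to exactly true.
const RULES = [
  { name: "*",    op: "read",  roles: [] },
  { name: "*",    op: "write", roles: ["admin"] },
  { name: "task", op: "read",  roles: ["itil"] },
  { name: "task", op: "write", roles: ["itil"],
    condition: (record) => record.active !== false },
  // Field rule for the use case on this page: only ACME Support may edit Category.
  { name: "incident.category", op: "write", roles: [],
    script: (user) => user.groups.includes("ACME Support") },
  // A script that forgets to set answer: its undefined result counts as a fail.
  { name: "task.priority", op: "write", roles: [],
    script: () => { /* no answer assigned */ } },
];

function passes(rule, user, record) {
  if (rule.roles.length > 0 && !rule.roles.some(r => user.roles.includes(r))) return false;
  if (rule.condition && rule.condition(record, user) !== true) return false;
  if (rule.script && rule.script(user, record) !== true) return false;
  return true;
}

// Walk the candidate names in order; the first name that has any matching
// rule decides, and several rules sharing that name are ORed together.
// Less specific names are not consulted once a match is found.
function evaluate(candidates, op, user, record) {
  for (const name of candidates) {
    const matches = RULES.filter(r => r.name === name && r.op === op);
    if (matches.length === 0) continue;
    return { decidedBy: name, allowed: matches.some(r => passes(r, user, record)) };
  }
  return { decidedBy: null, allowed: false };   // nothing matched at any level
}

// Table rule first; only if it passes are field rules evaluated.
function canAccess(table, field, op, user, record = {}) {
  const t = evaluate(lineage(table), op, user, record);
  if (!t.allowed) return t;
  const f = evaluate(fieldCandidates(table, field), op, user, record);
  if (f.decidedBy === null) return t;   // model assumption: no field rule, table decision stands
  return f;
}

// Constructed users.
const supportAgent = { roles: ["itil"], groups: ["ACME Support"] };
const otherAgent   = { roles: ["itil"], groups: ["Network"] };
const endUser      = { roles: [],       groups: [] };

// Example calls: the end user is denied by the task read rule even though the
// "*" read rule would have allowed them, because the more specific rule shadows it.
console.log(canAccess("incident", "category", "write", supportAgent));   // allowed by incident.category
console.log(canAccess("incident", "category", "write", otherAgent));     // denied by incident.category
console.log(canAccess("incident", "short_description", "read", endUser)); // denied by task
```

The practical lesson the model makes visible: adding a lenient rule on a child table (for example an incident read rule with no roles) silently loosens access even when the parent task rule is strict, because the task rule is never consulted once an incident rule exists. Review the most specific rule name, not just the table's parent, whenever an ACL change is proposed.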

ACL video links

ACL Part 1

ACL Part 2

ACL Part 3

Comments

  1. Hello, can you please do videos on integration. Your videos are great and very helpful. Thanks in advance.


