john_garrisi
ServiceNow Employee

As software people, we often think in Boolean expressions: things are black or white, true or false, red or green. The same goes for access permissions in ServiceNow: you either have access or you do not, there are no grey areas.

I often hear "I have given the ITIL role this access, why does it not work?"

When we run Debug Security it tells us "yes" or "no" on access rights. However, understanding the grey areas in how row level and field level Access Control Lists (ACLs) are evaluated may prevent some issues from cropping up, or help solve them when they occur.

Here are the basics of evaluating ACLs:

  1. An ACL record has three control sections that all have to evaluate to True. In other words, the sections (condition, script, and requires role) are "ANDed" together.
  2. There are two types of ACLs: Row level and Field level. The difference between Row level and Field level is quite simply the dot.  
    • Any ACL that has a dot in the field definition, such as task.number, task.* is a Field level ACL.  
    • A Row level ACL will have no dot, such as task, incident etc. In the detail view, these show as Incident —None— or Task —None—.

Now that we know the difference between row level and field level, how are they evaluated? The answer is best explained with a picture:

[Image: row field acls servicenow.jpg, diagram of how row level and field level ACL results are combined]

This means that it will evaluate:

  • all row level ACLs combined with the logical OR
  • all field level ACLs combined with the logical OR
  • the results of those will be combined with the logical AND


If a row level ACL allows you to write but every field level ACL denies it, you will not get write access to the record, because the row level result and the field level result are combined with AND. Only when a row level ACL allows the write and a field level ACL also allows the write do you get write ability on the record.

Assuming the row level ACLs evaluate to True, what if some field level ACLs evaluate to true and some do not? The answer is that it depends on the operation of each field level ACL. A read ACL that evaluates to True allows the field to display; a read ACL that evaluates to False prevents the field from displaying. If the read ACL evaluates to true and the write ACL evaluates to false, the field is displayed in read only mode.
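To make the evaluation rules above concrete, here is a small JavaScript model of them (an added example, not ServiceNow code). It assumes a simplified ACL shape with `table`, `field` (null for row level), `operation`, `roles`, and optional `condition` and `script` functions; a level with no matching ACL is treated as not blocking, which is an assumption of this model, not a statement about the platform.

```javascript
// Each ACL's three control sections are ANDed: requires role, condition, script.
function aclMatches(acl, user) {
  const roleOk = acl.roles.length === 0 || acl.roles.some(r => user.roles.includes(r));
  const condOk = acl.condition ? acl.condition(user) : true;
  const scriptOk = acl.script ? acl.script(user) : true;
  return roleOk && condOk && scriptOk;
}

// Field level ACLs have a field after the dot (task.number, task.*); row level ACLs do not.
function isFieldLevel(acl) { return acl.field !== null; }

// ACLs at one level are ORed. Assumption: no ACL at a level means that level does not block.
function levelAllows(acls, user) {
  if (acls.length === 0) return true;
  return acls.some(acl => aclMatches(acl, user));
}

// Row level result AND field level result.
function hasAccess(acls, table, field, operation, user) {
  const forOp = acls.filter(a => a.table === table && a.operation === operation);
  const rowAcls = forOp.filter(a => !isFieldLevel(a));
  const fieldAcls = forOp.filter(a => isFieldLevel(a) && (a.field === field || a.field === '*'));
  return levelAllows(rowAcls, user) && levelAllows(fieldAcls, user);
}

// read false -> hidden; read true and write false -> read only; both true -> editable.
function fieldMode(acls, table, field, user) {
  if (!hasAccess(acls, table, field, 'read', user)) return 'hidden';
  return hasAccess(acls, table, field, 'write', user) ? 'editable' : 'readonly';
}

// Constructed sample ACLs (not from a real instance).
const ACLS = [
  { table: 'incident', field: null, operation: 'read',  roles: ['itil'],  condition: null, script: null },
  { table: 'incident', field: null, operation: 'write', roles: ['itil'],  condition: null, script: null },
  { table: 'incident', field: 'short_description', operation: 'read',  roles: ['itil'], condition: null, script: null },
  { table: 'incident', field: 'short_description', operation: 'write', roles: ['itil'], condition: null, script: null },
  { table: 'incident', field: 'priority', operation: 'read',  roles: ['itil'],  condition: null, script: null },
  { table: 'incident', field: 'priority', operation: 'write', roles: ['admin'], condition: null, script: null },
  // Second write ACL on the same field: ORed with the admin one, but its script must also pass.
  { table: 'incident', field: 'priority', operation: 'write', roles: ['itil'],  condition: null, script: u => u.isAssigned },
];

const itilUser = { roles: ['itil'], isAssigned: false };
const assignedItil = { roles: ['itil'], isAssigned: true };
const noRoleUser = { roles: [], isAssigned: true };
```

The row level write ACL passes for `itilUser`, yet `priority` is read only because neither field level write ACL for it matches; for `assignedItil` the scripted ACL passes and the field becomes editable.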
