Access Control List – ACL

Overview

An access control rule is a security rule that restricts what a user may view and do with data. Most security settings in ServiceNow are implemented with access control rules.

They are evaluated whenever a ServiceNow table is accessed, and they can be defined at the record (table) level or at the field level.

Access control rules restrict the standard CRUD operations (create, read, write, delete) and, in addition, ServiceNow-specific operations on tables and fields.

ServiceNow-specific operation examples include:

  • execute: the user cannot execute scripts on a record or UI page.
  • edit_ci_relations: the user cannot define relationships between Configuration Item [cmdb_ci] tables.
  • save_as_template: controls which fields are saved when a template is created.
  • report_on: the user cannot create reports on the object.
  • personalize_choices: the user cannot right-click a choice list field and select Configure Choices.

ACL evaluation process

Process order for record ACL rules

A user must pass both field and table ACL rules in order to access a record object.

  • If a user fails a field ACL rule but passes a table ACL rule, the user is denied access to the field described by the field ACL rule.
  • If a user fails a table ACL rule, the user is denied access to all fields in the table even if the user previously passed a field ACL rule.
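As an added illustration of this evaluation order (example code written for this page, not ServiceNow's own engine), the following stand-alone JavaScript models ACL rules as data and evaluates the table rule first and the field rule second, so that a failed table rule denies every field while a failed field rule denies only that field. A rule passes only when the user holds one of its roles, its condition matches the record and its script returns true. The rule set, the users, the records and the incident-extends-task hierarchy are constructed for the demo; the lookup order (own table, then parent table, then the wildcard `*`), the rule that a user need pass only one of several rules sharing the same name, the wording of the trace lines and the deny-when-no-rule-matches default are simplifying assumptions of this model, not statements about the platform's internals.

```javascript
'use strict';

// Constructed table hierarchy for the demo: incident extends task.
const parentOf = { incident: 'task' };

// Constructed sample rules. field === null marks a table-level rule.
// A rule passes only if ALL of its parts pass: roles (user holds at least one;
// an empty list means no role is required), condition (record fields equal the
// listed values) and script (must return true, like setting answer = true).
const rules = [
  { table: 'task', field: null, op: 'read', roles: ['itil'] },
  { table: 'incident', field: null, op: 'write', roles: ['itil'], condition: { active: true } },
  { table: 'incident', field: 'priority', op: 'write', roles: ['itil'],
    script: (rec, user) => rec.assigned_to === user.sys_id },          // only the assignee may reprioritise
  { table: 'task', field: 'sys_created_on', op: 'write', roles: [], script: () => false }, // never writable
  { table: '*', field: '*', op: 'write', roles: ['itil'] },            // wildcard field write
  { table: '*', field: '*', op: 'read', roles: [] },                   // wildcard field read, no role needed
];

function rulePasses(rule, user, record) {
  if (rule.roles.length && !rule.roles.some(r => user.roles.includes(r))) return false;
  if (rule.condition && !Object.entries(rule.condition).every(([k, v]) => record[k] === v)) return false;
  if (rule.script && rule.script(record, user) !== true) return false;
  return true;
}

// Object names to try, most specific first (assumed order: table, parent table(s), then '*').
function candidates(table, field) {
  const tables = [];
  for (let t = table; t; t = parentOf[t]) tables.push(t);
  tables.push('*');
  if (field === null) return tables.map(t => ({ table: t, field: null }));
  return [...tables.map(t => ({ table: t, field })), ...tables.map(t => ({ table: t, field: '*' }))];
}

// Evaluate one object (table or table.field) for one operation. The first candidate
// name that has rules for the operation applies; when several rules share that name
// the user only needs to pass one of them. No matching rule at all is treated as deny
// (a choice made by this model, not a statement about the platform default).
function evaluateObject(user, table, field, op, record, trace) {
  const label = `${table}.${field === null ? 'None' : field}/${op}`;
  for (const c of candidates(table, field)) {
    const matching = rules.filter(r => r.table === c.table && r.field === c.field && r.op === op);
    if (matching.length === 0) continue;
    const passed = matching.some(r => rulePasses(r, user, record));
    trace.push(`${label} via ${c.table}.${c.field === null ? 'None' : c.field}: ${passed ? 'pass' : 'fail'}`);
    return passed;
  }
  trace.push(`${label}: no rule (deny)`);
  return false;
}

// Table rule first, then field rule: both must pass for access to a field.
function evaluate(user, table, op, record, field = null) {
  const trace = [];
  let allowed = evaluateObject(user, table, null, op, record, trace);
  if (allowed && field !== null) allowed = evaluateObject(user, table, field, op, record, trace);
  return { allowed, trace };
}

function canAccess(user, table, op, record, field = null) {
  return evaluate(user, table, op, record, field).allowed;
}

function accessibleFields(user, table, op, record, fields) {
  return fields.filter(f => canAccess(user, table, op, record, f));
}

// Constructed users and records for the demo.
const alice = { sys_id: 'u1', roles: ['itil'] };
const bob   = { sys_id: 'u2', roles: ['itil'] };
const carol = { sys_id: 'u3', roles: [] };
const openIncident   = { active: true,  assigned_to: 'u1' };
const closedIncident = { active: false, assigned_to: 'u1' };
const FIELDS = ['priority', 'short_description', 'sys_created_on'];

function demo() {
  const cases = [
    ['alice writes open incident', alice, 'write', openIncident],
    ['bob writes open incident', bob, 'write', openIncident],
    ['alice writes closed incident', alice, 'write', closedIncident],
    ['carol reads open incident', carol, 'read', openIncident],
  ];
  for (const [label, u, op, rec] of cases) {
    console.log(label, '->', accessibleFields(u, 'incident', op, rec, FIELDS));
  }
  // Trace in the spirit of the Debug Security Rules pass/fail lines.
  console.log(evaluate(bob, 'incident', 'write', openIncident, 'priority').trace.join('\n'));
}
demo();
```

Running the block shows the two bullets above in action: bob passes the incident table rule but fails the incident.priority field script, so only that field is withheld from him, whereas carol fails the task table read rule (inherited by incident) and is denied every field even though the wildcard field read rule has no role requirement. A closed incident fails the table rule's condition, which likewise removes all write access at once.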

Access control definition: rule types

How to Determine If a User Has Permissions to Create, Read, and Write on an Extended Table

Description

ServiceNow uses access control list (ACL) rules, also called access control rules, to control what data users can access and how they can access it. ACL rules are enforced not only in the form UI but also for record updates made through API protocols such as web services. If a user lacks the permissions needed to create, read, or write on an extended table, the New or Edit buttons may not appear on a related list, or other unexpected results may occur.

Procedure

To find out whether the issue is caused by missing write or create access, turn on security debugging for your session. The Debug Security Rules module places a debug icon next to each field on a form. Point to the icon to see whether there are debug messages for that element, and click it to expand the details of read and write access. The Debug Security Rules module is very helpful whenever you are using ACLs to control access to records and fields.


Note:

To create or edit ACL rules, you must elevate privileges to the security_admin role.

Impersonation can simplify debugging ACL rules. First enable ACL debugging, then impersonate the affected user to see which ACL rules that user passes and fails. Test as the affected user rather than as an administrator: the admin role grants access regardless of security constraints, so an admin session will rarely reproduce the denial.

To verify ACL rules are not preventing the New and Edit button from appearing on a related list:

  • Navigate to System Security > Debug Security Rules to enable ACL rule debugging.
  • Reproduce the issue as the affected user.
  • Scroll down to the bottom of the form to view the ACL rule output messages. 

The output message lists the ACL rule name, the permissions required, and the evaluation result (pass or fail).

  • Review the debug output: search for the table name to find its security rule output.

    In this example we are investigating the [task_sla] table, so search for the term “task_sla”. Several security debug lines appear in red text, indicating that the corresponding rules failed. The user therefore does not have permission to create, write, or delete records in the selected table.


15 COMMENTS

  1. How do you make a site look this awesome? Email me if you get the chance and share your wisdom. I'd be thankful!

  2. If I have just signed up but I actually would really like to see a specific letter (Lorelei Lee’s), is there some place I’m able to possibly look at it or obtain a copy somehow?

  3. Hey there, you have done a great job. I will definitely digg it and personally suggest it to my friends.
    I’m sure they will benefit from this web site.

  4. * URGENT *

    Hi Ranjay,

    Hats off to you for such great effort and putting together a great professional knowledge base. I am overwhelmed by your knowledge and details that you cover in your videos.

    I have an urgent question/request for you; if you could either direct me to a place where I can get such help, or explain it to me, I would appreciate it.

    The question is hereunder:

    Question: At the company where I am starting my job as PM for ServiceNow, I have been told that they already have their ITAM program set up and have gone through some implementation and integration work.

    Right now, the main challenge they are facing is trying to get the data connection, data model, and things like that configured properly, so that the team can leverage the tool.

    The other challenges are the many CMDB data points, how they are connected to entitlements, how the software models are recognized within the module, and how all of the different data sources come in.

    These are all key requirements right now that they are trying to work through. Or, we could say that these are the major challenges at the moment.

  5. Thanks for your valuable content. I was confused about ACLs before your tutorial; now I’m in a better position.
