An Access Control List (ACL) in ServiceNow controls which data a user can access and how they can access it. In other words, a ServiceNow ACL decides (from the perspective of a ServiceNow security admin) what a user is allowed to reach in ServiceNow and which operations they may perform on that data: create, read, update (write) and delete. If you are reading this article, you are probably wondering how to create an ACL or how to fix ACL issues. Believe me, creating and working with ACLs is very simple. In this article we discuss the access control list in depth, along with a video demonstration of a ServiceNow Access Control List implementation.
Table of Contents
- Access Control List ServiceNow
- Access Control Checks (For Granting Permission)
- Types of ACL in ServiceNow
- Difference between table.none and table.* in ACL
- Things to be taken care at table.* and table.field
- ACL script in ServiceNow
- ServiceNow Debug ACL
- ServiceNow ACL Interview Question
- How to Create ACL in ServiceNow (Video Demonstration)
Access Control List ServiceNow
As discussed above, an ACL controls which data in ServiceNow a user can access and how they can access it. Through ACLs we implement security in ServiceNow: whether a field is visible to a user, whether a field is read-only, whether a user can delete a record, whether a user can create a record, and so on. A user has to pass a set of requirements in order to gain access or permissions to a particular piece of data. Those requirements are what we define in the access control list: the roles, the condition and the script of the ACL. We will talk about all of these in detail below.
In this article we discuss ACLs from the ServiceNow admin and ServiceNow developer perspective. So let's begin: the first thing required to create or edit an ACL in the ServiceNow platform is a role. You need the security_admin role; below we have shared a screenshot that shows how to assign this role to yourself.
The security_admin role is a session privilege, meaning that the elevation times out and is revoked after some time, let's say after 1 hour. If it times out, you can assign it to yourself again to continue working on ACLs. Below is the screenshot that shows how to assign this role to yourself.
Now type "access control" in the filter navigator; you will find the Access Control (ACL) option under System Security. Click on it and you will be taken to the ACL list view, where you will see the existing ACLs and a New button to create a new ACL. When we click New we are taken to the form displayed in the screenshot below:
Access Control Processing and Checks (For Granting Permission)
The most important point is that whatever we define in the ACL is checked before the user is given permission to access the requested field or table. An access control rule allows access to the specified resource only if all three of the following checks evaluate to true:
The user has one of the roles specified in the Role list, or the list is empty.
The conditions in the Condition field evaluate to true, or no condition is given.
The script in the Script field (which appears when the Advanced checkbox on the form is ticked) evaluates to true, or sets the variable "answer" to true, or is empty.
The three checks are evaluated independently, in the order shown above; a rule grants access only when none of them fails.
Below is a diagram taken from the ServiceNow Docs which shows exactly how an ACL is executed; the flow will give you a precise idea of ACL processing:
Types of ACL in ServiceNow:
There are various types of ACL in ServiceNow. You can find all the ACL types in the Type field of the ACL form, as displayed in the screenshot below. Only a few of them are widely used during development. Those ACL types are:
- record
- client_callable_script_include
Record:
When we talk about the record type, the ACL can be applied at row level or at field level. In other words, there are two kinds of record ACL: row-level ACLs and field-level (column-level) ACLs.
Row level ACL:
A row-level ACL is one named table.none (for example, anytablename.none), where none means that the rule does not target any specific field.
Field Level ACL:
In a field-level ACL we provide the name of the field on which we want to control the operation (create, read, write, delete), for example incident.assigned_to,
which means we are applying the ACL to the assigned_to field. Please find the screenshot below.
The ACL implemented in the image above is:
Write access on the assigned_to field of the incident table for users who have the sn_incident_write role.
Admin overrides is true, which means that an admin does not need the sn_incident_write role listed in the Requires role section in order to perform the write.
If we use incident.*, this is a field-level ACL in which we want to control the operation on all the fields of the table.
client_callable_script_include:
There is only one operation for a client-callable script include, which is execute. You give the name of the Script Include to which you need to apply the ACL in the Name field. Based on the given role, condition and script the ACL is evaluated when the script include is called. Please find the screenshot below:
Difference between table.none and table.* in ACL:
You will get this question in your interview round: what is the difference between table.none and table.* ACLs? It is a very basic and simple question to answer:
Table.none is a table-level ACL and table.* is a field-level ACL, where the * (wildcard) means that the ACL applies to all the fields of the table. The row-level (table-level) ACL must be satisfied before the field-level ACL is evaluated. For example, if you have to give a specific role read permission on all the fields of a table, you first give that role permission on table.none (row-level access) and then give the same role permission on table.* (field-level access). If you still need more clarity, I have shared a video link below where you will get a complete practical understanding.
*.* means: when * is used in the table part it matches all tables, and when * is used in the field part it matches all fields of a record.
Let's take some examples to understand the text above:
Operation to perform: Read
First ACL created: incident.none (required role: itil or itil_admin)
Second ACL created: incident.* (required role: itil_admin)
Result: only users with itil_admin have read access to the fields, because incident.* grants read access only to the itil_admin role. (This works because both ACLs have itil_admin in common.)
But if:
First ACL created: incident.none (required role: itil_admin)
Second ACL created: incident.* (required role: itil)
Result: a user with only the itil role will not see any record, because they only have read access at the field level and not at the record (row) level.
Things to be taken care at table.* and table.field:
Let's say there is already a read-operation ACL, for example named incident.assigned_to, for the itil role. If an incident.* read-operation ACL is then created for the itil_admin role, a user with the itil_admin role can read every field except assigned_to, because a more specific ACL already exists for that field and it requires the itil role. I believe this example has given you a good idea.
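As an added illustration (not ServiceNow's own engine), the following JavaScript models the three checks and the row-then-field processing described above, and reproduces the incident.none / incident.* / incident.assigned_to examples; the rules, users and record are constructed, and role inheritance (itil_admin containing itil) is deliberately ignored.

```javascript
// Simplified model of ServiceNow ACL processing (added illustration, not the
// real engine). Role inheritance such as itil_admin containing itil is ignored.
const hasRole = (user, roles) =>
  roles.length === 0 || roles.some((r) => user.roles.includes(r));
// A rule grants access only if all three checks pass; an empty role list,
// a missing condition or a missing script each count as passing.
function aclPasses(acl, user, record) {
  if (!hasRole(user, acl.roles)) return false;
  if (acl.condition && !acl.condition(record)) return false;
  if (acl.script) {
    // Like the Script field: the script may return true or set answer = true.
    const ctx = { answer: false, current: record, user };
    if (acl.script(ctx) !== true && ctx.answer !== true) return false;
  }
  return true;
}

// All rules with this exact name and operation; the user must pass one of them.
function passesAny(acls, name, op, user, record) {
  const rules = acls.filter((a) => a.name === name && a.operation === op);
  return rules.length > 0 && rules.some((a) => aclPasses(a, user, record));
}

// Row-level check: the table.none rule(s) for this operation.
function canAccessRow(acls, user, record, table, op) {
  return passesAny(acls, `${table}.none`, op, user, record);
}

// Field-level check: row level first, then only the most specific rule that
// exists (table.field, else table.*, else *.*) decides.
function canAccessField(acls, user, record, table, field, op) {
  if (!canAccessRow(acls, user, record, table, op)) return false;
  for (const name of [`${table}.${field}`, `${table}.*`, '*.*']) {
    if (acls.some((a) => a.name === name && a.operation === op)) {
      return passesAny(acls, name, op, user, record);
    }
  }
  return false; // no rule at any level: deny (assumption of this model)
}

// Constructed rules mirroring the article's examples, plus one scripted rule.
const acls = [
  { name: 'incident.none', operation: 'read', roles: ['itil', 'itil_admin'] },
  { name: 'incident.*', operation: 'read', roles: ['itil_admin'] },
  { name: 'incident.assigned_to', operation: 'read', roles: ['itil'] },
  { name: 'incident.none', operation: 'write', roles: [],
    script: (ctx) => { ctx.answer = ctx.current.caller_id === ctx.user.sys_id; } },
];
const incident = { caller_id: 'u1' }; // constructed record
const itilUser = { sys_id: 'u1', roles: ['itil'] };
const adminUser = { sys_id: 'u3', roles: ['itil_admin'] };
```

Running canAccessField(acls, adminUser, incident, 'incident', 'assigned_to', 'read') returns false while the same call for any other field returns true, which is the behaviour described in the paragraph above.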
ServiceNow Debug ACL:
To debug an ACL, navigate as follows:
System Security -> Debugging -> Debug Security Rules, then impersonate the user whose permissions you need to debug and open the form.
You will see small bug icons next to each field that has an ACL applied. Clicking one shows the list of ACLs evaluated for that field and whether each one passed (true/false). Please find the screenshot below.
To stop ACL debugging in ServiceNow:
Navigate as follows:
System Security -> Debugging -> Stop Debugging
ServiceNow ACL Interview Questions:
- What is the use of an ACL?
- How is an ACL processed or executed?
- What are row-level and field-level ACLs?
- Which is checked first, the row-level ACL or the field-level ACL?
- Other than an ACL, what can we use to make a field read-only for certain users?
- What role is required to create an ACL?
ACL in ServiceNow (Video Demonstration)
The link below will help you implement ACLs in ServiceNow and give you a basic understanding of ServiceNow ACLs with an example:
ServiceNow ACL's with Example Video Demonstration
I believe all the information about ACLs in ServiceNow will be helpful to you. We have tried to cover all the topics related to ServiceNow ACLs in this article, and we have also shared the practical implementation video link to give in-depth understanding of ServiceNow ACLs with examples. All the ServiceNow ACL interview questions listed above are answered in this article; if you still need more information on ACLs, please feel free to comment below, and please do share your feedback. Thank you!!
Thanks!!
Simple but effective explanation. ACL fundamentals understood clearly and quickly.
Awesome content.
Very helpful. Thank you for sharing such great information.