March 13, 2017

ServiceNow Documentation

This PDF was created from content on docs.servicenow.com. The web site is updated frequently.
For the most current ServiceNow product documentation, go to docs.servicenow.com.

March 13, 2017

 You can find the most up-to-date technical documentation on the ServiceNow web site at:
http://docs.servicenow.com
The ServiceNow site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@servicenow.com

Company Headquarters
2225 Lawson Lane
Santa Clara, CA 95054
United States
(408)501-8550

2017 ServiceNow. All rights reserved.

Terms of Use Privacy Statement

March 13, 2017 2017 ServiceNow. All rights reserved.

 ServiceNow | Create an ACL rule

Create an ACL rule

Create custom ACL rules to secure access to new objects or to change the default security
behavior.

Before you begin

Role required: security_admin

About this task

To create new ACL rules, you must elevate privileges to the security_admin role. For tables
that are in a different scope than the ACL rule record, the types of rules are limited.

Procedure

1. Elevate privileges to the security_admin role.

2. Navigate to System Security > Access Control (ACL).

3. Click New.

4. Define the object the ACL rule secures and the permissions required to access the
object.

5. Right-click the form header and select Save.

March 13, 2017 2017 ServiceNow. All rights reserved. 3

 ServiceNow | Create an ACL rule

Table 1. Access control fields

Field Description

Type Select what kind of object this ACL rule secures. The type of object determines
how the object is named and what operations are available. This field becomes
read only after the ACL rule is created (starting with the Geneva release). If you
want to change the type, you must delete the ACL and create a new one with the
correct type.
Operation Select the operation this ACL rule secures. Each object type has its own list of
operations. An ACL rule can only secure one operation. To secure multiple
operations, create a separate ACL rule for each.
Admin Select this check box to have users with the admin role automatically pass the
Overrides permissions check for this ACL rule, regardless of what script or role restrictions
would apply. However, the nobody role takes precedence over the admin override
option, so even admins cannot have access if they are assigned the nobody role.
See Base system roles.

Clear this check box if administrators must meet the permissions defined in this
ACL rule to gain access to the secured object. Since administrators always pass
role checks (see the description of the Requires role field), use the condition
builder or Script field to create a permissions check that administrators must pass.

Active Select this check box to enforce this ACL rule.

Advanced Select this check box to display the Script field.
Name Enter the name of the object being secured, either the record name or the table
and field names. The more specific the name is, the more specific the ACL rule is.

March 13, 2017 2017 ServiceNow. All rights reserved. 4

 ServiceNow | Create an ACL rule

Field Description

You can use the wildcard character asterisk (*) in place of a record name, table
name, or field name to select all objects that match a particular record type, all
tables, or all fields. You cannot combine a wildcard character and a text search.
For example, inc* is not a valid ACL rule name, but incident.* and *.number are
valid ACL rule names.
Description [Optional] Enter a description of the object or permissions this ACL rule secures.
Requires Use this list to specify the roles a user must have in order to access the object. If
role you list multiple roles, a user with any one of the listed roles can access the object.
The Requires role list appears as a related list.

Note: Users with the admin role always pass this permissions
check because the admin role automatically grants users all
other roles.

Condition Use this condition builder to select the fields and values that must be true for
users to access the object.
Script Enter a custom script describing the permissions required to access the object.
The script can use the values of the current and previous global variables as well
as system properties. The script must generate a true or false response in one of
two ways:

return an answer variable set to a value of true or false

evaluate to true or false

In either case, users only gain access to the object when the script evaluates to
true and the user meets any conditions the ACL rule has. Both the conditions and
the script must evaluate to true for a user to access the object.

Note: If the item you are evaluating the ACL for is in a related list,
current points to the item the related list is on instead of the
current item the ACL is for. However, If the item you are
evaluating the ACL for is not in a related list, current points
to the actual item.

Grant or deny access

When a user attempts to access a particular object, the system searches for ACL rules
that match the requested object's type, operation, and name.
Match ACL rules to objects

Each object type has its own matching requirements.

Evaluate ACL rule permission requirements

An ACL rule only grants a user access to an object if the user meets all of the permissions
required by the matching ACL rule.
Control whether script conditions apply to reference fields

If you want to enable script conditions for reference fields, you can add a system property.

March 13, 2017 2017 ServiceNow. All rights reserved. 5