Access Controls

If you are looking at this article, you probably are wondering how to fix an access control (ACLs) issue. I hope to help you on this journey!

What is an Access Control (ACL)?

An instance uses access control list (ACL) rules, also called access control rules, to control what data users can access and how they can access it. ACL rules require users to pass a set of requirements in order to gain access to particular data. Each ACL rule specifies:

  • The object and operation being secured

  • The permissions required to access the object

An ACL can effect data security:

  • A field visible/not visable

  • A field is readonly/not readonly

  • A record can be deleted/not deleted

  • A user can/can’t create a record

  • Etc

How to edit ACLs

You have to elevate your role to security_admin to edit Access controls

How to elevate your role

  1. Make sure you have the security_admin role. If you don’t have it, someone else with the role will have to grant it to you.

  2. In the User Menu > Click Elevate Roles

  3. In the elevate roles dialog, select security_admin and then click the OK button

Aspects of the Access Control Form

Access Control Form

Field Description
Type ACLs can run on Client Callable Script Includes, processor, record, REST_endpoints, and ui pages.  
99% of the time you are creating "record" ACLs.  Sometimes REST_endpoints. I haven't used the other types, but might someday.
Application Application containing the ACL.  The scoped application that created this ACL
Operation The type of operation on the data.  Most common options used: create, read, write, delete, and list_edit.
Active If the ACL is active or not.  This field is helpful if you are debugging ACLs.  You can turn ACLs off until you find the one with the issue.
Admin overrides Users with the admin role can override this rule. Personally I think this should always be checked, as an admin should be able to do everything.
However there are times when you want to to protect the admin from causing unwanton destruction.
Advanced Select this check box to display the Script field on the form
Protection policy Controls how application files are protected when downloaded or installed.
Aggravates developers by making things readonly, and you have to hack the system to get around this roadblock
Name Enter the name of the object being secured, either the record name or the table and field names. The more specific the name, the more specific the ACL rule. You can use the wildcard character asterisk (*) in place of a record, table, or field name to select all objects that match a record type, all tables, or all fields. You cannot combine a wildcard character and a text search. For example, inc* is not a valid ACL rule name, but incident.* and *.number are valid ACL rule names.
Description description of the object or permissions this ACL rule secures.
Requires role Use this list to specify the roles a user must have to access the object. If you list multiple roles, a user with any one of the listed roles can access the object. The Requires role list appears as a related list.
Condition Use this condition builder to select the fields and values that must be true for users to access the object.
Script Enter a custom script describing the permissions required to access the object. The script can use the values of the current and previous global variables as well as system properties. The script must generate a true or false response in one of two ways: return an answer variable set to a value of true or false evaluate to true or false In either case, users only gain access to the object when the script evaluates to true and the user meets any conditions the ACL rule has. Both the conditions and the script must evaluate to true for a user to access the object.


Table Level ACL with None

Incident Delete ACL

  • Delete ACL on the incident table level

  • Admin Overrides is true and Requires role of itil_admin

  • If the user has the admin or itil_admin role, they get delete access to the incident table

Table Level ACL with * wildcard

Incident Read ACL

  • Read acl applies to all the fields on the incident table

  • Makes all the fields are viewable on the incident table

  • There are other acls in ServiceNow that block read access to individual ServiceNow fields

TaBLE Level ACL with Script

  • Table-level ACL for read access on the incident table

  • Admin Overrides is true

  • There is a script in the ACL that allows the opened by, caller, or users on the watchlist read access to the incident table.

  • If a user is an admin, opened by, caller or user on the watchlist on the incident, they get read access.

Example Field Level ACLs

Field Level ACL with Required Role

  • Field-level ACL for write access on the Incident table for the Caller field.

  • Admin overrides is true

  • It requires the itil or sn_incident_write role

  • If a user has the admin, itil, or sn_incident_write role, they receive write access to the Caller field

Field Level ACL with Condition

  • Field-level ACL for write access on the Incident table for the Resolution code field.

  • Admin overrides is true

  • It has a condition that incident state is not closed

  • If the incident state is not closed, they receive write access to the Resolution code field

Access Control processing

We just look at individual ACLs and how they work. However it is many individual ACLs working together to form the data security for ServiceNow. They also process within themselves in an order (Roles > Condition > Script).

Here is a good chart that shows the ACL process


If you found this article, you likely are trying to fix a readonly issue.

This is my process for debugging ACLs:

  1. Table or Field. Is this a table-level or field-level issue? Look at related ACLs for issues

  2. Parent Table. Look at parent table ACLs if applicable

  3. Active Flag. Flip the active flag to false on ACLs to find conflicting ACLs. If found, fix the ACL. Remember to flip the active back to true when completed.

  4. Add ACL. Add new ACLs as needed. Sometimes you deactivate an ACL, but that isn’t that often. Don’t delete ACLs, that causes issues later for the most part.

  5. Browser Console. View the Browser Console for errors

  6. Debug Tool. Run the Access Control Debug and other debug tools ServiceNow has.

  7. Other Code. There is other code in ServiceNow that affects security. Look in those areas as well

    • Client Script

    • UI Policy

    • Data Policy

    • Business Rules

    • Dictionary

    • Script Includes

  8. Ask for Help. Community > Consultant > HI Support. I try not to bother HI Support much on ACL issues, but sometimes you do get truly stumped

Here is a helpful table of ACL failure reasons. I highlighted the most common operations.

Operation Results of failing an ACL rule on object
execute User cannot execute scripts on a record or UI page.
create User cannot see the New UI action from forms. The user also cannot insert records into a table using API protocols such as web services.
A create ACL with a condition requiring that a field contain a specific value always evaluates as false. Fields on new records are considered empty until the record is saved.
read User cannot see the object in forms or lists. The user also cannot retrieve records using API protocols such as web services.
write User sees a read-only field in forms and lists, and the user cannot update records using API protocols such as web services.
delete User cannot see the Delete UI action from forms. The user also cannot remove records from a table using API protocols such as web services.
edit_task_relations User cannot define relationships between task tables.
edit_ci_relations User cannot define relationships between Configuration Item [cmdb_ci] tables.
save_as_template Used to control the fields that should be saved when a template is created.
add_to_list User cannot view or personalize specific columns in the list mechanic.
list_edit User cannot update records (rows) from a list.
report_on User cannot create a report on the ACL table. For more information, see Restrict report creation with an ACL rule.
report_view User cannot view the content of a report on the ACL table or on the ACL field. For more information, see Restrict report creation with an ACL rule.
personalize_choices User cannot right-click a choice list field and select Configure Choices.

Your thoughts

If made any mistakes in this article, missed something, or have your own way to debug ACLs let me know in the comments below!