The most confusing part of an Access Control List (ACL) is the field list. When you select a table from the Name field, it secures the table and all of its records. If you select any of the fields, or the *, in the second field, the ACL will secure that specific field in the table. As an example, if I were to select Comments from the drop-down, it would restrict access to the Comments field in the Employee table. More information about the two fields can be found in the Access control rules article in the ServiceNow docs.
The two options I want to cover are the -- None -- and * choices. They have similar purposes but yield different results. It took me a while to gain an understanding of when and where to use them. The To * or Not to * training module helped me figure them out.
The -- None -- Option
The -- None -- option secures the records of the table rather than any one field: a user can access a record as long as they pass the rule's required roles and any condition on it.
In the example above, employees are allowed to see all the records in the Employee table where they are the user. After making the employee-specific ACL, I would proceed to make an ACL for the managers where they can see the records of their employees (see my post about Dynamic Filter Options). I would also make an ACL for the admins where they can see every record.
The * Option
The * option applies to every field in the table: a user who passes the rule's required roles and condition can access any field that does not have a more specific ACL of its own.
This ACL lets the employees, managers, and admins read all the fields in a record from the Employee table.
Restricting Certain Fields
If we want to restrict a user from seeing a certain field, we need to give them access to all the fields first. We did this in the previous example. To restrict the employees from seeing the Comments field, we would create a new ACL with Comments selected and have admin and manager as required roles. We do not have employee as a required role because we do not want them to have access to the Comments field.
This ACL allows admins and managers to read the Comments field in the Employee table. If we hadn't previously made an ACL that let employees, admins, and managers read all the fields, the Comments field would be the only field they would have access to see. If you only want a few fields restricted, it is important to remember to allow all the roles access to every field first, then use additional ACLs to restrict access on some fields.
Putting it all Together
After making all the ACLs, both admins and managers should be able to see all the records and all the fields in the Employee table. Employees should be able to see all the fields except for Comments in the records where they are the users.
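To make the evaluation order concrete, here is an added JavaScript model of how the rules above combine. It is not ServiceNow code and not part of the original post: the table name u_employee, the manager condition (a stand-in for the dynamic filter), and the default-deny result when no rule matches are assumptions of the example.

```javascript
// Added example: a simplified model of ACL evaluation, not ServiceNow's engine.
// Rule order encoded here: the record-level ("-- None --") rule must pass first,
// then the most specific field-level rule (table.field before table.*), and a
// field with no matching rule at all is denied (assumed default-deny).

// `field: null` models the "-- None --" choice; conditions are plain functions.
// Table name u_employee is hypothetical.
const acls = [
  // Record-level rules on the Employee table.
  { table: 'u_employee', field: null, roles: ['employee'], condition: (rec, user) => rec.user === user.id },
  // Simplified stand-in for the manager dynamic filter: manager of the record.
  { table: 'u_employee', field: null, roles: ['manager'],  condition: (rec, user) => rec.manager === user.id },
  { table: 'u_employee', field: null, roles: ['admin'],    condition: () => true },
  // Field-level "*" rule: every role may read every field.
  { table: 'u_employee', field: '*', roles: ['employee', 'manager', 'admin'], condition: () => true },
  // Field-level rule on Comments: admin and manager only (employee omitted on purpose).
  { table: 'u_employee', field: 'comments', roles: ['admin', 'manager'], condition: () => true },
];

// A rule passes when the user holds one of its roles and its condition holds.
function passes(acl, rec, user) {
  return acl.roles.some(r => user.roles.includes(r)) && acl.condition(rec, user);
}

// Can `user` read `field` of record `rec` in `table` under the given rules?
function canRead(rules, table, rec, field, user) {
  // 1. Record level: some "-- None --" rule for the table must pass.
  const recordRules = rules.filter(a => a.table === table && a.field === null);
  if (!recordRules.some(a => passes(a, rec, user))) return false;
  // 2. Field level: a rule naming the field wins; "*" is consulted only when
  //    no rule names the field. No matching rule means denied.
  let fieldRules = rules.filter(a => a.table === table && a.field === field);
  if (fieldRules.length === 0) fieldRules = rules.filter(a => a.table === table && a.field === '*');
  return fieldRules.some(a => passes(a, rec, user));
}

// Constructed sample data.
const employeeRec = { user: 'u1', manager: 'm1', name: 'Pat', comments: 'private note' };
const employee = { id: 'u1', roles: ['employee'] };
const otherEmployee = { id: 'u2', roles: ['employee'] };
const manager = { id: 'm1', roles: ['manager'] };
const admin = { id: 'a1', roles: ['admin'] };
```

Dropping the `*` rule from `acls` reproduces the pitfall described above: even admins then lose every field except Comments.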
Awesome post Aylee!