5.2 Access Control (ACLs) & Security
Key Takeaways
- ServiceNow security is deny-by-default: a user is granted access only when a matching ACL evaluates to true.
- ACLs evaluate from most specific to least specific: table.field rules before table.None (record) rules, then row/wildcard fallbacks.
- An ACL grants access only if ALL of these pass: the role requirement, the condition, AND the script — all three must be satisfied.
- Contextual (row-level) security is enforced through ACL conditions and scripts, not just role checks.
- The security_admin role is required to elevate privileges and modify high-security settings such as the High Security Settings plugin and other ACLs.
Why ACLs Dominate This Domain
If you only deeply learn one topic for the Database Management and Platform Security domain, make it Access Control Lists (ACLs). ACLs are the heart of ServiceNow data security, and the CSA exam reliably includes scenario questions about why a user can or cannot see or edit a field.
ServiceNow security is deny-by-default (also called secure by default). A user has no access to an object unless an ACL rule explicitly grants it and that rule evaluates to true. If no ACL matches at all for an operation, access is denied.
What an ACL Rule Contains
Each ACL rule (stored in the sys_security_acl table) specifies:
- Type —
record(table/field data),client_callable,processor,REST_Endpoint, etc. Most CSA questions concern therecordtype. - Operation —
read,write,create,delete, plus list/report operations. - Name — the object, written as
table.field. A field name of*orNonemeans the rule applies at the record (row) level; a specific field name makes it a field-level rule. - Required Roles — zero or more roles the user must hold.
- Condition — a condition builder expression that must be true.
- Script — an optional server-side script that must return/
answertrue.
ACL Evaluation Order (Memorize This)
ServiceNow evaluates ACLs from most specific to least specific. For a given operation on a given field, the platform checks rules in this order:
| Order | Scope | Example name |
|---|---|---|
| 1 | Match the specific field on the specific table | incident.short_description |
| 2 | Match the table-level (record) rule for that table (field = None/*) | incident.None |
| 3 | Match the field on a parent/wildcard table | task.short_description |
| 4 | Match the wildcard table record rule | *.None (*.* ) |
Within that order, the rule is split into the field-level check and the record-level check. To gain access to a field, the user must pass both the matching field ACL and the matching record ACL for that operation. If no field-level ACL exists for that exact field, ServiceNow falls back to the more general (parent or wildcard) ACL — it does not automatically grant access.
How a Single ACL Decides (AND Logic)
When the platform evaluates one matching ACL rule, the user is granted access through that rule only if every of the following passes:
- Roles — the user has at least one of the Required Roles (or the rule lists no role).
- Condition — the condition builder expression evaluates to true.
- Script — the ACL script (if present) sets
answer = true.
All three must be satisfied. This is AND logic within a rule. Across multiple matching rules at the same specificity level, if any one of them grants access, access is granted (OR logic across rules of equal specificity). Remember the distinction: within a rule it is AND; across same-level rules it is OR.
Roles, Conditions, and Scripts
- Role requirement is the simplest gate. Common roles include
admin(full access),itil(fulfiller),security_admin(security configuration), and application-specific roles. Theadminrole generally satisfies most ACLs but does not bypass scripted ACLs that explicitly deny access. - Conditions are declarative filters built in the condition builder (for example, Assigned to is the current user). Prefer conditions over scripts when the logic is simple — they are easier to maintain and read.
- Scripts handle logic conditions cannot express. An ACL script sets the variable
answerto true or false. Use scripts only when necessary; over-scripting ACLs hurts performance and maintainability.
Contextual / Row-Level Security
Contextual security means access depends on the data in the record and the current user, not just on a static role. For example, "a user can read an HR case only if they are the subject, the assigned agent, or a member of the HR group." This is implemented by adding conditions or scripts to record-level ACLs (for example, current.assigned_to == gs.getUserID()). Role checks alone are coarse; conditions and scripts deliver true row-level security.
High Security Settings and Security Admin Elevation
ServiceNow ships with a High Security Settings plugin and a base system default deny property (glide.sm.default_mode) so that unmatched objects are denied rather than allowed. Editing ACLs and other high-security configuration is itself protected.
To modify ACL rules or high-security settings, an administrator must elevate to the security_admin role. Even a user with the admin role does not automatically have security_admin; they hold it as an elevatable role and must explicitly elevate (via the user menu Elevate Role) for the current session. This separation prevents accidental or unauthorized changes to the security model and creates an audit trail of who changed access control.
| Setting / Concept | Purpose |
|---|---|
| High Security Settings plugin | Enforces stricter default access and the security_admin requirement |
security_admin role | Required to create or modify ACLs and high-security settings; must be elevated per session |
| Default deny property | Unmatched objects are denied access by default |
| Elevate Role | Temporarily activates an elevatable role like security_admin for the session |
Common Exam Trap
A user reports they cannot edit a field even though they have the right role. The usual cause is that a more specific field-level ACL is failing its condition or script, even though the record-level ACL passes. Always check the most specific matching ACL first, because evaluation goes from specific to general.
A user has the required role and the ACL condition is satisfied, but the ACL also contains a script that sets answer = false. Can the user access the object through this ACL rule?
ServiceNow evaluates ACL rules in which order?
An administrator with the admin role needs to modify an ACL rule but the ACL form fields are read-only. What is the most likely reason and resolution?