Deny Unless ACL


There is a hidden gem in the Xanadu release of ServiceNow: the deny-unless ACL. Updates to core functionality such as Access Control (ACL) are easy to overlook, but this one deserves your attention. It greatly simplifies ACL configuration for a common class of business requirements, letting you tighten access with far less effort and far fewer rules to maintain.

Consider the following requirements.

  • Create a new role called “incident-VIP”.
  • Only allow users with the incident-VIP role to update incidents submitted by, or on behalf of, users who are flagged as VIPs.

Out-of-the-box, there are four record-level write ACLs for the incident table.  Each one grants write access to some or all incidents based on different criteria.

Prior to Xanadu, the condition on each of these ACLs would have to be modified so that it no longer matched incidents for VIPs. Then, depending on how much of the existing access configuration should be preserved for VIP incidents, between one and four new ACLs would have to be created to grant write access on VIP incidents to the incident-VIP role.

Let’s take a look at how that would work with one of the ACLs.

The required updates to the existing ACL are highlighted in yellow.

And, the new ACL, limiting access to VIP incidents to the incident-VIP role, would look like this:

Repeat the above steps for the remaining three ACLs, taking care not to alter any of the existing access to the incident table, and you will have satisfied the requirement. Certainly doable, but not exactly simple.

In Xanadu, however, we can satisfy this requirement by adding one deny-unless ACL and leaving the four existing ACLs untouched.

Here is the ACL we would add.

Deny-unless ACLs are evaluated first. The other ACLs, now called “allow-if” ACLs, are evaluated only if the user passes every deny-unless ACL. In this case, for a VIP incident the deny-unless ACL first checks whether the user has the incident-VIP role. If not, ACL evaluation stops and write access is denied; the allow-if ACLs are never consulted. If the user does have the role, evaluation continues and write access is granted only if one of the allow-if ACLs evaluates to true. A deny-unless ACL therefore never grants access by itself: all of the existing write restrictions on incidents still apply, and a user who holds only the incident-VIP role, with nothing that satisfies an allow-if ACL, still cannot write. For non-VIP incidents the new ACL does not apply, so access there is unchanged.
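To make the evaluation order concrete, here is a small JavaScript model of the deny-unless-then-allow-if logic described above. It is an added illustration, not ServiceNow’s ACL engine and not the instance’s actual ACL definitions: the two allow-if rules (itil can write any incident; a caller can write their own incident) are simplified stand-ins for the out-of-the-box write ACLs, the users and incidents are constructed sample data, and `canWrite` models only the ordering rule, not condition builders, ACL scripts or field-level ACLs. The final function shows the trap the post alludes to: adding the VIP rule as an ordinary allow-if ACL cannot restrict anything, because allow-if rules only ever widen access.

```javascript
// Constructed model of the Xanadu ACL evaluation order: every deny-unless rule
// must pass before any allow-if rule is consulted. Added example; NOT ServiceNow
// code, and the allow-if rules are simplified stand-ins, not the real OOB ACLs.

// A user is a sys_id plus a set of roles (constructed sample data).
function makeUser(sysId, roles) {
  return { sysId, roles: new Set(roles) };
}

// A minimal incident: who it was opened for and whether that caller is a VIP.
function makeIncident(callerId, callerIsVip) {
  return { callerId, callerIsVip };
}

// Stand-ins for the existing record-level write ACLs (assumption, simplified).
// Each ACL is { type, name, passes(user, record) }.
const allowIfAcls = [
  { type: 'allow-if', name: 'itil can write any incident',
    passes: (user) => user.roles.has('itil') },
  { type: 'allow-if', name: 'caller can write own incident',
    passes: (user, rec) => rec.callerId === user.sysId },
];

// The new Xanadu rule: on VIP incidents, deny unless the user holds incident-VIP.
// On non-VIP incidents the rule is satisfied trivially, so nothing changes there.
const vipDenyUnless = {
  type: 'deny-unless', name: 'VIP incidents require incident-VIP',
  passes: (user, rec) => !rec.callerIsVip || user.roles.has('incident-VIP'),
};

// Evaluation order described in the post: all deny-unless rules first; only if
// every one passes is access granted when ANY allow-if rule passes.
function canWrite(user, record, acls) {
  const denyUnless = acls.filter((a) => a.type === 'deny-unless');
  const allowIf = acls.filter((a) => a.type === 'allow-if');
  if (!denyUnless.every((a) => a.passes(user, record))) {
    return false; // failed a deny-unless rule: stop, allow-if rules never run
  }
  return allowIf.some((a) => a.passes(user, record));
}

// Scenarios a practitioner would want to verify before promoting the ACL.
function runScenarios() {
  const acls = [...allowIfAcls, vipDenyUnless];
  const itilUser = makeUser('u-itil', ['itil']);
  const vipAgent = makeUser('u-vipagent', ['itil', 'incident-VIP']);
  const vipRoleOnly = makeUser('u-viponly', ['incident-VIP']);
  const vipCaller = makeUser('u-vipcaller', []);

  const normalIncident = makeIncident('u-someone', false);
  const vipIncident = makeIncident('u-vipcaller', true);

  return {
    // Non-VIP incident: deny-unless rule is a no-op, existing access unchanged.
    itilNormal: canWrite(itilUser, normalIncident, acls),       // true
    // VIP incident without incident-VIP: blocked before allow-if rules run.
    itilVip: canWrite(itilUser, vipIncident, acls),             // false
    // Has incident-VIP AND an allow-if rule (itil) grants: write allowed.
    vipAgentVip: canWrite(vipAgent, vipIncident, acls),         // true
    // incident-VIP alone passes deny-unless but nothing grants: still denied.
    vipRoleOnlyVip: canWrite(vipRoleOnly, vipIncident, acls),   // false
    // The VIP caller's own self-service write is blocked too, per the requirement.
    vipCallerOwn: canWrite(vipCaller, vipIncident, acls),       // false
  };
}

// Counter-example: the same VIP rule added as an allow-if instead. Allow-if rules
// can only widen access, so an itil user still writes VIP incidents. This is why
// the pre-Xanadu approach had to edit the existing ACLs.
const vipAllowIf = {
  type: 'allow-if', name: 'incident-VIP can write VIP incidents',
  passes: (user, rec) => rec.callerIsVip && user.roles.has('incident-VIP'),
};

function allowIfOnlyScenario() {
  const acls = [...allowIfAcls, vipAllowIf];
  const itilUser = makeUser('u-itil', ['itil']);
  const vipIncident = makeIncident('u-vipcaller', true);
  return canWrite(itilUser, vipIncident, acls); // true: restriction not enforced
}
```

The `vipRoleOnlyVip` and `vipCallerOwn` cases are the ones to test on a real instance: the deny-unless ACL removes access, it never adds any, so a VIP desk analyst still needs whatever role the existing allow-if ACLs require, and a VIP who opened their own incident can no longer update it unless they are also given incident-VIP.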

The addition of the deny-unless ACL may not be as glamorous as some of the other new features in Xanadu.  Nonetheless, it is a welcome addition that will streamline access control configuration.

While the above technical tip has been provided with care and consideration, it’s important to acknowledge that individual circumstances may vary. Always ensure compatibility and feasibility within your specific ServiceNow environment before implementing any suggestions. Additionally, back up your data and proceed with caution when making any changes to your instance or workflows. 


As with any change in ServiceNow, make sure you test any changes prior to moving to production.