In today’s data-driven enterprises, information security and access control have become non-negotiable. With massive amounts of sensitive data stored and processed, organizations must implement strong measures to ensure that only the right people have access to the right information — and nothing more. For ServiceNow users, this is where Access Control Lists (ACLs) come into play.
Whether you’re a ServiceNow developer, an admin, or a security architect, understanding and properly configuring ServiceNow ACLs is essential for effective access governance.
This comprehensive guide will help you master ServiceNow ACLs, from the fundamentals to best practices, implementation tips, and advanced troubleshooting techniques.
ServiceNow ACLs
An ACL (Access Control List) in ServiceNow is a set of security rules that determine a user’s ability to access and interact with data within the platform. These rules control actions such as viewing (read), creating, updating (write), or deleting records and specific fields across tables. ACLs work by evaluating a combination of user roles, defined conditions, and optional scripts to decide whether access should be granted or denied. This layered approach ensures that only authorized users can access sensitive information, helping organizations maintain data integrity, enforce role-based access control, and comply with internal and external security standards.
Different Types of Access Controls :
In ServiceNow, Access Controls (or ACLs) come in various types, each designed to manage permissions at different levels. Understanding these types is essential for implementing secure and efficient access policies. Here are the main types of access controls in ServiceNow:
1. Record-Level Access Controls
These ACLs control access to entire records in a table. They determine whether a user can:
- Read: View the record
- Write: Edit the record
- Create: Add a new record
- Delete: Remove a record
✅ Example: Only incident managers can delete incident records.
2. Field-Level Access Controls
These control access to specific fields within a record. Even if a user can see the record, field-level ACLs may hide or lock individual fields.
✅ Example: Only HR users can view or edit the “Salary” field in an employee record.
3. Table.None Access Control
This ACL type applies to all records in a table, regardless of the field or operation. It acts as a fallback when no specific ACL is defined.
✅ Example: If no other ACLs are present, a Table.None ACL can deny all access unless explicitly allowed.
4. Wildcard ACLs
These use the wildcard * to apply an access rule to multiple operations or fields at once.
✅ Example: An ACL like incident.* can define access for all fields in the Incident table.
5. Before Query ACLs
These are advanced ACLs that run before a query is executed, filtering out records the user should not see.
✅ Example: A script that only allows users to see incidents from their own department.
How to Create an ACL in ServiceNow
Step 1: Navigate to ACLs
Go to System Security > Access Control (ACL) in the left-hand navigation pane.
Step 2: Click “New”
This opens a form to create a new Access Control Rule.
Step 3: Define Basic Details
- Type: Choose between
recordorfield - Operation: Select the action you want to control (e.g.,
read,write,create,delete) - Table: Choose the table the rule should apply to (e.g.,
incident)
Step 4: Set Conditions (Optional)
Use the Condition Builder to set logic without scripting — such as “Active is true”.
Step 5: Add Script (Optional)
For more complex scenarios, use a script that evaluates to true or false. For example:
javascriptCopyEditanswer = current.assigned_to == gs.getUserID();
Step 6: Assign Roles
Specify the required roles a user must have to pass the ACL rule.
Step 7: Save and Test
Click Submit and then impersonate a user with specific roles to test if the ACL works as expected.
Conclusion
Mastering ServiceNow ACLs is crucial for secure and scalable access control within your organization. With proper planning, scripting, and testing, ACLs can help you deliver a user experience that is both secure and seamless.
If you’re just getting started, focus on understanding how roles, conditions, and scripts interact. For advanced users, take advantage of reusable logic and debug tools.
Need Help with Your ServiceNow Security Strategy?
At MLE Systems, we specialize in secure, scalable, and efficient ServiceNow implementations. From setting up ACLs to complete governance models, our team ensures your platform is compliant, fast, and protected.