ServiceNow

Access Controls: How Data Visibility and Permissions Are Managed in ServiceNow

How ACLs control who can create, read, update, and delete data


Security and data governance are critical components of any enterprise platform. In ServiceNow, Access Controls determine whether a user can view or interact with data stored in tables across the platform. Access controls ensure that only authorized users can access specific records or fields, helping organizations maintain security, protect sensitive information, and enforce role-based access policies.

In this post, we’ll explore what Access Controls are, how they work, and the key components that define them.

What Are Access Controls?

An Access Control, captured in an ACL (Access Control List), determines whether a user is allowed to access data within a table.

ACLs act as security rules that evaluate whether a user has the appropriate permissions to perform certain actions on table data. These rules are evaluated whenever a user attempts to interact with records in the system.

CRUD Operations Controlled by ACLs

Access controls regulate four primary operations within ServiceNow:

    • Create
    • Read
    • Update
    • Delete

These operations are often referred to as CRUD operations.

When a new table is created in ServiceNow, ACLs for these operations are automatically generated. Administrators can then configure the rules that determine which users or roles are allowed to perform each operation.

For example:

    • A user may have permission to read a record but not update it.
    • Certain roles may be allowed to create records but not delete them.

The Security Admin Role

Modifying access controls requires elevated permissions.

To create or edit ACLs, a user must have the security_admin role in ServiceNow. This role grants the authority to manage security rules that control access to platform data.

Because ACLs directly affect system security and governance, access to this role is typically restricted to experienced administrators.

The Three Components of an Access Control

Every access control rule in ServiceNow is built around three key components.

1. Operation

The operation defines the action that is being controlled.

Common operations include:

    • Create
    • Read
    • Update
    • Delete

Each ACL is associated with one specific operation.

2. Object Being Secured

The object refers to the item being protected.

This is typically:

    • A table (record-level security), or
    • A field within a table (column-level security)

For example, an ACL might control access to:

    • The entire Incident table
    • A specific field like salary in an employee record

3. Required Permissions

The final component is the permissions required for access. If multiple permissions are defined within an ACL, all conditions must evaluate to true before access is granted.

This ensures that only users who fully meet the security requirements can perform the specified operation.
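
The three components can be modeled in a few lines of JavaScript. This is an added example, not ServiceNow's evaluation engine or code from the original post. The rule shape, the role names, the employee table name, the assigned_to check, and the deny-when-no-rule-matches behavior are all assumptions of the model.

```javascript
// Simplified model of an ACL: operation + secured object + required permissions.
// Constructed sample rules; role names and the "employee" table are hypothetical.
const rules = [
  { operation: "read", object: "incident",
    requires: [(u) => u.roles.includes("itil")] },
  { operation: "update", object: "incident",
    requires: [
      (u) => u.roles.includes("itil"),
      (u, rec) => rec.assigned_to === u.id, // second permission: must also be true
    ] },
  // Field-level rule: object is table.field
  { operation: "read", object: "employee.salary",
    requires: [(u) => u.roles.includes("hr_admin")] },
  // Misconfigured on purpose: no required permissions at all
  { operation: "delete", object: "incident", requires: [] },
];

// A rule applies only when both the operation and the secured object match.
function matchingRules(operation, object) {
  return rules.filter((r) => r.operation === operation && r.object === object);
}

// Access is granted when a matching rule exists and ALL of its permissions are true.
// No matching rule means deny (assumption of this model).
function canAccess(user, operation, object, record = {}) {
  return matchingRules(operation, object).some((r) =>
    r.requires.every((check) => check(user, record))
  );
}

// Review helper: a rule with an empty permission list lets every user through
// in this model, because "all conditions true" holds trivially.
function unrestrictedRules() {
  return rules
    .filter((r) => r.requires.length === 0)
    .map((r) => `${r.operation}:${r.object}`);
}

const agent = { id: "u1", roles: ["itil"] }; // constructed user
console.log("read incident:", canAccess(agent, "read", "incident"));
console.log("update someone else's incident:",
  canAccess(agent, "update", "incident", { assigned_to: "u2" }));
console.log("read salary field:", canAccess(agent, "read", "employee.salary"));
console.log("rules with no permissions:", unrestrictedRules());
```

The last rule is the case to look for when reviewing a table's ACLs: an operation and an object with nothing required.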

Viewing the ACL Tab for a Table

If you want to quickly view the access controls associated with a table, ServiceNow provides a convenient shortcut.

Simply type the following into the navigation filter or URL:

[table_name].config

This will open the table configuration page and display the ACL tab, where you can review the access controls associated with that table.
