Security and data governance are critical components of any enterprise platform. In ServiceNow, Access Controls determine whether a user can view or interact with data stored in tables across the platform. Access controls ensure that only authorized users can access specific records or fields, helping organizations maintain security, protect sensitive information, and enforce role-based access policies.
In this post, we’ll explore what Access Controls are, how they work, and the key components that define them.
What Are Access Controls?
An Access Control, captured in an ACL (Access Control List), determines whether a user is allowed to access data within a table.
ACLs act as security rules that evaluate whether a user has the appropriate permissions to perform certain actions on table data. These rules are evaluated whenever a user attempts to interact with records in the system.
CRUD Operations Controlled by ACLs
Access controls regulate four primary operations within ServiceNow:
These operations are often referred to as CRUD operations.
When a new table is created in ServiceNow, ACLs for these operations are automatically generated. Administrators can then configure the rules that determine which users or roles are allowed to perform each operation.
For example:
The Security Admin Role
Modifying access controls requires elevated permissions.
To create or edit ACLs, a user must have the security_admin role in ServiceNow. This role grants the authority to manage security rules that control access to platform data.
Because ACLs directly affect system security and governance, access to this role is typically restricted to experienced administrators.
The Three Components of an Access Control
Every access control rule in ServiceNow is built around three key components.
1. Operation
The operation defines the action that is being controlled.
Common operations include:
Each ACL is associated with one specific operation.
2. Object Being Secured
The object refers to the item being protected.
This is typically:
For example, an ACL might control access to:
3. Required Permissions
The final component is the permissions required for access. If multiple permissions are defined within an ACL, all conditions must evaluate to true before access is granted.
This ensures that only users who fully meet the security requirements can perform the specified operation.
Viewing the ACL Tab for a Table
If you want to quickly view the access controls associated with a table, ServiceNow provides a convenient shortcut.
Simply type the following into the navigation filter or URL:
[table_name].config
This will open the table configuration page and display the ACL tab, where you can review the access controls associated with that table.