Access Control Rules (ACLs) in ServiceNow determine who can access a record, table, or field. They are evaluated in a specific order to ensure security.
Table-Level ACLs are evaluated first
ServiceNow first checks if the user has permission to access the table itself.
If the user does not have access at the table level, no further checks are performed.
Field-Level ACLs are evaluated next
Once table access is granted, ServiceNow checks if the user has permission to access individual fields.
More specific ACLs override broader ones (e.g., incident.short_description takes priority over incident.*).
Order of Specificity (Most Specific to Least Specific)
Field-Specific ACL (incident.short_description.read)
Wildcard Field ACL (incident.*.read)
Table-Level ACL (incident.read)
Wildcard Table ACL (*.read)
ACL Evaluation Order in ServiceNow:This ensures that specific rules take precedence over general rules for enhanced security.
Example of ACL Evaluation in Incident Table:ACL Rule Type
Example ACL
Evaluation Order
Field-Specific
incident.short_description.read
First (Most Specific)
Wildcard Field
incident.*.read
Second
Table-Level
incident.read
Third
Wildcard Table
*.read
Last (Most General)
A. Field-level - most general to most specific; then Row-level - most specific to most general❌ Incorrect – Field-level ACLs are not evaluated first; table-level ACLs are checked before field-level.
B. Table-level - most specific to most general; then Row-level - most specific to most general❌ Incorrect – "Row-level" is not a correct term in ServiceNow ACL processing.
D. Field-level - most specific to most general; then Table-level - most specific to most general❌ Incorrect – Table-level ACLs are always evaluated before field-level ACLs.
Incorrect Answer Choices Analysis:
ServiceNow Docs – Access Control Evaluation Order???? How ACLs Are Processed
ServiceNow Docs – Managing ACLs in ServiceNow???? Best Practices for ACLs
Official ServiceNow Documentation References:
Conclusion:The correct answer is:✅ C. Table-level - most specific to most general; then Field-level - most specific to most general
This ensures that general table permissions are granted before checking field-level access, following a structured and secure approach to access control in ServiceNow.