NJP

#1 How ACL works in ServiceNow | How to create ACL in ServiceNow

Import · Feb 15, 2021 · video

[Music] Please subscribe to my channel and click on the bell icon to get the regular updates of my channel, and do not forget to like, comment and share. Hello everyone, welcome to SaaS with ServiceNow. Every platform should have a security model to make sure that the different types of data available in the platform are visible to authorized users only. ServiceNow also has its own security model for data security, which is managed via ACLs in the ServiceNow platform. This tutorial is divided into two parts. The first part is this video, in which you will learn what ACLs are in ServiceNow and how they get processed when a user accesses any object in the platform. The second part is another video (the link is mentioned in the description) in which you will learn the creation of different types of ACLs in ServiceNow practically, with examples.

What is an ACL and what are ACL rules? ACL is Access Control List, which is a list of access configurations for different elements in ServiceNow like records, tables and fields. ACL rules are configurations defined in each ACL to restrict access for the elements in the platform or to provide access to the users. As an example, security incidents created in the incident table should not be visible to all IT users except security teams. In ServiceNow, if no ACL is created or found for any table or object, then the user will have access to the table or object. In order to provide access to the right users you need to create ACLs. ServiceNow already has some ACLs which restrict access to different tables and objects, so there is a rare possibility that no ACLs are available in the system for any object or table.

Components of an ACL: when you create an ACL rule in ServiceNow you provide three inputs. The first one is the object, which is the element of the ServiceNow platform, like a table or field, on which you want to restrict access for the users or you want to provide access for the users. The second is the operation, which is the type of operation you want to restrict or provide access to on the selected table or object for the users. And the third one is the permission, which is required by the user to get access to the object or table. ServiceNow has a table to track all access controls, in which you can create new ACLs or edit existing ACLs. You can see the out-of-the-box module ACL under the System Security application, which shows the list of out-of-the-box ACLs; however, you can create new ACLs as well, as per your requirement.

ACL form: when you open a new record of ACL the form looks like this, which has fields like Type, where you can select the type of ACL you want to create, like record type or UI page; these are basically the type of object on which you want to apply the rules. Next is Operation, which you can select to specify what operation you want to restrict or enable for the users. Next is Admin overrides: you can check this check box to override the access applied by the ACL rule. If you have any ACL created and this check box is checked, then the security rule mentioned in the ACL will not be applied to ServiceNow admins, or the users who have the admin role. Next is Name, in which you can select the object, as table and fields, on which you want to restrict or provide access to the users. Once you are done with these configurations, then the ACL provides you three places where you can mention which user, and how a user, should have access to any particular object or table and its records. The first one is Requires role, in which you can select the roles you want to give access to; if a user has that role then the user can access the same table or object, else not. The second is Conditions, in which you can select the fields on the selected table to apply the condition to provide access to the users, which is also mentioned maybe in the requires roles, or even when a role is not required; but if a role is not mentioned, even in that case the people who can access should definitely meet that condition mentioned in this Conditions field. And the last one is scripting, which can be enabled when you select Advanced, and you can write a script in JavaScript in this Script field, which will be populated once you check this Advanced checkbox. Now this script should always return true to provide access to the user as per the logic mentioned in the script.

ACL evaluation: if an ACL is available for any object or table, then it is evaluated for logged-in users. As I mentioned, we have three places for evaluation: requires roles, conditions and a script field. One of the important points of ACLs is that if you have mentioned values in all these three places, then all three should return true to provide access for the operation selected in the same ACL. Let's say you have a user who wants to access records of a table. When the user tries to interact with the table via form or list, then the system searches for ACLs. If ACLs are not found, then the user will be able to access the table records; however, as I mentioned earlier, this will be a rare situation when you don't have any ACL for any object or table in ServiceNow. When ACLs are found, then it starts evaluating each ACL, and in each ACL it will look for those three places. The first evaluation is performed for the role of the user accessing the table or object: if the user does not have the same role mentioned in the ACL, then the user will not be able to access the table records. If the user has the same role, then it evaluates the condition (that's another piece, that's another section), so it evaluates the condition mentioned in the ACL configuration, and if the ACL condition does not match, then the user will not be able to access the table records. The last evaluation is the script, in which the script logic is evaluated, and if the script returns false as per the logged-in user, then the user will not be able to access the table records. So whatever condition you have provided, maybe you have provided the condition as per the logged-in user, maybe you have provided any other custom logic as per the script; in that case if it does not return true then the user will not be able to access records, and if this script returns true then the user will be able to access all the records. So overall, in order to provide access to the user for any object or table in ServiceNow, the evaluation of all these three places mentioned in the ACL should always return true; if all of them are mentioned in the ACL then they should all return true, else the user will not be able to access the records.

Object types in ACL: you have different types of objects on which you can apply the ACLs. Record-based objects, which restrict or provide access for the records in a table in ServiceNow to the users; UI pages, which can restrict access for the UI pages or provide access; you can also restrict or provide access for client-callable script includes and processors. As a developer you will mostly use record type ACLs in ServiceNow, and in this video we will majorly learn about record type ACLs. In a record type ACL you select Type as record while creating a new ACL, and then you select Name, in which you select the table on which you want to apply that ACL, and you also select the field on which you want to apply that ACL. Overall, these tables and fields are the objects on which you want to restrict or provide access to the different types of users of the system. In a record type ACL you also select the operation. Let's see the different types of operations which are available in an ACL, which you can select while creating a new ACL. The first one is execute: if you select execute as the operation, then the user cannot execute any script on a record or UI page. Next is create: if you want to restrict users from creating new records in a table, and they should not see the New button on the list view of the table, then you can select the create operation. Next is read, which is selected to restrict or provide read access for the records and fields. Then you have the write operation, which is selected to restrict or provide access, basically edit access, for records and fields of a table. Then you have the delete operation, which is selected to restrict or provide delete access for records and fields in a table; so if you want to restrict a few users so that they cannot delete a table or delete the records of the table, in that case you can definitely select the delete operation. Next is edit task relations, which restricts access to edit task relationships. Then you have edit CI relations, which restricts access to edit CI relationships. Then you also have save as template: now in ServiceNow you can create templates, and if you want to restrict a table or a field from being used as a template, then you can use this operation. You also have add to list: so if you want that users cannot view or personalize specific columns in the list, in that case you can select this operation as well. And another one is list edit, which basically restricts access to edit any list view. So we have multiple records in a list of the table; in that case, if you don't want users, or a few users, to edit that list, maybe edit any field, in that case you can definitely create this kind of ACL. Like that, overall, you can select the operation. And then we have report on and report view, which will basically restrict access for reporting on tables.

In record type ACLs you have two different types of ACLs: one is the table ACL, which is applied at table level, and another one is the field ACL, which is applied at field level. Now both types of ACLs are applied in sequence as per the availability of that particular ACL. Even table ACLs and field ACLs are of different types, so now we will see how table and field ACLs are applied with an example, and then we will see the different types of table and field ACLs, which are also applied together in sequence. But in this example we will focus on table and field ACLs together, on how exactly they are applied, and then in further slides you will see that we will talk about how exactly the different types of ACLs are also applied in sequence. So let's say any particular user wants to interact with the table, meaning he wants to access the records of any particular table; now in that case the system looks for table and field ACLs which are created for that particular table which the user is trying to access. Now if both are passing, then the user should be able to access records of that particular table. And if none of the table ACLs are passed, however a field ACL is passed, in that case the user will not be able to access the records of the table, as the table ACL is a must to get access to the records. Let's say one of the table ACLs is passed, however one of the field ACLs is not passed; then the user will be able to access the records of that particular table, however the field on which the ACL is created will not be accessible to the user. The user will not be able to access it, and it depends on the kind of operation you select: maybe if you have created a read ACL, in that case if you have selected the read operation, the user will not be able to read that field, the value available in that field, on all the records of that table; however the user can still read all other fields of the different records we have in the system. This is how table and field ACLs are evaluated in the platform.

Table ACLs: there are three types of table ACL in ServiceNow, in which no field value is selected and it is kept as none while creating it. Starting with table.none, which is applied on the same table which the user is trying to access. Next is parent table.none, which is applied on the parent table of the same table which the user is trying to access. If I give you a quick example, let's say incident: if the user is trying to access the incident table, now the incident table is basically inherited and extended from the task table, so in that case the system will also look for the ACL available on the task table as well. And the last one is *.none, which is applied on all tables of the instance. So these are three different table ACLs. Then we have field ACLs, in which a field is also selected with the table to provide access or restrict access on that particular field of a table. The first one is table.field, which is applied on one field of a selected table which the user is trying to access. Next is parent table.field, which is applied on one field of the parent table of the main table on which access should be applied. If I give you an example, we have a few fields, let's say short description on the task table. Now short description is definitely inherited; if I talk about the incident table, it is available in incident as well because it is inherited from the task table. So whatever ACLs: if you don't have any ACL on incident level for short description, and if you have any ACL on, basically, a parent table, in that case that will be evaluated. So that's how this sequence works. And then we have *.field, which is applied on one field of all tables of the system, like sys_created_on, which you can find in each table of ServiceNow. And then we have table.*, which is applied on all fields of the selected table which the user is trying to access; let's say you don't want to provide access to all the fields for specific users, in that case you can create this kind of ACL. Next is parent table.*, which is applied on all fields of the parent table of the main table on which access should be applied. And the last one is *.*, which is all fields of all tables of the system.

Now all these different table and field ACLs are evaluated in order. Let's understand this with an example. You have a table in ServiceNow which a user wants to access, and this table has a parent table as well. When the user tries to access the records of this table, then before the system presents that data to the user, it processes and evaluates ACLs related to that table. This process starts with a search of ACL rules available for the table and its parent table. If the main table does not have a parent table, then ACLs of the parent table will not be available for evaluation; that means only child table ACLs will be evaluated, or maybe all-table ACLs. Now in this case, if ACLs are found then it checks for table ACLs first. So when a user tries to interact with any table and access the records, before data is presented it always looks for the ACLs, and if ACLs are found it checks first whether table ACLs are available or not. Overall we have three different table ACLs: table ACL, parent table ACL and all-table ACLs. Now table ACLs are evaluated first if they are available, then parent ACLs, and then all-table ACLs; that's the sequence of evaluation. So if a table ACL is available then it will be evaluated first; if a parent table is available then it will be evaluated; then, let's say the table ACL is also not available, then it will evaluate the parent table. That's how this whole evaluation basically works, in sequence. Now if the system finds a table ACL and it evaluates to true, however the other two ACLs don't basically evaluate to true, that means they're not passing the permission for the logged-in user, in that case the user will be able to access the records, as the child table ACL will always mask the ACLs of the parent table. So whatever ACLs you have written, you have created for the parent table, if the child table is basically giving the permission to the logged-in user then the user can access the records of that particular table. Now if the child table ACL is not available and the parent ACL and all-table ACLs are available, in that case the system will evaluate them, because the child table ACL is not available. Now if the parent table ACL evaluates to true and the all-table ACL, which is star, basically evaluates to false, then the user will still have access to the records of the table, because in this case the parent table ACL will definitely mask the all-table ACL. And if an all-table ACL is found and it evaluates to true, so let's say we don't have a child table ACL, we don't have a parent table ACL, in that case if the all-table ACL is found and evaluates to true then the user will have access to the table records. Now if the child table ACL is available and it does not pass the permission, and the parent table ACL passes the permission, so overall we have three ACLs: the table ACL, that is the child table ACL, is not passing the permission for the user, but the parent table is passing the permission, and the all-table ACL is also not passing the permission; in that case the user will not be able to access the records. The reason behind it is that the child table is not allowing it, so the user doesn't have that permission; so in that case, even if the parent table is giving the permission, the parent table ACL, in that case if the table ACL is not giving the permission then the user will not be able to access the records of that particular table, that means the child table.

Now, as of now the data is still not presented to the user, because it is still basically processing the whole evaluation in the back end. Now once the table evaluations are done, then the system will look for field-level ACLs and it will evaluate field ACLs, and that is also in sequence. Now this starts with the ACL of fields of the child table, that is table.field. If a single-field ACL is available then it is evaluated first, then the system evaluates the ACL of the parent table and then any-table ACLs, and you can see the sequence as well. If a single-field ACL is not available then it looks for all-field ACLs for the main table, parent table and all tables as well. If the system passes any single-field ACL then the user will be able to access records, all records, including that field as well, because the system is passing the ACL. Now if the single-field ACL is not passed then the user will be able to access the records, however the user will not be able to access that one field which is selected in the ACL. And if single-field ACLs are not found then it will look for all-field ACLs, and if they also evaluate to false then the user will not have access to all records of the table. If it is passed, so let's say all these ACLs are passed, or maybe your system may have found one of the ACLs, in that case the user will be able to access all records of the table with all fields. Now if there are two similar types of ACLs created, then the user will be able to access records if at least one ACL returns true. So let's say you have any particular table; in that case if you are creating two similar types of ACL and both are, let's say, read, now if the logged-in user may be asked for the evaluation, if the user is basically passing at least one ACL, in that case your user will be able to access the records of that particular table, depending on the type, basically other types of ACLs as well, like field-level ACLs or other ACLs as well.

In the next video you will learn about creating different types of ACLs practically in my personal developer instance. Please provide your comments for any question or feedback, and if you think I'm able to change your learning experience in the ServiceNow platform, then do not forget to like and share the video and subscribe to my channel. Thanks for watching.
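The evaluation order the video walks through (table ACLs looked up as table.none, then parent table.none, then *.none, with the most specific level masking the rest and any one passing ACL at that level being enough; then the same walk for table.field and table.* ACLs; and within one ACL, role, condition and script all having to pass) as an added JavaScript model. This is example code written for this page, not ServiceNow's own implementation; the table hierarchy, roles and ACL rules are constructed, and treating "requires role" as satisfied by any one of the listed roles is a modelling assumption.

```javascript
// Added example: toy model of the record-ACL evaluation order from the video.
// Not ServiceNow code; the hierarchy, roles and rules below are constructed.
const PARENT = { incident: 'task', problem: 'task', task: null };

// Lookup chain for a table: the table itself, its parents, then '*' (all tables).
function chain(table) {
  const out = [];
  for (let t = table; t; t = PARENT[t]) out.push(t);
  out.push('*');
  return out;
}

// One ACL grants access only if role, condition and script ALL pass.
// Each part is optional; "admin overrides" skips the rule for admins.
// Assumption: holding any one of the listed roles satisfies "requires role".
function aclPasses(acl, user, rec) {
  if (acl.adminOverrides && user.roles.has('admin')) return true;
  const roles = acl.roles || [];
  if (roles.length && !roles.some(r => user.roles.has(r))) return false;
  if (acl.condition && !acl.condition(rec)) return false;
  if (acl.script && !acl.script(user, rec)) return false;
  return true;
}

// The most specific level that has matching ACLs masks the less specific ones;
// within that level one passing ACL is enough. null = no ACL found anywhere.
function decide(acls, table, field, op, user, rec) {
  for (const t of chain(table)) {
    const found = acls.filter(a => a.table === t && a.field === field && a.op === op);
    if (found.length) return found.some(a => aclPasses(a, user, rec));
  }
  return null;
}

// Record access uses table ACLs (field 'none'); no ACL at all means allowed.
function canAccessRecord(acls, table, op, user, rec) {
  const r = decide(acls, table, 'none', op, user, rec);
  return r === null ? true : r;
}

// Field access needs record access, then the table.field chain, then table.*.
function canAccessField(acls, table, field, op, user, rec) {
  if (!canAccessRecord(acls, table, op, user, rec)) return false;
  let r = decide(acls, table, field, op, user, rec);
  if (r === null) r = decide(acls, table, '*', op, user, rec);
  return r === null ? true : r;
}
const ACLS = [ // constructed sample rules
  { table: 'task', field: 'none', op: 'read', roles: ['itil'] },
  { table: 'incident', field: 'none', op: 'read', roles: ['itil'], adminOverrides: true,
    condition: rec => rec.category !== 'security' },          // hides security incidents
  { table: 'incident', field: 'none', op: 'read', roles: ['security_team'] },
  { table: '*', field: 'sys_created_on', op: 'read', roles: ['admin'] },
];
```

With these rules an itil user reads network incidents but not security ones, the security team reads security incidents through the second incident ACL, a problem record falls through to the task.none rule, and sys_created_on is hidden from everyone but admins while a field with no ACL stays readable.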

View original source

https://www.youtube.com/watch?v=egT4oJQzfJ8