NJP

#11 #ServiceNow System Administration Training | Access Control List | ACL

Import · Jun 28, 2020 · video

In order to subscribe to my channel, please click here or click here. Please share, comment and like my videos and channel. Hello guys, welcome to SAS World ServiceNow. This is ServiceNow system administrator training and this is part 9. This training has been recorded in the Orlando version of ServiceNow. Before we start the training, let me show you the topics of this complete training. In this ninth part of the training we will talk about ACLs in ServiceNow, access control lists, which are also called ACL. ServiceNow has different levels of security to access data in ServiceNow; this accessibility of data can be controlled with the help of ACLs. In this section we will learn about ACLs in ServiceNow, types of permissions in ServiceNow, how to define access control for tables and fields, and we will also try to create new ACLs in ServiceNow in my personal developer instance.

Types of permissions. ServiceNow provides different levels of security for a user before he takes any action in the system. The first security is logon, which is basically controlled on the basis of user, group and roles. Login is also the first level of security, which is mandatory: the user has to be authenticated before interacting with the UI of ServiceNow. The next level of security we have is applications and modules. Once a user is logged in, the next level of security is visibility of applications and modules, which is on the basis of roles assigned to the logged-in user. Tables and records: if a user has access to the modules, he can also see the list of records for a particular table; however, those records will only be visible and editable if the user has the required access. These accesses for tables and records are based on ACLs, which are also called access control lists.

What is access control? Access control is a kind of security rule which is defined to restrict the permission of a user to interact with tables and records, moreover the data we have in ServiceNow. It is the highest level of security which can be applied: at table level, at record level, which is called row-level access, and then we have field level, which is called column-level access.

Operations restricted. There are a number of operations which can be restricted with the help of access control rules for users, like CRUD operations, which are the basic operations for any database. CRUD is basically: create operation, users cannot create the record if restriction is applied; if they have access they can create the record, so that's called create operation. Then we have read: users cannot read the record or field if restriction is applied. Then we have update operation, in which users cannot update or edit records or fields if restriction is applied. And then we have delete operation, and that's how it makes CRUD. Now in delete operation, the user cannot delete the record if restriction is applied. So as I mentioned, these are the basic operations of any database: users can do create, read, update or delete. With these CRUD operations we also have some ServiceNow-specific operations. So you can apply these restrictions on your different records and fields in ServiceNow, but you can also add some actions, operations specific to ServiceNow. That is execute: that means if restriction is applied, users cannot execute a script on a record. Then we have edit CI relations: with this, users cannot add relationships in CMDB. Then we have save as template: ServiceNow has a template functionality; if you apply this restriction then users cannot see that field to be available to create templates. So you can create templates for different fields on a particular table, but if you apply that restriction that only specific users should use that field for a template, then it will be applied like the same and users cannot use those fields for save as template. Then we have report on: users cannot create reports. And then we have personalize choices: users cannot right-click on the field and configure choices of the field. So if you apply some restrictions related to personalize choices, then they cannot right-click on the field and configure the options you have for choice fields. So these are the operations which you can apply in ServiceNow with the help of ACLs.

Security modules. ServiceNow provides three modules where you can do configurations for security permissions of the platform. The first one is the Security module, which is under System Properties, which has different properties to configure the security of the platform. Then we have High Security Settings, which has properties to configure high-level security permissions of the platform, and this module is available under the System Security application. The second module we have under System Security is ACL, where you will find the list of different security rules on your instance tables, and as I mentioned this application is available under the System Security application. So whenever you have to create some rules for different tables, for different records, and you have to put some security, you have to put some constraints for different users and you get the requirement from your customers, in that case you can create access controls.

Access control list. An access control list is a list of defined rules which are called access controls. These rules are created at table, record and field level. If you are a ServiceNow administrator you can create or modify these rules; however, you also need to elevate your access to high security to work on the access control list rules. I will show you later how exactly you can enable the elevated access, but to elevate the access you should have the security_admin role.

Access control form and fields. This is the access control form which you will see while editing or creating rules in ServiceNow. The important fields of access control are: Type of ACL, where you select what type of ACL this is. Most developers and admins use the record type; however, you can also use other types like REST endpoint, which is used for integration ACLs. The next field we have is Operation: in this field you select for which operation the ACL is being applied, read, update or the others which we talked about earlier. Then we have Admin overrides: this checkbox will always allow admins to perform the operation regardless of any condition mentioned in the ACL, which means it will override the ACL. So if you want admin to perform the action regardless of the condition you mentioned in the rule, then you have to check this box, but if you want to apply that security rule for all the users, even if he has admin access, then you can uncheck this box. Then there is the section where you select the table and object you want to apply the ACL to, and this is the important part here: you have to select the table on which you want to apply this ACL, and then you have to select the object. Now, what these objects are, we will talk about later. Then we have Description: here you mention the details of the ACL which you are going to create. The permissions provided by an ACL are based on three conditions, which are mentioned in three sections: Required roles, Condition, which is mentioned here, and then you have the custom Script, so you can write custom code if you cannot achieve it with the help of required roles or condition. Then we have the execution plan: if you click this button you will see a pop-up which will show the execution plan, what kind of access you have on this particular ACL, what kind of ACLs have been applied; that is something you can see here.

ACL rule types. Now here I was talking about the important section where you mention exactly which particular element, which particular object has to be configured for rules, for security. So while creating an ACL you need to provide the name, where you specify which objects need to be restricted. You have three types of ACL which you can apply. One is table.none: that means you select the table and you don't select anything in the second field. This type of rule is applied on the whole table which is selected, with all the records. So if you want to apply a security constraint for any particular table, in that case you can create this kind of ACL. Then we have table.* (star or asterisk): if you select a table, like incident, and in the second field you select star, that's another option you will see. This type of rule is applied on every field of the table. So for example the user has access to the table, but if you don't want the user to see all the fields, that is something you can do with table.*. Whatever code you write, whatever condition you write, whatever required roles you select, it will be applied accordingly for all the records of that table. And lastly we have table.field, in which the rule is applied on a specific field of the table. So for example the user has access to the table and all the records, but you want to apply rules on specific fields, and you don't want those two fields visible, maybe with some kind of rules; in that case you can create this kind of rule as well.

Let's see these ACL rules in detail. In table.none, all the users who qualify the condition mentioned in the ACL can see all problem records. If they don't have access, or they don't match the conditions mentioned in the ACL, then they can't see those records; that means they will not have access to the table. Then we have table.*: in table.*, all users who qualify the condition mentioned in the ACL can see all problem record fields. So they can see the problem records, and at the same time they can see all the problem record fields, and they will have all the access. And then we have table.field: in table.field, all the users who qualify the condition mentioned in the ACL can only see the data in the field selected in that particular access rule, and if they don't have access, and if they don't match the condition which is mentioned in the ACL, then they will not be able to see that particular field value available in that particular field. And the best part of ACL, let me tell you, is that it is also applied in reporting. So if a user is not able to see the data on the form, they cannot see the data from reporting as well. And that's why we say that ACLs are the highest level of security you can apply in ServiceNow.

How ACL works. Let's take an example: a user tries to log into ServiceNow and he tries to access a record. But before ServiceNow shows that record data to the user, it processes something in the backend: it tries to find an ACL for the same object, and also tries to find the matching rule. So whatever object the user is trying to access, the system first checks: do I have a similar kind of access rule for that object? If the answer is no, the system did not find any matching rule, any kind of ACL for that object, then access is granted to the user; that means the user can access that data. But if a match is found, that means the system found that yes, there is a matching rule in the system for that particular object, then it will evaluate the ACL. So whatever condition it has in that particular ACL, it will try to evaluate, and then it will pass the ACL; that means yes, I have found it, it will evaluate. So if it is passing the ACL then it will grant the access: if the user is able to match the condition which is mentioned in the ACL, then it will grant the access. And if it is not passing the ACL, that means the condition which is mentioned in the ACL is not as per the user's role, maybe the user's group, or whatever condition is mentioned in the system, then it will not grant the access; access will not be granted to the user and the user will not be able to see the data which he is trying to look for. So that's how ACL works in ServiceNow.

Now let me take you to my personal developer instance and I will try to create some records, and I will show you how ACL works. I will show you the ACL module as well. This is my personal developer instance. As I mentioned earlier, the first level of security in ServiceNow is login, so the user has to be authenticated and log into ServiceNow before he accesses the data. So let me log in first: I will enter the username and the password and press Enter. Now, as of now I am an administrator, so I can see basically all the data which I am allowed to see. So let me show you the ACL module first. In the Application Navigator I will type "access control"; if you just type "con" you will automatically get it under System Security, you will find this module. If you click on this Access Control you will see the list of all ACLs created, all the rules applied and created for various tables of your instance. Now if I search for the incident table, for example: before that I will do one thing, I will check if I can select the table, but I have to do it in the name, so I will go here and I will mention maybe "incident". Yep, so I have this incident. Now all these rules which you can see here, these rules are basically applied for incident management, the incident table, and these are the ACLs for the incident table and records, and you can see we have operations like read, delete, create, execute, write. We can also group them: if I click here and group by operation, you will see the different types of ACLs that have been created for incident management. Now, as of now you can see I am not getting this New button here, but you can get it. How? If you remember, I told you that in order to do that you have to elevate your access. Now in order to elevate the access you should also have the security admin role. So let me see: if you click on your profile here you will see this Elevate Roles; that means I do have that particular role to enable it, that means I have the security_admin role. So if I click here I will see this option; I have to check that box, and if I click on OK you will see the difference. Now you can see I'm getting this Access Control New button. That means in order to enable this New button, in order to work on access control, you can see the data, you can read the data, but if you have to create new rules, if you have to edit some existing rules, in that case you have to elevate the role first, and only then you can create new ACLs and edit any ACLs you have in your instance.

Now let me show you some security rules which automatically get created when you create a table. I will go to the Tables module. Here I have Tables, I will click on this module, I will get this New button, so I will click New and I will create a random table, maybe I will call it ACL demo; press Tab, the name will be selected. I don't want to extend from any other table, and I will not create any module for now, I will just uncheck this. Then I will just create a few fields, maybe just one field for now, or maybe two; let's create two fields. One is maybe test1, I will save this, I will put it as a string type, the type will be string, and then I will put test2 and I will make it a string as well. Now I am saving this table, but before that let me show you some other options as well. I have here Controls, and you can see it says Create access controls. Now you can select any new role you want; that is something you can do, you can select the role here, and if you want to create access controls you can check this box, or if you don't want to, you can uncheck it. As of now you can see I will create a role here and I can add as well; you can also select different roles if you want. As of now it's just giving me this, so maybe I can uncheck it if I want, or keep it checked, but let's see what exactly will happen. Then I have Application Access, that's just configuration to access the data for this table, so as of now I will just keep it as it is and I will save it. So what difference will you see? You will see that we have this role, and I will just click on Save. Now once you click on Save, this table will be created; however you will see some extra records, and as I mentioned, some of the access rules will be created automatically with all those four CRUD operations: create, read, write and delete. So these are the four ACLs which will be created automatically. Let me open one of the ACLs here: if I open this ACL, this is the ACL record, that means the access control rule which automatically got created. You will see the same role here, not any other condition; that is something we have not applied as of now, because this is automatically created by default when you create any table and when you check that box, you get those ACLs automatically applied with the role here. Now let's create another table and see if these records are created or not. But basically we have four access control rules and they have this particular role. Now what exactly does it mean? It means the user who has this particular role can create the record, can update the record, can delete the record; that is what you can do in this table. If the user doesn't have this role then they cannot. So let me create another table first: I will go to Tables and I will click on New, and now I will just name it maybe ACL demo second; this is the second table we are creating. Press Tab, I don't want any module right now, and I will just click on Columns and I will mention here test1 and then I will give the type as string, and then I will mention test2 and here I will make it a string again. Let's find this one, and in Controls I will uncheck this box and I will save it. Let's see what happens. As I have unchecked this box and I have saved the table, you can see it has not created ACLs automatically, and with that rule as well no rules have been applied. Now in this case you have to add custom rules, because it has not added any role automatically.

Now let me show you how exactly this works. Maybe I will do one thing: in another browser I will open the same instance but I will impersonate a different user, or maybe I can show you in this particular session as well. So let me do that first. In that case I will maybe create a module of this particular table. For that I will maybe create another table, or maybe I will just add this particular module in any application, maybe in Self-Service. So I will click on this and I will create a new module. I will go here and I will set the link type to List of Records, and here I will select the table which we have just created, so I will type "ACL"; I'm sure I will get that table. So we have this demo and demo second, and we will create it for both the tables. As of now I'm not adding any kind of role to access the module. I will just put here maybe 10,000, and for the title I can give maybe "demo ACL", and submit it. It is submitted, that means that module is created. Let's see. As of now I think it's not added, but we will see, I'm sure it should be there. Yep, we have it here: demo ACL. I think we wanted to add it at the top, but it is at the bottom; that's fine, that is still okay. Then we have demo ACL second: I can add here List of Records, I can select ACL, I will select this table, I will go to Visibility, nothing, and I will just click on Submit. Now I am logged in as an administrator, as you know, so I have this particular module here. I don't have any records, but I have access to create the records here; I have this ACL, so I can create anything I want here, I can submit it and I can see the records. Now if I go to the top, I have this demo ACL second; if I click here, here also I have create access, you can see, and I can create the record. So maybe I will just do like this and I can create the records here. But let me impersonate any other user: I will click on Impersonate and let me impersonate the ITIL user. If I go here now I can't see the table, the module basically which we created. If I click here you can see I cannot access it, because there was no security rule, so I cannot access this table anymore. And if I go to the bottom and click here, let's see the difference here as well: because I don't have that role which was assigned to this particular table.

Now how can I get access to this table? For that I have to end the impersonation, and now I have to go to ACL. Before that, because we already have four ACLs for the demo ACL table, that means the ACL demo table we created, we have those four ACLs, so let's see if I can access that data. For that what I can do is go to this user.list and I will access that user first. So I have ITIL here, I have this ITIL user; I will add that role to this user. Now if you remember the role we had, I think ACL, yep, we have this role, so I will just add it. So I added this role to the user; now let's see if this user can access this particular module's records, that means the table records. So I will impersonate: I will go to ITIL user, I will impersonate ITIL user. Now let's see: if I go a little bit to the bottom, I can see it; yeah, you can see that I can see these records. Initially I was not able to do that, but now I can see them. Now let's change something else. I can see both the fields, the data we have in both the fields, I can see that. Let's say I want to hide this particular field data from this user specifically, or maybe I just want to show this data to specific users. In that case what I will do: I will first end the impersonation. If you get this requirement from your customer that you have to hide the data and you have to put some constraint for specific fields, in that case I will go to this table first. How will I do that? I will go to the list first, go to Security. We have the security rules; as of now, you know we have just those four security rules for this particular table. Now this is just for all, that's the reason nothing is here.

So let me show you that. We have those four rules here. What I will do: I will first elevate the role, click on OK. Now why did we not have that elevated role? Because that's session-based, so the session is gone; there's a limited time and I have to enable it again. So I will click on create New. I'm going to create a new access control rule for a table, so in that case it will be record level, and I will do read here. I will add that particular table, so that is ACL; if I select that, let's see, yep we got it, ACL demo, and here I will select one of the fields, test2. So maybe I don't want to show the test2 field to a few users; in that case what I will do is mention that only admin people can see that field data. If I click on Save, it is applied, done, and I can click on Continue; it is done. Let's see if it works or not. I will go to Impersonate and I will go to ITIL user, and if I go a little bit to the bottom and I go to demo ACL, you can see now I cannot see that field anymore. I can't even access that data even if I open the form; let's see if I am able to see that: you can see I'm not even able to see that field anymore, the data in that field. This is how you can apply the ACLs, and it has really great power. So if you want really good security rules to be applied, always use ACLs if you want to restrict some data in ServiceNow. That's best when you have some sensitive data, because you might have multiple users logged into your instances, so in that case if you have a critical requirement from your customers, from your clients, in that case you can apply that rule. So this is how you hide the data from different users, for your customers and clients, and that's how you apply ACLs.
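The decision flow the training describes (find the rule for the object, grant when nothing matches, otherwise evaluate required roles, condition and script, with admin override on top) can be written down as a small model, and doing so makes the table.none / table.* / table.field hierarchy and the end-of-video test2 rule concrete. The block below is an added example in JavaScript, not code from the video and not ServiceNow's own engine: the table name x_acl_demo, the role x_acl_demo_user, the condition and script bodies, the records and the users are all constructed for the demo, and the platform's script objects (gs, current, answer) are not used. One assumption of the model is labelled in the comments: a field-level read first requires passing the table-level read rule, which matches what the ITIL user saw once the role was added and the test2 rule was in place.

```javascript
// Added example, not code from the video or from ServiceNow: a model of the ACL
// decision flow described in the training. Rule names follow the ACL form
// (table.none, table.*, table.field); x_acl_demo, x_acl_demo_user, the records
// and the users are constructed for this demo. The `condition` and `script`
// properties stand in for the Condition and Script sections of the ACL form.

// A user is a name plus a set of roles.
function makeUser(name, roles) {
  return { name, roles: new Set(roles) };
}

// One rule per (object, operation). Required roles: any one of them suffices.
// adminOverrides is the "Admin overrides" checkbox on the form.
const rules = [
  // The four CRUD rules that "Create access controls" generated for the demo table.
  { name: 'x_acl_demo.none', operation: 'create', roles: ['x_acl_demo_user'], adminOverrides: true },
  { name: 'x_acl_demo.none', operation: 'read',   roles: ['x_acl_demo_user'], adminOverrides: true },
  { name: 'x_acl_demo.none', operation: 'write',  roles: ['x_acl_demo_user'], adminOverrides: true,
    // Constructed script condition: only the user who opened the record may edit it.
    script: (user, rec) => rec.opened_by === user.name },
  { name: 'x_acl_demo.none', operation: 'delete', roles: ['x_acl_demo_user'], adminOverrides: true,
    // Constructed condition: closed records cannot be deleted.
    condition: rec => rec.state !== 'closed' },
  // The field-level rule created at the end of the video: only admin reads test2.
  { name: 'x_acl_demo.test2', operation: 'read', roles: ['admin'], adminOverrides: true },
];

// Pick the most specific matching rule: table.field, then table.*, then table.none.
function findRule(table, field, operation) {
  const names = field ? [`${table}.${field}`, `${table}.*`] : [`${table}.none`];
  for (const name of names) {
    const rule = rules.find(r => r.name === name && r.operation === operation);
    if (rule) return rule;
  }
  return null;
}

// Evaluate one rule: admin override, then required roles, then condition, then script.
function passes(rule, user, record) {
  if (rule.adminOverrides && user.roles.has('admin')) return true;
  if (rule.roles.length > 0 && !rule.roles.some(r => user.roles.has(r))) return false;
  if (rule.condition && !rule.condition(record)) return false;
  if (rule.script && !rule.script(user, record)) return false;
  return true;
}

// Record-level decision as the video describes it: no matching rule means the
// operation is allowed; a matching rule must pass.
function canAccessRecord(user, table, operation, record) {
  const rule = findRule(table, null, operation);
  return rule === null ? true : passes(rule, user, record);
}

// Field-level decision (assumption of this model): the user must first reach the
// record, then pass the field rule (table.field or table.*) if one exists.
function canAccessField(user, table, field, operation, record) {
  if (!canAccessRecord(user, table, operation, record)) return false;
  const rule = findRule(table, field, operation);
  return rule === null ? true : passes(rule, user, record);
}

// Fields a user may read. Reports go through the same check, so a field hidden
// on the form is hidden in reporting as well.
function visibleFields(user, table, record) {
  return Object.keys(record).filter(f => canAccessField(user, table, f, 'read', record));
}

// Constructed sample data.
const record = { test1: 'public value', test2: 'sensitive value', state: 'open', opened_by: 'itil' };
const admin = makeUser('admin', ['admin']);
const itil = makeUser('itil', ['itil']);                            // before the role was added
const itilWithRole = makeUser('itil', ['itil', 'x_acl_demo_user']); // after adding the role

console.log(visibleFields(itil, 'x_acl_demo', record));         // []
console.log(visibleFields(itilWithRole, 'x_acl_demo', record)); // [ 'test1', 'state', 'opened_by' ]
console.log(visibleFields(admin, 'x_acl_demo', record));        // [ 'test1', 'test2', 'state', 'opened_by' ]
```

Run it with node. The three printed lines reproduce the three states seen in the video: the ITIL user without the role sees nothing, with the role sees every field except test2, and admin sees everything because Admin overrides is checked. A table with no rules at all (x_acl_demo_second in the model) returns true from canAccessRecord for any user, which is the "no match, access granted" branch of the flow; real instances carry wildcard rules as well, so that branch is rarely hit for a whole table in practice.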

Original source: https://www.youtube.com/watch?v=xt23t0uvwKQ