Deny-Unless ACL

Pathways Consulting Group · Nov 25, 2024 · article

There’s a hidden gem in the Xanadu release of ServiceNow: the deny-unless ACL. It’s easy to overlook updates to core functionality like access control lists (ACLs), but this one is worth your attention. It greatly simplifies and streamlines ACL configuration for specific business cases, so you can enhance your system’s security and efficiency with far less effort.

Consider the following requirements.

  • Create a new role called “incident-VIP”.
  • Only allow users with the incident-VIP role to update incidents submitted by, or on behalf of, users that are flagged as VIPs.

Out-of-the-box, there are four record-level write ACLs for the incident table. Each one grants write access to some or all incidents based on different criteria.

Prior to Xanadu, the conditions of each of these ACLs would need to be modified so that they would not apply to incidents for VIPs. Then, between one and four ACLs would need to be created to grant write access on VIP incidents to the incident-VIP role, depending on how much of the existing access configuration should be preserved for VIP incidents.

Let’s take a look at how that would work with one of the ACLs.

The required updates to the existing ACL are highlighted in yellow.
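To compare the two approaches side by side, here is an added example (not the article's or ServiceNow's code) that models record-level write evaluation in plain JavaScript. It assumes that every deny-unless ACL must pass before at least one allow-if ACL can grant access; the four base criteria, the `itil` role check, the field names, and the sample users and incidents are constructed stand-ins.

```javascript
// Added example: simplified model of record-level write ACL evaluation. Assumed semantics:
// all deny-unless ACLs must pass, then one allow-if ACL must pass (admin override ignored).
const hasRole = (user, role) => user.roles.includes(role);
// callerVip / openerVip: constructed flags for "submitted by, or on behalf of, a VIP".
const isVipIncident = (inc) => inc.callerVip || inc.openerVip;
// Four constructed stand-ins for the out-of-the-box write ACLs (criteria are hypothetical).
const baseAllowIf = [
  (u) => hasRole(u, 'itil'),
  (u, inc) => inc.caller === u.id,
  (u, inc) => inc.openedBy === u.id,
  (u, inc) => inc.watchList.includes(u.id),
];

function canWrite(user, inc, { allowIf, denyUnless = [] }) {
  if (!denyUnless.every((acl) => acl(user, inc))) return false; // one failure denies
  return allowIf.some((acl) => acl(user, inc)); // passing deny-unless grants nothing by itself
}

// Pre-Xanadu: edit all four conditions to exclude VIP incidents, then add four
// clones that apply only to VIP incidents and also require the incident-VIP role.
const preXanadu = {
  allowIf: [
    ...baseAllowIf.map((acl) => (u, inc) => !isVipIncident(inc) && acl(u, inc)),
    ...baseAllowIf.map((acl) => (u, inc) =>
      isVipIncident(inc) && hasRole(u, 'incident-VIP') && acl(u, inc)),
  ],
};

// Xanadu: the four ACLs stay untouched; one deny-unless ACL carries the VIP rule.
const xanadu = {
  allowIf: baseAllowIf,
  denyUnless: [(u, inc) => !isVipIncident(inc) || hasRole(u, 'incident-VIP')],
};

// Constructed users and incidents.
const users = [
  { id: 'agent', roles: ['itil'] }, { id: 'vipAgent', roles: ['itil', 'incident-VIP'] },
  { id: 'vipOnly', roles: ['incident-VIP'] }, { id: 'caller', roles: [] },
];
const incidents = [
  { name: 'normal', caller: 'caller', openedBy: 'agent', watchList: [], callerVip: false, openerVip: false },
  { name: 'vip', caller: 'caller', openedBy: 'agent', watchList: [], callerVip: true, openerVip: false },
];

// Decision matrix as "user/incident=true|false" strings.
const decisions = (cfg) => users.flatMap((u) =>
  incidents.map((inc) => `${u.id}/${inc.name}=${canWrite(u, inc, cfg)}`));
console.log(decisions(xanadu).join('\n'));
```

Under these assumptions both configurations produce the same decisions, but the deny-unless version needs one new ACL instead of eight edited or cloned ones. The `vipOnly` user is still refused because passing a deny-unless ACL does not grant access without a matching allow-if ACL.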

The post Deny-Unless ACL first appeared on Pathways Consulting Group.

https://pathwayscg.com/999963890-2/