Best Practices for Making Fields Read‑Only in ServiceNow

In ServiceNow, making certain form fields read-only is a common requirement to preserve data integrity and enforce business rules. A read-only field is one that users can see but cannot modify. This is important in scenarios where data should remain unchanged after a particular point or only be editable by specific users. Enforcing read-only fields helps maintain consistent records and prevents unauthorized or accidental changes.

There are many situations where a read-only field is necessary. For example, once an incident is closed or resolved, you might want to lock key fields (like State, Resolution Notes, or Close Code) so they cannot be edited afterwards. In another case, fields such as Created By or Created Date might be set when a record is first created and then kept read-only to serve as an audit trail. Role-based scenarios are also common – an HR case form might have a salary field that is editable by HR personnel but read-only for others. Likewise, if data is populated via integration (say from an external system), you may mark those fields read-only to prevent manual overrides. These examples show why controlling field editability is essential in ServiceNow.

In this article, we’ll explore the best practices for making fields read-only in ServiceNow. The platform offers multiple methods to achieve this, each with its own use cases and advantages. We’ll cover three primary approaches – using Client Scripts, UI Policies, and Access Control Lists (ACLs) – and discuss when to use each. We’ll also compare these methods and share troubleshooting tips for common issues. By the end, you’ll know how to implement read-only fields in a way that is effective, secure, and maintainable.

Methods to Make Fields Read-Only

ServiceNow provides both client-side and server-side methods to make fields read-only. On the client side (within the user’s browser), you can use Client Scripts or UI Policies to dynamically adjust form fields. On the server side (the database/security layer), you can use Access Control Lists (ACLs) to enforce read-only rules. Let’s examine each method in detail.

Using Client Scripts

Client Scripts in ServiceNow are pieces of JavaScript code that run in the user’s browser as they use forms. They can execute on form load, when a field value changes, or when the form is submitted. Client scripts are useful for dynamically controlling form behavior, including making fields read-only based on certain conditions or user roles. This approach is code-based, which offers flexibility for complex logic.

When to use Client Scripts: Use a client script if you need to implement custom dynamic behavior that might be too complex for a UI policy alone. For example, if you want to loop through many fields and set them all to read-only, or if the read-only condition involves intricate logic (like checking multiple field values or user criteria), a client script can handle that. Keep in mind that client scripts run only on forms (the user interface) – they do not enforce security on the server. They are mainly for enhancing the user experience on the form.

Steps to make a field read-only with a Client Script:

1. Navigate to Client Scripts: In your ServiceNow instance, open the form/table where you want to make a field read-only. From the form header, click Configure → Client Scripts (you can also find Client Scripts under System Definition in the Application Navigator).

   
   

2. Create a new Client Script: Click the “New” button to create a new client script record. Choose the table (e.g. Incident) that the script will apply to.

   
   

3. Set script properties: Enter a descriptive name (e.g. “Read-only Priority when Closed”), and select Type as “onLoad” if you want the script to execute when the form loads. (You could also use “onChange” if making a field read-only when another field changes value, but onLoad is common for setting initial read-only state.)

   
   

4. Define the condition (optional): If the script should only run for certain conditions (like only on a specific form view or only for certain users), you can write an if statement in the script. For example, to apply only when incident state is Closed, you can check that in the script logic.

   
   

5. Write the script: In the script field, use the GlideForm API to set the field to read-only. For example:

function onLoad() { 
	if (g_form.getValue('state') == 'Closed') { 			
		g_form.setReadOnly('priority', true); 
	} 
}

This script checks the current value of the State field, and if it equals “Closed”, it uses g_form.setReadOnly('priority', true) to make the Priority field read-only. If you want the field always read-only regardless of conditions, you can simply call g_form.setReadOnly('field_name', true) without an if condition. (Note: In newer ServiceNow releases, g_form.setDisabled('field_name', true) is recommended. The older setReadOnly function works similarly, but some consider it deprecated in favor of setDisabled) You can repeat this for multiple fields or loop through a list of fields if needed.

6. Save and test: Click Save to save the client script. Now impersonate a typical user (non-admin, if applicable) and open a record that meets the condition. You should see the specified field appear greyed out and not editable. If the condition isn’t met, the field should remain editable (unless other logic makes it read-only).

   
   

Limitations of using Client Scripts: Client scripts only run on the client side, meaning they affect what the user sees in the browser but do not enforce any restrictions on the server/database level. This means a client script can be bypassed by someone with technical know-how (for instance, using browser developer tools) or through external data imports/API unless additional measures are in place. For true security, you’d need an ACL (discussed later). Another limitation is potential conflicts with UI Policies – since client scripts execute before UI policies, any field changes they make might be overridden by a UI policy that runs afterwards. For example, if a client script makes a field read-only but a UI policy later sets it to editable, the UI policy will win (because UI policies are applied last in form loading order). It’s a best practice to use client scripts sparingly for setting read-only when a UI policy can achieve the same result. Finally, remember that client scripts require scripting knowledge – if your team has admins who aren’t comfortable with code, maintaining a script might be harder than using a no-code solution.

Using UI Policies

UI Policies are a ServiceNow feature that let you dynamically control form fields without writing client-side script. A UI Policy can be configured with conditions under which it will automatically set fields to be mandatory, hidden, or read-only (or the opposite when conditions are not met). UI Policies consist of two parts: the policy (which defines when it runs) and UI Policy Actions (which define what to do, such as make a field read-only).

Benefits of UI Policies: UI Policies are often the easiest and most straightforward way to make fields read-only on forms. They require no scripting for standard uses and are easier for others to understand and maintain. Because they are declarative (you configure them in the interface), they reduce the chance of script errors. UI Policies run on the client side, just like client scripts, but they execute after all onLoad client scripts. If there’s conflicting logic, the UI Policy’s settings take precedence on the form. This predictable order of execution is one reason ServiceNow best practices advise using UI Policies instead of client scripts whenever possible for things like making fields read-only.

Steps to create a UI Policy that makes a field read-only:

1. Navigate to UI Policies: In the Application Navigator, go to System UI > UI Policies (under the appropriate application scope if needed). Click New to create a new UI Policy.

   
   

2. Name and Table: Provide a descriptive Name for the policy (e.g. “Read-only Priority when Incident Closed”). Select the Table to which this policy applies (e.g. Incident). This is the table that contains the field you want to make read-only.

   
   

3. Conditions: Define the condition under which the field should be read-only. You can use the condition builder on the UI Policy form to set conditions (for example, State is Closed). If you leave the condition blank, the policy always applies. You can also check the Global checkbox if you want the policy to run on all form views; otherwise it will apply only to the default view or a specified view.

   
   

4. UI Policy settings: Make sure the Active checkbox is selected so the policy is in effect. Also, there is a checkbox Reverse if false – if checked, this means when the condition is not met, the reverse of the actions will be applied (so a field that was made read-only will become editable again). Typically, for read-only use cases, you will want to check Reverse if false so that the field returns to normal when the condition isn’t true.

   
   

5. Save the UI Policy: Click Submit or Update to save the new policy. At this point, the policy exists but has no actions defined yet – it won’t do anything until we add UI Policy Actions.

   
   

6. Add a UI Policy Action: While viewing your UI Policy record, scroll down to the UI Policy Actions related list and click New to create an action. In the action form, select the Field Name you want to make read-only. Set the Type to Read Only. When you choose “Read Only”, you’ll typically see a checkbox for true/false – check it (set to true) to make the field read-only when the policy condition is met. (If “Reverse if false” is true on the policy, this means when condition is not met, the field will be not read-only, i.e. editable, by default.)

   
   

7. Save the UI Policy Action: Click Submit to save the action. If you have multiple fields to make read-only under the same condition, create additional UI Policy Actions for each field (repeat steps 6-7 for each field). Each action can control one field’s attributes (Read Only, Mandatory, or Visible).

   
   

8. Test the UI Policy: Open a record on the table and manipulate it to meet the condition. For instance, change the incident’s state to Closed and watch the form – the configured field(s) should instantly become read-only (greyed out). If you change the state to something else and you enabled Reverse if false, the field should become editable again. The UI Policy runs in real-time as users fill out the form.

   
   

Using UI Policies in this way is very powerful. You’ve essentially accomplished the task with no code – just configuration. If your requirement is “make field X read-only when condition Y is true,” UI Policy is usually the best approach. It’s also easy for others to see this configuration: future administrators can simply look at the UI Policy and understand the rule, rather than reading through a script. Because of its simplicity and clarity, a UI Policy with actions should be your go-to solution for read-only fields in most form scenarios.

When to prefer UI Policies over Client Scripts: In general, prefer a UI Policy if your need is to set field states (read-only, mandatory, visibility) based on simple conditions. As noted, UI Policies are easier to maintain and they execute later in the load sequence, avoiding conflicts. Client scripts should only be used for field control if you cannot achieve the requirement with UI Policy alone (for example, if the logic is very complex or needs to iterate through many fields dynamically). Otherwise, stick to UI Policies for straightforward use cases – it’s both a best practice and makes life easier for your ServiceNow team.

Limitations of UI Policies: While UI Policies are great for form behavior, remember that they are still a client-side solution. They do not provide security beyond the form. If a user has access to alter data through other means (like importing data or via scripts), a UI Policy won’t stop that. Also, UI Policies only apply to forms; if someone edits a record via the list view (list editor) or an API, the UI Policy does nothing. In those cases, combining the UI Policy with an ACL would ensure the field is truly read-only in all contexts. Another thing to note is performance: a few UI Policies are fine, but if you have many UI Policies and Client Scripts on the same form, it can slightly slow down form load as each must evaluate. It’s wise to consolidate conditions or use scripting within a UI Policy if you have dozens of fields to manage, rather than creating hundreds of separate UI Policy Actions (balance clarity with maintainability).

Using Access Control Lists (ACLs)

Access Control Lists (ACLs) in ServiceNow are rules that govern what data users can access and how they can access it. Unlike Client Scripts or UI Policies, which are about client-side form behavior, ACLs are enforced on the server side (the database level). This means ACLs are the security layer – they ultimately decide if a user can read, write, or create a record or field. To make a field read-only via ACL, you actually configure the ACL to prevent write access to that field for certain users or conditions. When a user doesn’t have write access to a field, the platform will present that field as read-only on forms (or hide it entirely, depending on configuration).

Using ACLs to restrict field editing is the most secure method because it’s enforced regardless of how the data is accessed. Even if a user tries to bypass the UI and update the field through an API or script, the ACL will block the operation if they don’t meet the conditions. ServiceNow best practices consider ACLs as a stronger security measure than client-side scripts or policies, because ACLs execute on the server and cannot be bypassed by disabling browser scripts.

Before creating or editing ACLs, you must have the security_admin role (and elevate to it, since it’s usually privileged). Keep that in mind – only admins or those with proper rights can modify ACL rules.

Steps to make a field read-only using an ACL:

1. Navigate to Access Control list: In the Application Navigator, go to System Security > Access Control (ACL). This will show the list of ACL rules. Click New to create a new ACL rule.

   
   

2. Define the ACL rule type and target: In the New Access Control form, you’ll specify what this rule is for. Set the Type to “record” (since we are controlling record access). Then specify the Operation as “write” – this indicates the rule will govern write (edit) access. You also need to identify the specific table and field: in Name, select the field name you want to restrict (e.g. incident.priority). For example, you might end up with an ACL rule for "Incident.priority write". (If you wanted to make an entire record read-only, you could target the table with no specific field and restrict write, but here we’re focusing on a single field.)

   
   

3. Conditions or script: The ACL rule needs to decide under what conditions to allow writing. By default, if an ACL’s conditions/script do not grant access, the user is denied. There are two ways to configure this: using the condition builder or writing a script. For a simple scenario where nobody (except perhaps admins) should ever edit this field, you can leave the condition empty and not assign any roles – meaning no one will pass the ACL check (except admins by override), effectively making the field read-only for all. If you want to allow some roles to edit and others read-only, you can fill in the Requires Role field with roles that are allowed to edit. Anyone without those roles will be denied write access (field stays read-only for them). Alternatively, you can write an ACL script that checks for a condition. For example:

// ACL script example 
if (current.state == 'closed' || current.state == 'Closed') { 
	// if the record is closed, deny write access 
	answer = false; 
} else { 
	answer = true; 
}

The script above (placed in the ACL’s script field) ensures that when the incident’s state is Closed, the write operation for this field is denied (so the field is effectively read- only). When the state is not Closed, it returns true, meaning the ACL doesn’t deny access (other ACLs or role requirements might still apply though). You could also incorporate user criteria in the script, like allowing write only if gs.hasRole('itil_admin') or similar. Use the scripting approach for complex logic, otherwise use the Roles and Conditions for simpler rules.

3. Test user criteria (if any): If you specified roles in the ACL, ensure those roles are correctly assigned to the users who should still edit the field. If you used a script/condition, double-check the logic covers all cases (remember ACL scripts return answer=true to grant access, and if none of the ACL rules grant access, access is denied by default).

   
   

4. Save the ACL rule: Submit the new ACL. It is now in effect. Because this is a security rule, you don’t need to refresh any forms for it to apply; the next time a user tries to load or save that field, the ACL will be evaluated.

   
   

5. Verify the behavior: Impersonate a user who should not have edit rights to that field and open a record. You should see the field in question is now read-only (it may appear with a lock icon or just greyed out). If the user tries to double-click or edit it, they won’t be able to. If they somehow send an update via API or through a form save, the server will prevent the change. Now impersonate a user who should have access (if applicable, such as someone with a specific role) and ensure that user can edit the field as intended. This testing ensures your ACL is correctly configured.

   
   

Why ACLs provide stronger security: ACLs operate at the data level on the server, so they are not dependent on the UI at all. This means integrations, import sets, and background scripts will all respect the ACL rules. If an ACL says a user cannot write to a field, that user’s attempts to change the field will be blocked, regardless of source. In contrast, a UI Policy or Client Script only affects the form; a user could still potentially change data by other means if no ACL exists to stop them. Thus, ACLs are the go-to solution for enforcing that a field truly remains read-only from a security standpoint. In many cases, you might use an ACL in combination with a UI policy: the UI policy gives immediate visual feedback (greying out the field on the form for all users), while the ACL is a safety net that ensures the rule cannot be violated through backdoor methods.

Additional notes on ACLs: Managing ACLs can get complex in large systems. Each field on each table can have its own ACL rules, and there are also table-level ACLs (like an ACL on Incident table for write that affects all fields without a specific field ACL). A user must pass all relevant ACL checks to have access – for example, to edit a field, they must pass both the field-level write ACL and the table-level write ACL. When designing a new ACL, make sure it doesn’t conflict with existing ones. It’s a good practice to document why an ACL is added (perhaps in the description field of the ACL record). Also, remember that by default the admin role in ServiceNow bypasses ACLs (this behavior can be turned off via a system property, but typically admin will have full rights). So test your ACL with non-admin roles to be sure it works. If you need even admins to be subject to the rule, you’d have to disable the admin override or use a script that explicitly denies even admins based on condition (not common, as usually admin is allowed to do anything for maintenance). Always test ACL changes in a sub-production instance first, because a misconfigured ACL can accidentally block important functionality (for example, if you deny write to a crucial field for all users, some processes might fail). Use the Security Auditor/Debug Security feature to troubleshoot ACL evaluation – it can show you which rule denied access if something isn’t working as expected.

Comparison and Best Practices

Now that we’ve covered three methods (Client Scripts, UI Policies, and ACLs) for making fields read-only, let’s compare them in terms of ease of use, security, and maintainability. Each method has its strengths, and often the best solution might involve using more than one in tandem.

• Ease of Use: UI Policies are the easiest method for most administrators. They require no coding – just point-and-click configuration – and are very understandable. Creating a UI Policy with a few actions is straightforward and quick. Client Scripts are moderately easy if you are comfortable with JavaScript; they offer more flexibility but do require writing and debugging code. For those not versed in coding, client scripts can be a hurdle. ACLs are also configuration (not code) but understanding ACL logic can be a bit more complex because it involves security concepts and the interplay of multiple rules. Among the three, UI Policies are the most user-friendly to set up, which is why “no-code” solutions like UI Policy are preferred when they meet the need.

  
  

• Security: ACLs are the clear winner for security. They enforce rules at the system level, ensuring the field is read-only in all scenarios (UI, API, import, etc.) for unauthorized users. Neither client scripts nor UI policies actually stop someone from changing data via background methods – they only affect the UI. If you have a requirement that absolutely no one without the proper role or condition should ever change a field’s value, you must use an ACL to guarantee that. UI Policies and Client Scripts are more about user experience and guidance; they can be bypassed with enough technical effort or unforeseen integration processes. It’s worth noting that in many cases you will use a combination: for example, set a UI Policy to make the field appear read-only on the form for all normal users (better UX), and also have an ACL that truly blocks updates to that field unless conditions are met (security). This way you get the benefits of both. According to ServiceNow experts, ACL rules are considered a best practice for true security, while client-side methods should be seen as a convenience.

  
  

• Maintainability: From a long-term maintenance perspective, UI Policies tend to be easier to maintain because they are visible in the platform’s UI with clear conditions and actions. Future administrators can quickly adjust the condition or add another field action without touching code. Client Scripts, on the other hand, live in code – maintaining them means understanding JavaScript and the script’s logic. If someone else inherits your ServiceNow instance, they might find it easier to tweak a UI Policy than to edit a script (especially if the original script writer is not around to explain it). ACLs are also configuration, but they require careful management; a system with too many ACLs might become hard to troubleshoot (“why can’t user X edit field Y? which ACL is blocking it?”). However, usually each ACL serves a specific purpose and they don’t need frequent changes once set up properly. One maintainability tip: use naming conventions and descriptions for UI Policies, Client Scripts, and ACLs so that their purpose is clear. For example, name your UI Policy “Read-only on Closed – Incident” rather than a generic “Incident UI Policy 1”. This helps quickly identify the rule controlling a field.

  
  

• Performance: All these methods have minimal performance impact in normal numbers, but if overused they can degrade the user experience. A single UI Policy with a couple of actions is negligible in load time. But having 50 UI Policies on one form might slow things down. Similarly, a client script with a simple check is fine, but dozens of client scripts or very heavy script logic can cause form slowness. ACL checks are server-side and are very fast (they are evaluated on each data access, but ServiceNow is optimized for that). Typically, performance is not a deciding factor unless you go to extremes; still, it’s a best practice not to duplicate logic. For example, avoid having multiple client scripts or UI policies all trying to set the same field read-only under similar conditions – consolidate where possible.

  
  

Which method to use when: Here are some recommendations based on use case:

• For simple form-based conditions (UI only): Use a UI Policy. Example: “When Category is X, make Subcategory read-only.” This is a straightforward form rule – UI Policy handles it cleanly.

  
  

• For complex form logic or bulk field handling: Use a Client Script (or a UI Policy with a script). Example: “If user is not in the IT group, make all fields read-only” – you could achieve this by scripting through all fields in a client script (using g_form.getEditableFields() in a loop to disable many fields). While you could also do multiple UI policy actions, scripting might be cleaner for a very large number of fields or complex conditions that are hard to express in the UI Policy condition builder.

  
  

• For true data security requirements: Use an ACL (often combined with a UI Policy for UX). Example: “Only users with the role project_manager can edit the Budget field on Project records; everyone else should see it but not change it.” Here, set up an ACL on Project.Budget (write operation) that allows only project_manager role. Additionally, you might create a UI Policy that has condition current role is not project_manager and action to set Budget read-only, so that even on the form it appears locked for them. This double layer ensures a smooth user experience and solid security.

  
  

• For always-read-only fields: If a field should be read-only for everyone (except maybe admins) at all times (no condition), you have a couple of choices. The simplest is to mark it read-only at the dictionary level (in the field’s dictionary definition, set the Read-Only attribute). This will make it read-only on all forms by default. However, dictionary settings can be overridden in extended tables and don’t apply conditionally. Alternatively, a UI Policy with no condition (always true) or an ACL with no role can enforce this as well. Many admins prefer the dictionary approach for truly static rules (for example, the Sys ID field of a record is always read-only by system design). For an application field, a read-only dictionary setting works, but remember dictionary applies system-wide, not just on certain conditions.

  
  

• Combining methods: It’s perfectly acceptable and common to use these methods together. Just be careful to avoid conflicting rules. For instance, don’t have a client script trying to make a field editable while a UI policy is making it read-only at the same time – that’s a conflict (the UI policy will override as mentioned). Instead, align them: maybe the client script handles some complex logic, and then calls g_form.setReadOnly as needed, while the UI policy covers a simpler subset of conditions. Or use UI policy primarily, and only use client script for things UI policy can’t do (like dynamically determining field names or looping). Always ensure your ACLs align with the client-side rules – the worst case is a UI policy shows a field as editable but an ACL will prevent saving, resulting in user confusion when they get a security error on save. To avoid this, if an ACL will block edit, also use a UI policy or client script to grey out the field so the user knows it’s not editable. Consistency between client and server rules provides a better experience.

  
  

Troubleshooting Tips: When making fields read-only, you might run into some common issues. Here are a few tips to troubleshoot them:

• Client script not working: If your client script isn’t making the field read-only as expected, check that the script is actually running. Ensure the script is set to Type: onLoad (if you intended it to run on form load) or another appropriate trigger. A common mistake is a typo in the field name – field names are case-sensitive in g_form methods. Also, if you have a condition on the client script record (the “Condition” field in the client script form), make sure it’s correct or leave it blank to always run (and handle conditions in code if needed). Use gs.log or console.log in your script for debugging (open the browser console to see if the script executes). Lastly, remember that if a UI Policy is also acting on that field, it might override your script. You may need to adjust the UI Policy or the script’s logic (or decide to use one method consistently). If the form is in a scoped application, ensure you’re using the correct API (in scoped apps, use g_form.setReadOnly as usual – it’s available).

  
  

• UI Policy not applying: If the UI Policy isn’t making the field read-only, verify the policy is active and that its conditions are actually being met on the form you’re testing. If using a specific view, ensure the UI Policy is either global or that view matches. Check the Reverse if false setting – if you left it unchecked, once the condition becomes true and the field is read-only, it might stay read-only even after the condition is false, until the form reloads. In many cases for dynamic behavior, you want Reverse if false = true so that the field will toggle back. Also, ensure you created a UI Policy Action for the correct field and set it to Read Only = true. It’s easy to accidentally set the wrong field or forget to add the action. If multiple UI Policies could affect the same field, note that their order (the Order field on the UI Policy) can determine which one applies last. Use the Debug UI Policies option (from the gear icon, if enabled) to see which policies are running and what they do.

  
  

• ACL seems to do nothing: If you made an ACL and nothing changed (users can still edit the field freely), a few things could be going on. First, are you testing with an account that has the admin role? Remember, admin bypasses ACLs by default, so test with a non-admin user to see the effect. Second, check if there are other ACLs that grant access. For a field write operation, ServiceNow might evaluate multiple ACLs (table-level and field-level). All relevant ACLs must allow access for the user to have access. Use Security Debug (in the left nav search “Debug Security Rules”) to see a breakdown when loading the form – it will show each ACL evaluated and whether it passed or failed. If your new ACL has a condition script, perhaps that script isn’t written correctly – add some gs.log statements or use the condition builder for simplicity. Also ensure you set the ACL to the exact field name and operation you intend. If you accidentally created a read ACL instead of a write ACL, you might have affected visibility instead of editability. A telltale sign of misconfigured read ACL: the field (or entire record) might disappear for the user. In our use case, we want a write ACL (so user can see the field’s value but not change it). Finally, remember to publish/activate the ACL by saving it – if it’s inactive it won’t do anything.

  
  

• Field still editable in list or other interface: If you made a field read-only via client script or UI policy on a form, but users can still edit it inline in a list or through an import, that’s expected – because client-side methods don’t apply there. The solution is to implement an ACL for complete enforcement. If an ACL is in place and users can still edit via list, double-check if the list editing might not be respecting it (which would be unusual – normally ACLs apply everywhere). Possibly the user has a role that passes the ACL. Verify the ACL is correctly targeting that field and not being overridden.

  
  

• Multiple methods conflict: If you (or someone else on your team) inadvertently applied multiple rules, you might see strange behavior. For instance, a client script sets a field read-only on load, but a UI policy immediately sets it back to editable, causing a flicker or just leaving it editable. In such cases, consolidate the logic to one place. Usually, the fix is to remove or adjust the redundant rule. Search your Client Scripts and UI Policies for that field name to see if there are any overlapping rules. Keeping a clear documentation of why a field is read-only (and through which mechanism) will help avoid confusion.

  
  

• Remember dictionary overrides: If the field in question is on an extended table (e.g., a field defined on the Task table but you’re using it on Incident which extends Task), check if there is a dictionary setting that’s making it read-only or editable unexpectedly. Dictionary settings can be overridden per table. It’s rare, but if someone set a field to read-only at the Task level, it would affect Incident unless overridden. In general, if a field is always meant to be read-only for all child tables, dictionary is an option; otherwise handle it via UI policies or ACLs at the specific table level for clarity.

  
  

By following these tips, you can usually resolve the common hiccups when making a field read-only. The key is to systematically check each layer (client scripts, UI policies, ACLs, dictionary) to see where the behavior is coming from.

Conclusion

Controlling whether a field is editable or read-only is a fundamental aspect of ServiceNow form design and security. In this article, we discussed why making fields read-only is important – from preserving the accuracy of closed records to restricting sensitive information – and we explored three main methods to implement this in ServiceNow: Client Scripts, UI Policies, and Access Control Lists.

To recap the key takeaways: For most straightforward form conditions, UI Policies are your best friend – they are easy to configure and maintain, and they cleanly handle making fields read-only (or mandatory/hidden) without any code. Client Scripts can achieve similar effects and are useful for more complex logic, but they run earlier and can be overridden by UI policies, so use them when you need that extra flexibility. For true enforcement, ACLs are critical – they ensure that even if a user tries to edit a field outside the normal UI, the system will prevent it, thereby truly making the field read-only to those who shouldn’t change it. Each method serves a purpose: UI Policies for ease and clarity, Client Scripts for advanced control, and ACLs for security.

As a best practice, try to use the method most suited to the requirement: prefer no-code solutions for UI form behavior and reserve scripting for when it’s really necessary. Always implement ACLs for scenarios involving security or compliance, as they are the only reliable way to guarantee a field cannot be edited without permission. And don’t hesitate to use a combination – for example, an ACL backed by a UI Policy gives both safety and a good user experience.

Actionable next steps: If you are a ServiceNow administrator or developer, consider reviewing your forms and identifying fields that should be read-only. Ask questions like: “Should this field ever be changed after creation?” or “Who should be allowed to edit this field?”. Based on the answers, implement the appropriate method. Start with a UI Policy for quick wins on the form. If you find that users are still able to change data in ways they shouldn’t, add an ACL to tighten the rules. Always test these changes in a sub-production environment with different user roles to ensure everything works as expected before moving to production.

By applying these best practices, you’ll make your ServiceNow applications more robust and user-friendly. Fields that need protection will stay protected, and users will have a clear interface that guides them through what can or cannot be edited. In the end, you’ll achieve both consistency in your data and confidence in your platform’s security, which is a win-win for any ServiceNow implementation. Happy building, and may your fields be correctly read-only when it counts!