Decoding ServiceNow Security: Understanding the Difference Between Table.none and Table.* in ACLs
- nathanlee142
- Mar 21
- 4 min read
Updated: Mar 26
In ServiceNow, ensuring data security and controlling access is paramount. Access Control Lists (ACLs) are the cornerstone of this security framework, defining who can access what within the platform. However, understanding the nuances of different ACL configurations can sometimes be challenging. One common point of confusion lies in the difference between Table.none and Table.*. This article will break down these two important table-level ACL specifications and clarify their distinct roles in ServiceNow security.
The Foundation of ServiceNow Security: Access Control Lists
ServiceNow ACLs govern whether a user can perform operations like read, write, create, or delete records and fields within the system. They are evaluated based on a combination of factors, including the user's roles, the operation being attempted, and the specific record or field being accessed. Understanding how different ACL specifications work is crucial for administrators and developers to implement robust and effective security measures.
Unraveling the Mystery: Table.none vs. Table.*
When configuring table-level ACLs in ServiceNow, you'll often encounter Table.none and Table.*. While both apply to an entire table, they operate at different levels of access control:
Table.none: This is a row-level ACL. It controls whether a user can access the records (rows) of a specific table. Think of it as the gatekeeper to the entire set of data within a table. If a user does not have the necessary permissions granted by a Table.none ACL, they will not be able to see or interact with any records in that table, regardless of field-level permissions.
Table.*: This is a field-level ACL. It acts as a wildcard, applying to all fields on the specified table. It controls whether a user can access the individual data points (fields) within the records of that table. This ACL comes into play after a user has been granted row-level access through a Table.none ACL (or other means).
Key Distinction: Table.none governs access to the records themselves, while Table.* governs access to the data within those records.
How They Interact: Examples in Action
Let's illustrate the difference with some practical scenarios, focusing on read access:
Scenario 1: Read Access with Table.none
Imagine you define a READ ACL with Table.none for the Admin and ITIL roles on the Incident table.
Result: Both users with the Admin role and users with the ITIL role will be able to view all Incident records and all their fields. This is because the Table.none ACL grants them the fundamental permission to access the records (row-level access). Without any specific field-level ACLs restricting access, they can see all the data within those records.
Scenario 2: Read Access with Table.none and Table.* (Admin)
Now, let's say you have the same READ ACL with Table.none for both Admin and ITIL, and you add another READ ACL with Table.* specifically granting access to the Admin role.
Result: Both Admin and ITIL users will still be able to view all Incident records and their fields. The Table.none ACL already provides row-level access. The addition of Table.* for Admin explicitly grants read access to all fields, which they already had implicitly. It doesn't change the outcome in this scenario.
Scenario 3: Read Access with Table.none (Admin) and Table.* (ITIL)
Consider a scenario where a READ ACL with Table.none is defined for the Admin role, and a separate READ ACL with Table.* is defined for the ITIL role on the Incident table.
Result: In this case, users with the ITIL role will not be able to view any Incident records. This is because they only have field-level read access granted by the Table.* ACL. They lack the necessary row-level access, which is controlled by the Table.none ACL. The Admin role, however, will be able to view all Incident records and their fields because they possess the Table.none ACL granting row-level access.
Analogy for Better Understanding
Think of a building with many rooms.
Table.none is like having the key to enter the building itself. Without this key, you cannot access any of the rooms inside.
Table.* is like having permission to see the contents of all the rooms inside the building. However, this permission is useless if you don't have the key to get into the building in the first place.
You need both the key to the building (row-level access from Table.none) and the permission to see the contents of the rooms (field-level access, potentially granted by Table.*) to fully interact with what's inside.
Conclusion: Mastering ServiceNow ACLs for Robust Security
Understanding the distinct roles of Table.none and Table.* in ServiceNow ACLs is crucial for implementing effective security controls. Remember that Table.none governs access to the records themselves, while Table.* controls access to the fields within those records. To ensure appropriate access, you often need to configure both row-level and field-level ACLs in a way that aligns with your organization's security policies. Take the time to review and understand the ACLs configured in your ServiceNow instance to maintain a secure and well-governed platform.
