https://express.servicenow.com/support/documentation/acl-rules-exp/
Access control list (ACL) rules control what data users can access and how they can access it.
Users must pass a set of requirements to gain access to particular data. Each ACL rule specifies the following access.
The object and operation being secured.
The permissions required to access the object.
Objects and operations
Objects consist of a type and a name that uniquely identifies a table, field, or record. The operation is the action that the system can take on the specified object. Some objects, such as records, can support multiple operations. Other objects, such as field updates, support one operation.
| Name | Object secured | Operation | Operation secured |
|---|---|---|---|
| [incident].[– None –] | The Incident table. | create | Create records in the Incident table. |
| [incident].[active] | The Active field in the Incident table. | write | Update the Active field in the Incident table. |
Record ACL rules are processed against field ACL rules first, and then against table ACL rules. A user must pass both field and table ACL rules to access a record object.
If a user fails a field ACL rule but passes a table ACL rule, the user is denied access to the field in the ACL rule.
If a user fails a table ACL rule, the user is denied access to all fields in the table, even if the user previously passed a field ACL rule.