Creating and Editing the Access Controls in Servicenow

Creating and Editing Access Controls

Users with the admin role can view Access Control records but cannot create, delete, or update Access Controls. All Access Control operations except read require elevated security privileges, also known as the security_admin role.
Elevate security privileges in the main ServiceNow browser window (not Studio). Open the User menu in the banner and select Elevate Roles.
(Figure: Elevating privileges)
In the Elevate Roles dialog, select security_admin then click the OK button.
(Figure: Elevate Roles dialog)
The security_admin role times out. Depending on how long you are working on Access Controls, you might have to elevate privileges several times.
Access Controls can be created for:
  • Records
  • Client callable Script Includes
  • Processors
  • REST Endpoints
  • UI Pages
This module discusses Access Controls for records.
There are four sections in Access Controls:
  • Table/field
  • Requires Role
  • Condition
  • Script
In order for permission to be granted to access a table/field, the Requires Role, Condition, and Script sections must all return true. If there is no value, the section returns true.

Table/Field

Use the Name field in the Access Control configuration to specify which records and which field are secured. In the example, the Access Control grants write access to the NeedIt table’s Requested for field.
(Figure: Requested for Access Control)
The example rule is a write rule:
Write: [NeedIt] [Requested for]

Requires Role

Use the Requires role list to specify the role(s) required to access records. Click the Insert a new row… line to add a role to the list. If there are multiple rows in the list, the user needs only one of the roles (any one of them) for Requires Role to return true.
(Figure: The NeedIt User role is required)
To remove a role from the list, click the red X in the role’s row. Clicking the X removes the role from the Access Control but does not delete the role from the database.

Condition

Use the Condition field to create the condition(s) required to grant access. In this example, the Requested for value must be the currently logged in user.
(Figure: Requested for must be the currently logged in user)
The condition is tested dynamically and the number of matching records in the database is reported. Click the link to open a list of matching records in a new tab. Click the double arrow icon to refresh the count.
(Figure: Matching records)

Script

Select the Advanced option to see the Script field.
(Figure: Advanced Option)
Access Control scripts execute server-side and run every time the rule is evaluated, so avoid GlideRecord queries in them: they can adversely impact performance.
Restrict the script logic only to security-related logic. If other logic is included, such as managing date formats or validating record data, it can be difficult to debug problems in the future as you might not think to look in Access Control scripts for those actions.
Some useful methods for Access Control scripts include:
  • GlideSystem: getUser(), getUserID(), getUserName(), hasRole(), isLoggedIn(), isInteractive(), getSession()
  • GlideRecord: isNewRecord()
Access Control scripts must set the answer variable to true or false.
// Grant access only to interactive sessions of users who hold neither the admin nor the user_admin role
if (!gs.hasRole("admin") && !gs.hasRole("user_admin") && gs.getSession().isInteractive()) {
    answer = true;
}
else {
    answer = false;
}
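As an added example (not code from ServiceNow or this course), the following models how the Requires Role, Condition and Script sections described above combine into a single access decision, using the page's write rule on Requested for and the script just shown; the gs stub, the needit_user role name and the requested_for field name are assumptions.

```javascript
// Added example, not ServiceNow's own code: a minimal model of how the three
// sections of a record Access Control combine. Requires Role, Condition and
// Script must all return true, and a section with no value returns true.
// The gs stub implements only GlideSystem methods named on this page.
function makeGs(user) {
  return {
    getUserID: () => user.sysId,
    hasRole: (role) => user.roles.includes(role),
    getSession: () => ({ isInteractive: () => user.interactive }),
  };
}

// Requires Role: with several rows the user needs any ONE of the roles.
function requiresRolePasses(roles, gs) {
  if (!roles || roles.length === 0) return true;
  return roles.some((role) => gs.hasRole(role));
}

// Condition: a predicate over the record stands in for the condition builder.
function conditionPasses(condition, record, gs) {
  if (!condition) return true;
  return condition(record, gs) === true;
}

// Script: in ServiceNow the script sets `answer`; here it returns that value.
function scriptPasses(script, record, gs) {
  if (!script) return true;
  return script(record, gs) === true;
}

function evaluateAccessControl(acl, record, user) {
  const gs = makeGs(user);
  return requiresRolePasses(acl.requiresRole, gs)
    && conditionPasses(acl.condition, record, gs)
    && scriptPasses(acl.script, record, gs);
}

// Constructed rule mirroring the page: write on NeedIt's Requested for field,
// NeedIt User role required, Requested for must equal the logged-in user, and
// the page's script. Role and field names here are assumptions, not ServiceNow's.
const writeRequestedFor = {
  name: "write: [NeedIt] [Requested for]",
  requiresRole: ["needit_user"],
  condition: (record, gs) => record.requested_for === gs.getUserID(),
  script: (record, gs) => {
    var answer = !gs.hasRole("admin") && !gs.hasRole("user_admin")
      && gs.getSession().isInteractive();
    return answer;
  },
};
```

Note that an admin holding the NeedIt User role is still denied by this rule, because the script section returns false for admins even when the role and condition sections pass.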