Skip to page contentSkip to chat
ServiceNow support
    • Community
      Ask questions, give advice, and connect with fellow ServiceNow professionals.
      Developer
      Build, test, and deploy applications
      Documentation
      Find detailed information about ServiceNow products, apps, features, and releases.
      Impact
      Accelerate ROI and amplify your expertise.
      Learning
      Build skills with instructor-led and online training.
      Partner
      Grow your business with promotions, news, and marketing tools
      ServiceNow
      Learn about ServiceNow products & solutions.
      Store
      Download certified apps and integrations that complement ServiceNow.
      Support
      Manage your instances, access self-help, and get technical support.
Understanding Table-First Access Control Evaluation in ACLs - Support and Troubleshooting
  • >
  • Knowledge Base
  • >
  • Support and Troubleshooting (Knowledge Base)
  • >
  • Understanding Table-First Access Control Evaluation in ACLs
KB0541355

Understanding Table-First Access Control Evaluation in ACLs


35386 Views Last updated : Jul 25, 2025 public Copy Permalink
KB Summary by Now Assist

Issue

Access Controls (ACLs) can be complex when securing your instance. This article clarifies how ACLs are evaluated — with table-level access (Gate 1) checked before field-level access (Gate 2) — and explains how to configure them effectively.

Symptoms

  • Users unexpectedly denied or granted access to fields despite ACLs being present.
  • Field-level ACLs seem to be ignored even when defined.
  • Admin override behavior is inconsistent or fails entirely.
  • Dot-walked fields not displaying correctly in list views.

Facts

  • ACLs must pass all three checks: roles, condition, script.
  • Table-level ACLs are required before field-level ACLs are evaluated.
  • The Admin Overrides checkbox must be consistent across ACLs for it to work properly.
  • List views do not load all columns by default; only visible fields are retrieved.

Release

  Applicable to all releases supporting ACLs; confirmed behavior as of the Yokohama release.

Cause

Misunderstanding of the ACL evaluation order leads to incorrectly configured security rules, causing unexpected access issues or overly permissive behavior.

Resolution

ServiceNow uses a two-gate ACL evaluation system:

Gate 1 – Table-Level ACLs (evaluated first):

  • ACL Name: table
  • Field: --None--
  • Type: record

Checked to determine if the user can access the record at all.

If no ACL is found, the system checks the parent table(s), then falls back to a wildcard (*) rule.

Gate 2 – Field-Level ACLs (evaluated after table access):

  • ACL Name: table.field
  • Type: record
  • Used to control access to specific fields after the user passes the table-level check.
incident_record_read.png

Field ACL evaluation order:

  1. table.field
  2. parent_table.field
  3. table.*
  4. parent_table.*
  5. *.*

Admin Overrides:
If enabled on all relevant ACLs, users with the admin role bypass ACL conditions. If any ACL in the chain lacks this setting, overrides will not apply.

List View Considerations:
Field ACLs referencing other fields (especially via dot-walk) require the referenced field to be visible in the list and placed before the evaluated field.

Related Links

  • ACL debugging tools
  • Customization Considerations for Access Controls (ACLs)
  • Access control list rules

The world works with ServiceNow.

Sign in for more! There's more content available only to authenticated users Sign in for more!
Did this KB article help you?
Did this KB article help you?

Attachments

Attachments

  • incident_record_read.png
  • incident_star_read.png
  • istar_record_read.png
  • star_star_read.png
  • incident_caller_id_read.png

How would you rate your Now Support digital experience?

*

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

What can we improve? Please select all that apply.

What are we doing well? Please select all that apply.

Tell us more

*

Do you expect a response from this feedback?

  • Terms and conditions
  • Privacy statement
  • GDPR
  • Cookie policy
  • © 2025 ServiceNow. All rights reserved.