Unsecured ACL

This issue is found automatically by CODA.
Time to fix: 30min

What are ACLs?

Access Control Lists (ACLs) in ServiceNow are used to control what data users can access and how they can access it. ServiceNow uses ACL rules, also called access control rules, to implement this control. ACL rules require users to pass a set of requirements in order to gain access to particular data.

Why is this an issue?

Creating an ACL without any restriction poses a significant security risk. When an ACL has no defined role, condition, or script, it is active at all times and is, in effect, public.

This means that any user, regardless of their role or permissions, can access the records controlled by this ACL. Consequently, sensitive data such as financial information, personal user details, or proprietary business data could be exposed to unauthorized individuals.

How do I fix it?

The fix depends on the specific ACL you are working with, but in every case the ACL must carry at least one of a role, a condition, or a script. Please note that this change requires the elevated_admin role. Follow these steps to add the restriction:

  1. In the Filter Navigator, type and enter sys_security_acl.list.

  2. Search for the ACL that requires modification.

  3. Populate the Condition, Script or Role field with the appropriate information based on the specific ACL and your intended purpose and Save.

Notice that when populating the Script field, it is necessary to check the Advanced box to enable script editing.
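The following is an added example, not code from the page or from CODA: a small JavaScript audit over exported sys_security_acl and sys_security_acl_role records that flags the unsecured rules described above, including the case where a script was typed but the Advanced box was left unchecked. The table and field names are ServiceNow's; the sample records are constructed, and the rule that a script only counts when Advanced is checked is an assumption drawn from the note above.

```javascript
// Added example (not from the page or from CODA): offline audit of
// sys_security_acl records for the "unsecured ACL" condition.
// Field names mirror sys_security_acl and sys_security_acl_role;
// all sample records below are constructed placeholders.

// An ACL is unsecured when it is active and has no role, no condition and
// no effective script. Assumption: a script is only evaluated when Advanced
// is ticked, so a script typed without Advanced does not restrict access.
function isUnsecuredAcl(acl, roleNames) {
  if (!acl.active) return false; // inactive rules grant nothing
  const hasRole = roleNames.length > 0;
  const hasCondition = (acl.condition || "").trim() !== "";
  const hasScript = acl.advanced === true && (acl.script || "").trim() !== "";
  return !(hasRole || hasCondition || hasScript);
}

// Join the m2m role table onto each ACL and return "table.field/operation"
// for every unsecured rule, so the output can be searched in sys_security_acl.list.
function findUnsecuredAcls(acls, aclRoles) {
  const rolesByAcl = new Map();
  for (const link of aclRoles) {
    if (!rolesByAcl.has(link.sys_security_acl)) rolesByAcl.set(link.sys_security_acl, []);
    rolesByAcl.get(link.sys_security_acl).push(link.sys_user_role);
  }
  return acls
    .filter((acl) => isUnsecuredAcl(acl, rolesByAcl.get(acl.sys_id) || []))
    .map((acl) => `${acl.name}/${acl.operation}`);
}

// Constructed sample data (sys_id values are placeholders, not real records).
const SAMPLE_ACLS = [
  { sys_id: "acl1", name: "u_payroll", operation: "read", active: true, advanced: false, condition: "", script: "" },
  { sys_id: "acl2", name: "u_payroll", operation: "write", active: true, advanced: false, condition: "", script: "" },
  { sys_id: "acl3", name: "u_payroll.salary", operation: "read", active: true, advanced: true, condition: "",
    script: "answer = current.employee == gs.getUserID() || gs.hasRole('hr_admin');" },
  { sys_id: "acl4", name: "incident", operation: "read", active: true, advanced: false,
    condition: "assigned_to=javascript:gs.getUserID()", script: "" },
  { sys_id: "acl5", name: "u_legacy", operation: "delete", active: false, advanced: false, condition: "", script: "" },
  // Script present but Advanced unticked: treated as not restricting access.
  { sys_id: "acl6", name: "u_contract", operation: "read", active: true, advanced: false, condition: "",
    script: "answer = gs.hasRole('legal');" },
];
const SAMPLE_ACL_ROLES = [{ sys_security_acl: "acl2", sys_user_role: "hr_admin" }];

function auditSample() {
  return findUnsecuredAcls(SAMPLE_ACLS, SAMPLE_ACL_ROLES); // ["u_payroll/read", "u_contract/read"]
}
```

Only the rule with neither role, condition nor effective script, and the rule whose script sits behind an unticked Advanced box, are reported; the inactive rule is skipped because it never grants access.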