Question 264 of 510
Application Rules, ACL and Notifications · hard · Multiple Choice · Objective-mapped

Quick Answer

The correct approach is to create a new record-level ACL with a condition script for the 'u_asset_tracking' table. This solution works because record-level ACLs with condition scripts enforce row-level security by evaluating a script against each record; the condition `current.u_assigned_to == gs.getUserID() || current.u_department == gs.getUser().getDepartment()` ensures users only see records where they are the assigned user or share the same department, while setting the order to 0 makes this ACL evaluate before the default table ACL, effectively overriding it. On the ServiceNow CSA exam, this scenario tests your understanding of ACL evaluation order and the distinction between table-level and record-level ACLs—a common trap is forgetting to uncheck "Requires role" or using a table-level ACL instead. Remember the memory tip: "Record ACLs with conditions are row-level gates; order zero makes them first, no role means the script alone grants access."

SNOW-CSA Application Rules, ACL and Notifications Practice Question

This SNOW-CSA practice question tests your understanding of Application Rules, ACL and Notifications. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

You are a ServiceNow administrator for a large enterprise. The company has a custom application that uses a table 'u_asset_tracking' to track IT assets. The table has a before insert business rule that sets the 'u_assigned_to' field to the current user if the field is empty. Recently, the security team reported that some users are able to view asset records that they should not see. After investigation, you find that the 'u_asset_tracking' table has no ACLs defined, and the default table ACL allows read access to all authenticated users. The business rule is working correctly. You need to restrict read access so that users can only see records where 'u_assigned_to' is themselves or where they are in the same 'u_department' as the record's 'u_department'. You must ensure that the solution does not affect other tables. Which approach should you take?


Correct answer & explanation

Create a new ACL for the 'u_asset_tracking' table with type 'record', operation 'read', condition script 'current.u_assigned_to == gs.getUserID() || current.u_department == gs.getUser().getDepartment()', and set order to 0. Ensure 'Requires role' is unchecked.

Option B is correct because it creates a record-level ACL with a condition script that enforces row-level security: users can only read records where they are the assigned user or share the same department. The order of 0 ensures this ACL is evaluated before the default table ACL, and leaving 'Requires role' unchecked allows the condition to grant access without requiring a specific role, thus restricting read access based solely on the condition.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Modify the default table ACL for the 'u_asset_tracking' table to require the 'asset_user' role.

    Why it's wrong here

    This would require role assignment for all users and does not use the condition.

  • Create a new ACL for the 'u_asset_tracking' table with type 'record', operation 'read', condition script 'current.u_assigned_to == gs.getUserID() || current.u_department == gs.getUser().getDepartment()', and set order to 0. Ensure 'Requires role' is unchecked.

    Why this is correct

    This ACL grants read access only to matching records and, with order 0, takes precedence over the default ACL.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Add a business rule to restrict read access by deleting records from the glide record set.

    Why it's wrong here

    Business rules cannot restrict read access; ACLs are used for that.

  • Create a new ACL for the 'u_asset_tracking' table with type 'record', operation 'read', condition script 'current.u_assigned_to == gs.getUserID()', and require the 'asset_user' role.

    Why it's wrong here

    This does not include department condition and requires a role not all users may have.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often think modifying the default table ACL or adding a role requirement is sufficient, but they miss that record-level ACLs with condition scripts are the correct way to implement row-level security without affecting other tables.

Detailed technical explanation

How to think about this question

Record-level ACLs in ServiceNow are evaluated in order of their 'order' field; a lower order number means higher priority. The condition script runs in the context of the current record (current) and the user session (gs.getUser()), and if it returns true, access is granted without further role checks. The default table ACL (order 100) allows all authenticated users, so a record ACL with order 0 overrides it for matching conditions, effectively creating row-level security.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.




Same concept, more angles

1 more way this is tested on SNOW-CSA

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company wants to block all update operations on the 'problem' table for users with only the 'itil' role, except for the user who created the record. Which ACL configuration should be used?

hard
  • A. Create an ACL with type 'record', operation 'write', role 'itil', condition script 'current.assignment_group == gs.getUser().getMyGroups()', and set 'Requires role' true.
  • B. Create an ACL with type 'record', operation 'write', role 'itil', condition script empty, and uncheck 'Requires role'.
  • C. Create an ACL with type 'record', operation 'write', role 'itil', condition script 'current.created_by != gs.getUserID()', and set 'Requires role' true.
  • D. Create an ACL with type 'record', operation 'write', role 'itil', condition script 'current.created_by == gs.getUserID()', and set 'Requires role' true.

Why C: Option C is correct because it uses a condition script that denies write access to users with the 'itil' role when the current record's creator is not the logged-in user. The ACL type 'record' with operation 'write' and 'Requires role' checked ensures that only users with the 'itil' role are evaluated, and the condition script 'current.created_by != gs.getUserID()' returns true for users who did not create the record, thus blocking their update operations. This matches the requirement to block all updates except for the record creator.

Last reviewed: Jun 11, 2026
