Within ServiceNow, anyone can go to any table by manipulating the URL or via the navigation menu.
I.E, if you want to go to the incident table, even if you haven’t access to the incident module, you can just:
- go directly via the url: https://sn-instance.com/incident_list.do or https://sn-instance.com/incident.do
- in the navigation menu search bar, type incident.list or incident.do
Having ACLs in place makes sure that the actions that you don’t want to happen don’t happen (create, write, read, delete). However, what if you just want to stop navigating to that URL in the first place?
You can stop users getting to the page via the navigation menu by editing the ‘NavFilterExtension’ UI Script (it has very good comments in there and easy to edit to do what you want).
I accidentally stumbled across a neater solution, again using ACLs.