Assessing App Engine User Licenses Based on CRUD Rights Against Custom Tables

In this article, we outline the process of assessing and categorizing App Engine user licenses (requester, business stakeholder, and fulfiller) based on their CRUD (Create, Read, Update, Delete) rights against records stored in custom tables. This categorization applies to custom tables in the Custom Table Inventory on PROD instances, both those mapped to App Engine and those not mapped to any subscription.

App Engine License Categories and Definitions

Requester License: Typically for users who create and manage their own records. Limited to interacting primarily with their own data.

Business Stakeholder License: Designed for users who need broad read access to data across the system for approval actions only. Suitable for users who require visibility into various records, without altering them, to complete approvals.

Fulfiller License: Intended for users who actively manage and fulfill tasks across the system. Includes extensive write permissions on any record.

Assessment Logic Based on Table Types

1. For task-extended tables, the categorization is determined as follows:

Requester License:
- Rights: "read/write own"
- These users can only read and write the records they own, making them suitable for the requester license.

Business Stakeholder License:
- Rights: "read all" or "approve all"
- Users with read access to all records in these tables qualify as business stakeholders, allowing them to view all data without making changes.

Fulfiller License (FF):
- Rights: "write any"
- Users who have write access to all records are classified as fulfillers, as they need the ability to modify any record in the table.

2. For non-task-extended tables (e.g., tables used for lookup only), the categorization is determined as follows. Note that business stakeholder roles are not common for this use case:

Requester License:
- Rights: "read/write own" or "read all"
- Users with the ability to read and write their own records or read all records fall under the requester license. This reflects the typical needs of requesters, who might need to access a wider range of data but not modify it, such as looking up a reference value from a lookup table.

Fulfiller License (FF):
- Rights: "write any"
- Users with write permissions on all records are categorized as fulfillers, as they are responsible for managing and updating the records comprehensively.

Conclusion

Understanding and correctly categorizing user licenses based on CRUD rights against custom tables is crucial for managing permissions and ensuring that users have the appropriate level of access for their roles. By following the outlined logic, you can effectively determine whether a user qualifies for a requester, business stakeholder, or fulfiller license, thus maintaining a secure, efficient, and compliant system.

Additional resources

In ServiceNow, CRUD rights are defined in ACLs. It is important that ACLs are implemented in ways that reflect the intended roles of the users. For best practices, please review:
- ACLs for requesters to update their own records (Forum post)
- Best practice guidance on securing your data including using ACLs (webcast)