The getShippingAddress API checks the ACL on the user level and not on the field level - Support and Troubleshooting

The getShippingAddress API checks the ACL on the user level and not on the field level Issue The getShippingAddress API checks the ACL on the user level only, it does not check ACLs at the field level. If the user making the API call has access to the User[sys_user] record then the API fetches the entire address without checking acls on individual fields. This is because the getShippingAddress API is a cartJS API and it is intuitive that if the user level ACL is passed then all the address fields can be accessed.

Release All ServiceNow releases