ACL Write Access Works for role but not for group

Deepika Mishra · ‎06-02-2025

Hi everyone,

I'm facing an issue with a record-level ACL on the contract_rel_ci table in ServiceNow. The ACL is intended to allow write access for both users with the contract_manger role and users who are part of the Portfolio Managers group.

Here’s what I’ve tried so far:

ACL 1 (OOB)

Type: Record
Operation: Write
Name: contract_rel_ci
Role: contract_manager

ACL 2 (OOB)

Type: Record
Operation: Write
Name: contract_rel_ci.*
Role: contract_manager

ACL 3 (Scripted)

Type: Record
Operation: Write
Name: contract_rel_ci.*
Role: snc_internal (added by default)
Advanced: Checked
Script:

var answer = getAnswer();

function getAnswer() {
    var portfolioManagerGroupId = "Portfolio Managers group sys_id"; 

    var grMember = new GlideRecord('sys_user_grmember');
    grMember.addQuery('user', gs.getUserID());
    grMember.addQuery('group', portfolioManagerGroupId);
    grMember.query();
    if (grMember.next()) {
        return true;
    }

    return false;
}

Issue:
- The ACL works perfectly for users with the contract_manager role.
- However, it does not grant write access to users in the Portfolio Managers group, even though the script should return true.
- Also note that I tried combining the write ACL for contract_rel_ci.* to check both role and group in one place but it didn't work for either in that case. Hence, kept the OOB as it is.

Any help or suggestions would be greatly appreciated!

Thanks in advance!

Anirudha Bhanda · ‎06-03-2025

There might be a none write access missing for Portfolio Managers Group. That is my assumption.

View solution in original post

J Siva · ‎06-02-2025

Hi @Deepika Mishra

You must first grant table-level access to the "Portfolio Managers" group.

Your custom ACL will validate only field-level access. According to the ACL execution flow, the user must first pass the table-level ACL (contract_rel_ci.None), followed by the field-level ACL (contract_rel_ci.*).

Based on the current ACL configuration, members of the Portfolio Managers group are not passing the table-level ACL.
If you don't want to modify the OOB ACL, then create one more scripted ACL as below

ACL 4 (Scripted)

Type: Record
Operation: Write
Name: contract_rel_ci
Role: snc_internal (added by default)
Advanced: Checked
Script:

answer = gs.getUser().isMemberOf('Group Name');

Regards
Siva

SANDEEP DUTTA · ‎06-02-2025

Hi @Deepika Mishra ,

On the contract_rel_ci table , the script should be something like below:

(function() {
var userHasRole = gs.hasRole('contract_manager'); // Checks if user has the contract_manager role
var userInGroup = gs.getUser().isMemberOf('Portfolio Managers'); // Checks if user is in Portfolio Managers group

// Grant access if the user meets either condition
if (userHasRole || userInGroup) {
answer = true;
} else {
answer = false;
}
})();

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if i could help you.

Ankur Bawiskar · ‎06-02-2025

@Deepika Mishra

if you expect script to return true, did you add logs and see?

Have only 1 table level WRITE and table.* WRITE.

Keep same script in both

Any other ACL is blocking?

Did you use access analyzer and see?

You can reduce your script like this and add role contract_manger in roles section

answer = gs.getUser().isMemberOf('Group SysId');

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

Anirudha Bhanda · ‎06-03-2025

There might be a none write access missing for Portfolio Managers Group. That is my assumption.

ACL Write Access Works for role but not for group

Issue: