Amarjeet Pal
Kilo Sage
1. Why External Users Can’t See Reference Values (Even If Table Read ACL Is Granted)

ServiceNow’s Access Control List (ACL) system determines access at:

 

  • Table level
  • Record level
  • Field level
  • Operation level (including special ops like query_range)
  • UI Page level (for platform pages backing a portal widget)

 

Even if you configure a Table Read ACL, reference lookups in catalog items rely on additional mechanisms. The Service Portal does not simply query the table directly—it goes through an internal API, typically behind:

angular.do?sysparm_type=sp_ref_list_data

 

This internal API enforces its own security rules, including:

 

  • Table READ ACL
  • Field‑level READ ACL on the display field
  • query_range ACL (critical for portal lookups)
  • Domain separation rules (if enabled)
  • Any reference qualifier logic
  • Widget or UI page role restrictions

 

This means a table READ ACL alone will not make reference values visible to snc_external.

2. Required ACL #1 — Table READ ACL (Baseline Access)

This is the ACL most developers configure first:

 

  • Type: record
  • Operation: read
  • Table: e.g., cmn_location
  • Role: snc_external
  • Domain: restricted to the user’s domain (if domain separation enabled)

 

This ensures the user can access table records when queried normally — for example, list views.

However, catalog reference variables do NOT rely solely on table READ ACLs.

3. Required ACL #2 — UI Page READ ACL (Prevents Security Constraint Redirects)

Service Portal widgets (including reference lookups) rely on multiple internal UI pages.

If snc_external lacks READ access to these UI pages, they experience:

 

  • Security constraint errors
  • Forced redirects to blocked pages
  • Empty reference dropdowns

 

This occurs because the portal backend uses UI Pages that internally render or access metadata for:

 

  • List views
  • Ref lookup formatting
  • sys_ui_page constructs
  • Query builder components

 

Without UI Page read access, the portal fails silently and simply returns empty result sets.

4. Required ACL #3 — The Critical query_range ACL

This is the most misunderstood part, and the missing link in almost all failed implementations.

Why query_range matters

When a reference variable in Service Portal performs a lookup, it uses a special query mode called query_range, which is more restrictive than normal table queries.

If an ACL for query_range is not present, ServiceNow blocks the lookup — even if the user has table READ access.

The result:

  • Reference variable → “No results”
  • Platform list view → Works

This difference is by design.

How to fix it

Create:

 

  • Type: record
  • Name: cmn_location.None
  • Operation: query_range
  • Role: snc_external
  • Condition/script: restrict to user’s domain (recommended)

 

Once this ACL is added, the Service Portal is allowed to return paged, partial, incremental data sets — which is exactly how reference lookups fetch data.

5. Reference Qualifiers Can Still Block Results

Even with all the ACLs configured, the reference variable may still show no results if:

 

  • Simple qualifiers reference fields not readable by external users
  • Advanced qualifiers call a Script Include that external users cannot execute
  • Dynamic qualifiers reference data external users cannot read
  • Domain separation places the data in a domain external users cannot access

 

Because reference qualifiers run as the logged‑in user, the user must have:

 

  • READ ACL on any fields used in the qualifier
  • READ ACL on any tables queried by script includes
  • EXECUTE ACL on the script include (if client callable)

 

6. Domain Separation Adds Another Layer of Filtering

When domain separation is enabled:

 

  • A user sees only records in their domain
  • Or in domains explicitly shared to them
  • Or global (but global exposure is discouraged in MSP environments)

 

Even if ACLs allow it, domain filtering can still result in zero visible rows.

This aligns with ServiceNow documentation on data separation and domain hierarchy behavior.

7. In Summary — The Three ACLs You MUST Have

| ACL Type | Why It's Needed |
|---|---|
| 1. Table READ ACL | Enables basic record visibility |
| 2. UI Page READ ACL | Prevents portal security constraint failures |
| 3. query_range ACL | Allows portal reference lookups to return results |

Without all three, snc_external users will always see “No results” in catalog reference variables — even if list views work.
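The checklist above can be turned into a small audit over exported ACL rows. This is an added example, not code from the original post or from ServiceNow: the row shape, the sample data and the UI page name `example_ref_page` are constructed assumptions, and the field-level rule is a simplification noted in the comments.

```javascript
// Added example (not ServiceNow code). Rows are a simplified, constructed
// view of ACL records: {type, name, operation, roles, active}.
const SAMPLE_ACLS = [
  { type: "record", name: "cmn_location", operation: "read", roles: ["snc_external"], active: true },
  { type: "ui_page", name: "example_ref_page", operation: "read", roles: ["snc_external"], active: true },
  { type: "record", name: "cmn_location.name", operation: "read", roles: ["itil"], active: true },
  { type: "record", name: "cmn_location", operation: "query_range", roles: ["snc_external"], active: false },
];

// Active ACLs of the given type/operation whose name is in `names`.
function matching(acls, type, names, operation) {
  return acls.filter(a => a.active !== false && a.type === type &&
    a.operation === operation && names.includes(a.name));
}

// True when at least one matching ACL lists the role.
function grants(acls, type, names, operation, role) {
  return matching(acls, type, names, operation)
    .some(a => (a.roles || []).includes(role));
}

// uiPages: names of the UI pages backing the widget (caller-supplied; the
// article does not name them). displayField: the reference's display field.
function auditReferenceAccess(acls, table, displayField, uiPages, role = "snc_external") {
  const tableNames = [table, `${table}.None`]; // table-level ACL (field = None)
  const missing = [];
  if (!grants(acls, "record", tableNames, "read", role))
    missing.push(`record/read on ${table}`);
  for (const page of uiPages)
    if (!grants(acls, "ui_page", [page], "read", role))
      missing.push(`ui_page/read on ${page}`);
  if (!grants(acls, "record", tableNames, "query_range", role))
    missing.push(`record/query_range on ${table}`);
  // Assumption: a field-level read ACL blocks only when one exists for the
  // display field and none of them lists the role.
  const field = `${table}.${displayField}`;
  if (matching(acls, "record", [field], "read").length > 0 &&
      !grants(acls, "record", [field], "read", role))
    missing.push(`record/read on ${field}`);
  return missing;
}

console.log(auditReferenceAccess(SAMPLE_ACLS, "cmn_location", "name", ["example_ref_page"]));
```

In the sample data the query_range ACL exists but is inactive, which reproduces the "list view works, portal shows No results" symptom from section 4.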

Appendix: https://www.servicenow.com/docs/r/platform-security/access-control/t_ProvideExternalUsersAccessToTab...