Having issues setting up read only access to incident with sn_incident_read role and ACL

ServNowDev
Tera Guru

My instance does not have the sn_incident_read role or ACLs, and we do not want to utilize the itil role. So I imported the OOB ACL for read access that is connected to the sn_incident_read role, imported the roles, gave it to a test user, and still was not able to see the incident table. Am I missing something? Screenshots below.

 

[Screenshot: ACL]

[Screenshot: Role assignment]

[Screenshot: access view of incident list (this table has 1000s of records btw)]

 

 

1 ACCEPTED SOLUTION

Bhimashankar H
Mega Sage

Hey @ServNowDev ,

 

When you import the out-of-box (OOB) ACL for read access to Incident (connected to the sn_incident_read role), import the roles, assign them to a user, yet still cannot see the Incident table, there are several key areas to check. Here’s what you might be missing:

 

1. Required plugins and Role Hierarchy 

  • The sn_incident_read role and its ACLs are not present by default on all instances. They arrive with the ITSM Roles — Incident Management plugin (com.snc.itsm.roles.incident_management). If your instance is missing this plugin or its dependencies, the related roles and ACLs might not function as expected.

  • You must install or activate the ITSM Roles plugin to ensure all dependencies are set up properly. Importing roles and ACLs alone may miss plugin logic or parent roles.

2. ACL Coverage: Table and Field Level.

  • The main "read" ACL for incident (table) is only part of the story. Incident fields also have individual field-level read ACLs—so even if the table shows up, fields might not render unless your user has access to each one.

  • If the test user can see the Incident table but not any fields, review and import the field-level read ACLs for Incident. Otherwise, the form/list will appear empty.

  • If your instance uses customized ACLs or business rules (especially "incident query" or data filtering), ensure nothing blocks users with sn_incident_read from being included in Incident queries.

 

Use the Security Debugger: As an admin, go to Diagnostics > Debug Security. Impersonate the test user and revisit the Incident list—at the bottom, you'll see exactly which ACL is blocking access.

  • You likely need to activate the ITSM Roles—Incident Management plugin to fully enable the sn_incident_read role and ACL structure, not just import them.

  • Ensure all table and field-level ACLs have been included and linked correctly.

  • After making changes, log out and in to refresh the user's role cache; test both table and field access.

 

Thanks,
Bhimashankar H

 

-------------------------------------------------------------------------------------------------
If my response points you in the right directions, please consider marking it as 'Helpful' & 'Correct'. Thanks!
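
The checklist in the accepted answer, as an added example that is not part of the original posts and not ServiceNow's own code: a plain JavaScript check over constructed rows shaped like simplified exports of sys_user_role, sys_user_has_role, sys_security_acl and sys_security_acl_role. The sample rows, sys_ids, user name and the function name `auditReadAccess` are assumptions, and the check ignores ACL conditions, scripts, and parent-table or wildcard ACLs.

```javascript
// Constructed sample rows shaped like exports of the ACL-related tables.
// Every sys_id and the user name are made up for illustration.
const sample = {
  roles: [{ sys_id: "r1", name: "sn_incident_read" }],        // sys_user_role
  userRoles: [{ user: "test.user", role: "r1" }],             // sys_user_has_role
  acls: [                                                     // sys_security_acl
    { sys_id: "a1", name: "incident", operation: "read", active: true },
    { sys_id: "a2", name: "incident.*", operation: "read", active: true },
  ],
  aclRoles: [                                                 // sys_security_acl_role
    { acl: "a1", role: "r1" },
    { acl: "a2", role: "r9" }, // field ACL points at a role that was not imported
  ],
};

// Returns the list of gaps for read access on `table` via `roleName`.
// Simplified: ignores ACL conditions, scripts, parent-table and wildcard ACLs.
function auditReadAccess(data, user, table, roleName) {
  const role = data.roles.find((r) => r.name === roleName);
  if (!role) return [`role ${roleName} does not exist`];

  const findings = [];
  const holdsRole = data.userRoles.some(
    (ur) => ur.user === user && ur.role === role.sys_id
  );
  if (!holdsRole) findings.push(`${user} does not hold ${roleName}`);

  // Table-level ACL first, then the field-level wildcard ACL.
  for (const aclName of [table, `${table}.*`]) {
    const active = data.acls.filter(
      (a) => a.name === aclName && a.operation === "read" && a.active
    );
    if (active.length === 0) {
      findings.push(`no active read ACL named ${aclName}`);
      continue;
    }
    const linked = active.some((a) =>
      data.aclRoles.some((l) => l.acl === a.sys_id && l.role === role.sys_id)
    );
    if (!linked) findings.push(`read ACL ${aclName} is not linked to ${roleName}`);
  }
  return findings;
}

console.log(auditReadAccess(sample, "test.user", "incident", "sn_incident_read"));
```

An empty result only means these records are consistent; the Security Debugger output still decides which ACL actually blocks the user.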

3 REPLIES

Swapna Abburi
Mega Sage

Hi @ServNowDev 

Instead of importing read roles and ACLs manually from an OOTB instance, you need to request your ServiceNow account manager to activate the "ITSM Roles plugin (com.snc.itsm.roles)", which installs business stakeholder, read and write roles for the incident, change, problem and request management modules along with the corresponding ACLs.


ServNowDev
Tera Guru

Thanks all. Just taking a look at my PDI and I'm not seeing the ITSM Roles plugin, but I know it's there because the roles are installed and working. Is there somewhere else I should look to show that they are installed? com.snc.itsm.roles.incident_management

[Screenshot]