02-10-2025 07:30 AM - edited 02-10-2025 07:46 AM
I have a record producer where users may select from a list of inactive users to revoke their software license if they are no longer with the company.
The variable on the record producer (which is writing to the request table) is a reference variable looking at the sys_user table with a reference qualifier to display inactive users. I can see inactive users while accessing the record producer because I am an Admin, but if I impersonate a regular user, they cannot see inactive users. I need users that are part of the IT Dept (User Group) to be able to select inactive users so they can proceed with revoking software licenses.
I saw that there was a before business rule called [user_query] that controls this, but I don't want to mess with it as it is a high priority file type, so I resorted to using an ACL; thus, I created one for READ on the sys_user table. I set the script to the following:
    if (gs.getUser().isMemberOf('IT Department')) {
        answer = true;
    } else {
        answer = false;
    }
When impersonating, I am still not able to see inactive users. Can someone help me with my ACL?
02-10-2025 07:41 AM
Hello @neil_b
It's mostly due to the OOTB before-query BR on the user table; the BR name is "user query".
I would suggest you add the "user_admin" role to the group "IT Department" and try to check.
Also, for such issues, try the Access Analyzer feature in ServiceNow, which helps you find out what is blocking: an ACL or a BR.
If my response has helped you, hit the helpful button, and if your concern is solved, do mark my response as correct.
Thanks & Regards
Viraj Hudlikar.
02-10-2025 07:51 AM - edited 02-10-2025 08:31 AM
Hi @Viraj Hudlikar thank you for responding so quickly. I figured it was due to the user query, but as I mentioned in my original post, I want to avoid modifying it as it is a high priority file type, and I don't want to grant the user_admin role to the IT Department group. There are actually 5 other groups I need to be able to grant access to view inactive users, so adding that heavy of a role to other groups is undesirable.
I did try the access analyzer method and this is my result. It looks like it's undefined, so it can't find the ACL rule I created.
Am I able to achieve what I'm trying to accomplish by using an ACL with a script, without having to modify the BR or granting admin roles to several groups?
02-10-2025 11:11 AM
Hello @neil_b
Even if you write an ACL, the query BR will come into the picture and will still not allow inactive records to be seen. You will need to modify the BR by adding a condition that checks whether the logged-in user is a member of the group that needs to see inactive records as well.
If my response has helped you, hit the helpful button, and if your concern is solved, do mark my response as correct.
Thanks & Regards
Viraj Hudlikar.
02-13-2025 04:54 AM
Thanks @Viraj Hudlikar you were right, even with the ACL script, it's still being overridden by the user_query BR. I ended up having to just create an entirely new role, and applied it to the other user groups, and then updated the condition on the user_query to accommodate my new role and that seemed to fix it. While this isn't a preferred solution, it will work temporarily, and I will venture down other avenues to find a long-term solution. I appreciate your assistance with this, it was incredibly helpful!
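The outcome of this thread as an added example (not code from any poster and not ServiceNow's own script): a plain JavaScript model of why a permissive read ACL cannot bring back rows that a before-query business rule has already filtered out, and how a role exemption in the rule's condition changes the result. The sample rows, the role name `view_inactive_users` and the function names are assumptions; the exemption for `admin` and `user_admin` is taken from what the thread describes.

```javascript
// Constructed sample rows standing in for sys_user.
const SYS_USER = [
  { user_name: 'alice', active: true },
  { user_name: 'bob', active: false },
  { user_name: 'carol', active: false },
];

// Hypothetical role name; the thread does not name the role that was created.
const VIEW_INACTIVE_ROLE = 'view_inactive_users';

// Model of a before-query rule: it can only ADD conditions to the query.
// "patched" models the condition change described in the last post.
function userQueryRule(session, conditions, patched) {
  const exempt = session.roles.includes('admin') ||
    session.roles.includes('user_admin') ||
    (patched && session.roles.includes(VIEW_INACTIVE_ROLE));
  if (session.interactive && !exempt) {
    conditions.push(row => row.active === true); // active users only
  }
}

// Model of the read ACL from the question: group membership grants read.
function readAcl(session) {
  return session.roles.includes('admin') ||
    session.groups.includes('IT Department');
}

// Order modeled: the rule narrows the row set first, then the ACL is
// checked on what is left. The ACL can hide rows but never add them back.
function listUsers(session, { patched = false } = {}) {
  const conditions = [];
  userQueryRule(session, conditions, patched);
  return SYS_USER
    .filter(row => conditions.every(cond => cond(row)))
    .filter(() => readAcl(session))
    .map(row => row.user_name);
}

// Constructed sessions.
const itStaff = { interactive: true, roles: [], groups: ['IT Department'] };
const itWithRole = { ...itStaff, roles: [VIEW_INACTIVE_ROLE] };

console.log(listUsers(itStaff));                        // ACL passes, rule filters
console.log(listUsers(itWithRole, { patched: true }));  // rule exempts the role
```

Granting the exemption through a narrow role keeps `user_admin` off the groups, which is the least-privilege concern raised in the thread.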