How do I debug ACL?
2 hours ago
Hello,
How do I debug an ACL when it is only affecting a certain group of people on the assigned_to field on the sc_task table?
We have ACLs configured for multiple applications on that table.
Thanks in advance
2 hours ago
Hi @Dk nov,
1. Turn on ACL Debugging
- There’s a built‑in tool called *Debug Security Rules*. Switch it on, then try to access the task as one of the affected users.
- It will show you exactly which rule is saying “yes” or “no.”
2. Check if the field itself has special rules
- ACLs can be set on the whole table (`sc_task`) or just one field (`assigned_to`).
- Even if the table allows access, a field ACL can still block it.
3. Look at the conditions
- Some ACLs only allow access if you’re in a certain role or group.
- Others use scripts that might be excluding certain people.
- Read through the conditions and scripts to see if they match the groups who are having trouble.
4. Compare roles and groups
- Make sure the users who can’t see the field have the same roles as those who can.
- If the ACL is role‑based, missing one role is enough to block access.
5. Watch out for conflicts
- If you have ACLs from different applications, they all get checked.
- If *any one* of them says “deny,” that wins — even if others say “allow.”
6. Test by impersonating
- Use the “Impersonate User” option to log in as someone from the affected group.
- Try the same action and see what happens.
- Compare with a user who has access — that helps you spot what’s different.
2 hours ago
Hi @Dk nov
Enable Debug Security Rules and check, or else kindly check the scripted condition,
or
verify roles inherited via groups and review any scripted ACL logic or scoped application ACLs that may restrict access.
Chandan
an hour ago
I ran into this a few times and ACL debugging in ServiceNow can be frustrating at first. What helped me most was turning on the security debug and watching which rule actually blocks access. I also check table, field, and script ACLs separately, since it’s rarely just one thing. Once I slowed down and followed the evaluation order, the issue usually became obvious.
an hour ago
Hi,
To debug ACL issues on the assigned_to field in sc_task:
Enable ACL Debugging
Go to System Security > Debugging > Debug Security Rules. This shows which ACLs are evaluated and whether they return true or false.
Check Table vs Field ACLs
ACLs can apply to the whole table or just the field. A field ACL can block access even if the table ACL allows it.
Review Conditions and Scripts
Look for role-based or group-based conditions, and check any scripts that might exclude certain users.
Compare Roles and Groups
Make sure affected users have the same roles as those who can access the field. Missing one role can cause denial.
Watch for Conflicts
Multiple ACLs apply. If any ACL denies access, that overrides all allows.
Test by Impersonating
Use Impersonate User to reproduce the issue as an affected user and compare with a user who has access.
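
The "compare roles and groups" step from the answers above can be done offline once the ACL records and the two users' role lists are written down. The sketch below is an added example, not code from any poster or from ServiceNow: the ACL records, the role names and the helper functions are all constructed for illustration, and it assumes a role requirement is met when the user holds any one of the listed roles.

```javascript
// Added example: constructed data, not exported from a real instance.
// Each ACL record: name, operation, required roles, and whether it carries a
// condition or script (those need manual review; roles alone cannot explain them).
const sampleAcls = [
  { name: 'sc_task', operation: 'write', roles: ['itil'], condition: false, script: false },
  { name: 'sc_task.assigned_to', operation: 'write', roles: ['app_a_fulfiller'], condition: false, script: false },
  { name: 'sc_task.assigned_to', operation: 'write', roles: ['app_b_fulfiller'], condition: true, script: true },
  { name: 'sc_task.assigned_to', operation: 'read', roles: [], condition: false, script: false },
  { name: 'incident.assigned_to', operation: 'write', roles: ['itil'], condition: false, script: false },
];

// ACL names that can cover table.field: the table rule, the wildcard field
// rule, and the field-specific rule.
function candidateNames(table, field) {
  return new Set([table, `${table}.*`, `${table}.${field}`]);
}

// For every ACL covering table.field and the given operation, report whether
// each user meets the role requirement and which roles the affected user lacks.
function compareAclRoles(acls, table, field, operation, affectedRoles, workingRoles) {
  const names = candidateNames(table, field);
  // Assumption: an empty role list passes, otherwise any one listed role is enough.
  const holdsAny = (userRoles, required) =>
    required.length === 0 || required.some((r) => userRoles.includes(r));
  return acls
    .filter((a) => names.has(a.name) && a.operation === operation)
    .map((a) => ({
      name: a.name,
      requiredRoles: a.roles,
      affectedMeetsRoles: holdsAny(affectedRoles, a.roles),
      workingMeetsRoles: holdsAny(workingRoles, a.roles),
      missingForAffected: a.roles.filter((r) => !affectedRoles.includes(r)),
      needsManualReview: a.condition || a.script,
    }));
}

// ACLs where the role requirement alone separates the two users.
function roleDifferences(report) {
  return report.filter((r) => r.workingMeetsRoles && !r.affectedMeetsRoles);
}

// Hypothetical users: one from the affected group, one who has access.
const report = compareAclRoles(sampleAcls, 'sc_task', 'assigned_to', 'write',
  ['itil', 'app_b_fulfiller'], ['itil', 'app_a_fulfiller']);
console.log(JSON.stringify(roleDifferences(report), null, 2));
```

Rows flagged `needsManualReview` are the ones to read through by hand, since a condition or script can exclude a user who holds the right role.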