How to determine the records/tables that are restricted in the list?

Rain Vaine

Hello experts,

Do you know of any fast way to determine the records that are restricted in a table? For example, in the sys_attachment table, there are a lot of reference tables that show, and there are also a lot of records that are restricted.

Aside from doing debug security, are there any faster methods to determine what those restricted records are?
Additionally, if an OOB ACL for a certain table is only available for maint, is it best practice to avoid creating a custom ACL that will override the OOB ACL with maint role?
For example in this ACL, it was only applicable for users with maint role. Is it best practice to not create a custom ACL without the maint role?

Regards,
Vaine



3 REPLIES

ShubhamGarg

Hello @Rain Vaine,

Starting with the Vancouver release, you can check access privileges for a given resource using Access Analyzer. It will show exactly where it is granting or blocking access (all ACLs and Query BR info related to the given resource: record, table, etc.).

Path - Application Navigator -> Access Analyzer -> Analyze Permissions.

If it is not already installed, you can go to plugins and install it. It is free of cost and there are no special roles required to install it. Nor does it have an impact on the instance if you install it.

If my response helps you in any way, kindly mark it as Accepted Solution/Helpful and help in closing this thread.

Regards,

Shubham

Hello,

I just checked it, but it seems it only gives an analysis of a certain table. It doesn't really point to the records that are hidden via the security restrictions.

Regards,
Vaine

Hello @Rain Vaine,

This is intended behaviour for Access Analyzer. The record for which access has to be checked must be mentioned there.

Regarding the ACL snapshot you provided, it seems to be an out-of-box ACL specific to the Licensing Engine application. That is why those records are only accessible to the "maint" role. No action is required for those records. This is the same in all PDIs and customer instances.

Note - The records which are accessible to maint role users are not visible to admins. The maint role is assigned to ServiceNow HI team users only.

If my response helps you in any way, kindly mark it as Accepted Solution/Helpful and help in closing this thread.

Regards,

Shubham