
Insufficient Access for query_match and query_range on sys_user_grmember in Test Instance

AnjaniK
Tera Contributor

Hello Team,

I’m facing an issue in our test instance (not in dev) when working with a custom table that extends Task.

When users try to select a value in the Assign To field (after choosing an Assignment Group), the following error appears:

 

Part of the query on sys_user_grmember has been ignored because of insufficient access for 'query_match' operation on sys_user_grmember.group
Part of the query on sys_user has been ignored because of insufficient access for 'query_range' operation on sys_user_grmember.user

 

What I’ve Tried

- Attempted to create ACLs for query_match and query_range on sys_user_grmember, sys_user, and sys_user_group.
- However, when creating ACLs, the group and user fields do not appear in the field picker.
- Compared ACLs between dev and test — dev works fine, test throws the error.

Question

- What is the correct way to configure ACLs so that the Assign To lookup works again?
- Should I create query ACLs on sys_user, sys_user_group, and sys_user_grmember with roles like itil or admin?
- Is there a recommended best practice for aligning ACLs between dev and test to avoid this mismatch?

Any guidance or examples would be greatly appreciated!

Thanks in advance,
Anjani kumar

1 REPLY 1

Matthew_13
Mega Sage

Hi my Friend, 

The error indicates that the Assign To lookup is trying to query the sys_user_grmember table to filter users by Assignment Group, but in your test instance the user does not have sufficient query access to that table. Because of this, part of the filter is ignored and the lookup fails.

For query access, it’s normal that you don’t see the group or user fields in the ACL field picker. Query ACLs are created at the table level, not field level.

To restore the lookup, start by checking:

  • whether the affected users in test have the same roles as in dev (this is the most common cause)

  • whether there are any additional or restrictive ACLs in test on sys_user_grmember, sys_user, or sys_user_group that don’t exist in dev.

If ACLs do need to be added, the typical approach is to ensure the relevant roles (for example, itil or your fulfiller role) have:

  • table-level query access on sys_user_grmember, and

  • table-level read access where required.

Best practice really is to align ACLs between dev and test through normal promotion (update sets/app deployment) rather than creating instance-specific changes, so environments don't drift.

A quick way to pinpoint the exact issue is to impersonate a user in test and enable Debug Security Rules, then try the Assign To lookup again. The debug output will show exactly which ACL is blocking access.

 

@AnjaniK - If my answer helped you, please mark Solution Accepted and Thumbs Up

MJG
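
The dev-versus-test ACL comparison suggested in the reply above, as an added example that is not part of the original thread and is not ServiceNow code. It assumes ACL records from each instance were exported to objects of the hypothetical shape {name, operation, active, roles}; the sample rows are constructed.

```javascript
// Added example, not ServiceNow code. The record shape {name, operation,
// active, roles} is an assumed export of sys_security_acl rows plus their
// role links; all sample rows below are constructed.
const TABLES = ['sys_user_grmember', 'sys_user', 'sys_user_group'];

// Index active ACLs on the lookup tables by "name|operation". Several ACLs
// may share a key, so each key maps to a sorted list of role sets.
function indexAcls(acls) {
  const idx = new Map();
  for (const a of acls) {
    const table = a.name.split('.')[0];
    if (!a.active || !TABLES.includes(table)) continue;
    const key = `${a.name}|${a.operation}`;
    const roleSets = idx.get(key) || [];
    roleSets.push([...a.roles].sort().join(','));
    idx.set(key, roleSets.sort());
  }
  return idx;
}

// Report ACLs present on one side only, and ACLs whose roles differ.
function diffAcls(devAcls, testAcls) {
  const dev = indexAcls(devAcls);
  const test = indexAcls(testAcls);
  const onlyInDev = [...dev.keys()].filter(k => !test.has(k)).sort();
  const onlyInTest = [...test.keys()].filter(k => !dev.has(k)).sort();
  const roleMismatch = [...dev.keys()]
    .filter(k => test.has(k) && dev.get(k).join(';') !== test.get(k).join(';'))
    .sort()
    .map(k => ({ key: k, dev: dev.get(k), test: test.get(k) }));
  return { onlyInDev, onlyInTest, roleMismatch };
}

// Constructed sample exports.
const devExport = [
  { name: 'sys_user_grmember', operation: 'query_match', active: true, roles: ['itil'] },
  { name: 'sys_user_grmember', operation: 'query_range', active: true, roles: ['itil'] },
  { name: 'sys_user', operation: 'read', active: true, roles: [] },
  { name: 'incident', operation: 'read', active: true, roles: ['itil'] },
];
const testExport = [
  { name: 'sys_user_grmember', operation: 'query_match', active: false, roles: ['itil'] },
  { name: 'sys_user_grmember', operation: 'query_range', active: true, roles: ['admin'] },
  { name: 'sys_user_group', operation: 'query_range', active: true, roles: ['user_admin'] },
  { name: 'sys_user', operation: 'read', active: true, roles: [] },
];

console.log(JSON.stringify(diffAcls(devExport, testExport), null, 2));
```

Entries under onlyInDev and roleMismatch are the first candidates to check with Debug Security Rules, since they mark access that dev grants and test does not.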