Number of rows removed from this list by Security constraints

ShubhiSharm · ‎07-17-2025

We are encountering an issue with the visibility of documents in the [ds_document] table.

Issue:
A message stating "Number of rows removed from this list by Security constraints: 50" appears on the first page. However, the document that the user is authorized to view is not visible on this page and is instead located on a different page.

Ideally, the document that the user is permitted to view should appear on the first page, and the message regarding the removed rows due to security constraints should be displayed at the end.

**ACLs are working but we need to modify that :Number of rows removed from this list by Security constraints: 50: message go at the last and the documents which user can see should come first

Request:
Could you please advise on what changes or configurations are needed to ensure that the accessible document appears first, and the security message is shown subsequently?

Ankur Bawiskar · ‎07-17-2025

@ShubhiSharm

that's OOTB behavior, the record which user has access can be in 1st page or it could be in last page.

You can use query business rule if you want so that the message "Number of rows" is gone and it will bring all the records in the 1st page itself.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

View solution in original post

Weird · ‎07-17-2025

The ACL works by blocking access, but it doesn't hide the record itself which means that you can sort "see" the record in the list as hidden. It has some to do with how the ACL's work on the list view. Let's say you have 1 000 000 records. You don't want the ACL's to be checked on each (since they don't show up on the same page) so instead you have your selected amount of rows that the ACL's get matched on and the check is much faster. Otherwise you'd spend a lot longer waiting for the list to load as the ACL's would be matched on each of the million records.

Now what you can do is create a Query BR which filters out the records the user is not supposed to see. Then they won't be getting the alert and will have the whole list available for the records they can see.
Do note that this does prevent them from knowing whether they lack access to some records and potentially means that some users, who should have access, will never know that they are lacking some roles or groups that would grant them the necessary access.

View solution in original post

ShubhiSharm · ‎07-17-2025

This Query BR i have written but it is not working:

(function executeRule(current, previous) {

// Add your code here

// Get the current user's assignment groups

var userGroups = [];

var groupGr = new GlideRecord('sys_user_grmember');

groupGr.addQuery('user', gs.getUserID());

groupGr.query();

while (groupGr.next()) {

var groupID = groupGr.getValue('group');

userGroups.push(groupID);

gs.log('User is in group: ' + groupID);

gs.log("helloooo");

}

// Get documents accessible to these groups from the mtom table

var accessibleDocs = [];

if (userGroups.length > 0) {

var accessGr = new GlideRecord('ds_document_ug_can_access_mtom');

accessGr.addQuery('user_group', 'IN', userGroups.join(','));

accessGr.query();

while (accessGr.next()) {

var docID = accessGr.getValue('document'); // Confirm this field name

accessibleDocs.push(docID);

gs.log('Accessible document: ' + docID);

}

// Filter the ds_document query

if (accessibleDocs.length > 0) {

accessGr.addQuery('sys_id', 'IN', accessibleDocs.join(','));

} else {

// No access, return empty result

accessGr.addQuery('sys_id', 'IS', 'EMPTY');

}

})(current, previous);

View solution in original post

Weird · ‎07-17-2025

If you're trying to restrict the document table (ds_document) then you need to add the query rule in there.

The script has accessGr.query(); and then after that it again has accessGr.addQuery near the bottom.
If the last to addQueries are meant for the document table then simply replace the last two with current.

if (accessibleDocs.length > 0) {

current.addQuery('sys_id', 'IN', accessibleDocs.join(','));

} else {

// No access, return empty result

current.addQuery('sys_id', 'IS', 'EMPTY');

}

View solution in original post

GlideFather · ‎07-17-2025

Hi @ShubhiSharm there are records that you are not allowed to see.

It can be ACL, or application access (different scope), or query business rule. Contact the platform owner

———
/* If my response wasn’t a total disaster ↙️ ⭐ drop a Kudos or Accept as Solution ✅ ↘️ Cheers! */

Community Alums · ‎07-17-2025

Hi @ShubhiSharm ,

This is due to access is not allowed to view those records due to ACLs.

Refer this article for more details.

Regards

Anand

Chaitanya ILCR · ‎07-17-2025

Hi @ShubhiSharm ,

Make sure users have the relevant access

https://youtu.be/1x62ZwWb8Ao?si=DaBIr8onpiR4KLpa

You can use access analyzer to debug the ACLs

Regards

Chaitanya

Simon Christens · ‎07-17-2025

Hi,

The reason for this is that no Query business rule apply to filter away records that the user is not allowed to see duo to Access Controls.

For ex. if a Read Access control grants access to only documents that the given user have created (sys_created_by is me) then you need to create a Query Business rule on that table with the same validation.

Take a look at the Incident ACLs and the "incident query" business rule where the users that are end users are only able to see their own incidents.

This way the list will filter away "number of records removed..." so it only contains the records that the given user is able to see.
This is a good article that explains the Query Business rule functionality

https://www.servicenow.com/community/developer-blog/query-business-rules-a-definitive-guide/ba-p/227...