Number of rows removed from this list by Security constraints

ShubhiSharm · ‎07-17-2025

We are encountering an issue with the visibility of documents in the [ds_document] table.

Issue:
A message stating "Number of rows removed from this list by Security constraints: 50" appears on the first page. However, the document that the user is authorized to view is not visible on this page and is instead located on a different page.

Ideally, the document that the user is permitted to view should appear on the first page, and the message regarding the removed rows due to security constraints should be displayed at the end.

**ACLs are working but we need to modify that :Number of rows removed from this list by Security constraints: 50: message go at the last and the documents which user can see should come first

Request:
Could you please advise on what changes or configurations are needed to ensure that the accessible document appears first, and the security message is shown subsequently?

Ankur Bawiskar · ‎07-17-2025

@ShubhiSharm

that's OOTB behavior, the record which user has access can be in 1st page or it could be in last page.

You can use query business rule if you want so that the message "Number of rows" is gone and it will bring all the records in the 1st page itself.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

View solution in original post

Weird · ‎07-17-2025

The ACL works by blocking access, but it doesn't hide the record itself which means that you can sort "see" the record in the list as hidden. It has some to do with how the ACL's work on the list view. Let's say you have 1 000 000 records. You don't want the ACL's to be checked on each (since they don't show up on the same page) so instead you have your selected amount of rows that the ACL's get matched on and the check is much faster. Otherwise you'd spend a lot longer waiting for the list to load as the ACL's would be matched on each of the million records.

Now what you can do is create a Query BR which filters out the records the user is not supposed to see. Then they won't be getting the alert and will have the whole list available for the records they can see.
Do note that this does prevent them from knowing whether they lack access to some records and potentially means that some users, who should have access, will never know that they are lacking some roles or groups that would grant them the necessary access.

View solution in original post

ShubhiSharm · ‎07-17-2025

This Query BR i have written but it is not working:

(function executeRule(current, previous) {

// Add your code here

// Get the current user's assignment groups

var userGroups = [];

var groupGr = new GlideRecord('sys_user_grmember');

groupGr.addQuery('user', gs.getUserID());

groupGr.query();

while (groupGr.next()) {

var groupID = groupGr.getValue('group');

userGroups.push(groupID);

gs.log('User is in group: ' + groupID);

gs.log("helloooo");

}

// Get documents accessible to these groups from the mtom table

var accessibleDocs = [];

if (userGroups.length > 0) {

var accessGr = new GlideRecord('ds_document_ug_can_access_mtom');

accessGr.addQuery('user_group', 'IN', userGroups.join(','));

accessGr.query();

while (accessGr.next()) {

var docID = accessGr.getValue('document'); // Confirm this field name

accessibleDocs.push(docID);

gs.log('Accessible document: ' + docID);

}

// Filter the ds_document query

if (accessibleDocs.length > 0) {

accessGr.addQuery('sys_id', 'IN', accessibleDocs.join(','));

} else {

// No access, return empty result

accessGr.addQuery('sys_id', 'IS', 'EMPTY');

}

})(current, previous);

View solution in original post

Weird · ‎07-17-2025

If you're trying to restrict the document table (ds_document) then you need to add the query rule in there.

The script has accessGr.query(); and then after that it again has accessGr.addQuery near the bottom.
If the last to addQueries are meant for the document table then simply replace the last two with current.

if (accessibleDocs.length > 0) {

current.addQuery('sys_id', 'IN', accessibleDocs.join(','));

} else {

// No access, return empty result

current.addQuery('sys_id', 'IS', 'EMPTY');

}

View solution in original post

Ankur Bawiskar · ‎07-17-2025

@ShubhiSharm

that's OOTB behavior, the record which user has access can be in 1st page or it could be in last page.

You can use query business rule if you want so that the message "Number of rows" is gone and it will bring all the records in the 1st page itself.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

AmaroSV · ‎07-18-2025

Thanks for your help

Weird · ‎07-17-2025

The ACL works by blocking access, but it doesn't hide the record itself which means that you can sort "see" the record in the list as hidden. It has some to do with how the ACL's work on the list view. Let's say you have 1 000 000 records. You don't want the ACL's to be checked on each (since they don't show up on the same page) so instead you have your selected amount of rows that the ACL's get matched on and the check is much faster. Otherwise you'd spend a lot longer waiting for the list to load as the ACL's would be matched on each of the million records.

Now what you can do is create a Query BR which filters out the records the user is not supposed to see. Then they won't be getting the alert and will have the whole list available for the records they can see.
Do note that this does prevent them from knowing whether they lack access to some records and potentially means that some users, who should have access, will never know that they are lacking some roles or groups that would grant them the necessary access.

ShubhiSharm · ‎07-17-2025

This Query BR i have written but it is not working:

(function executeRule(current, previous) {

// Add your code here

// Get the current user's assignment groups

var userGroups = [];

var groupGr = new GlideRecord('sys_user_grmember');

groupGr.addQuery('user', gs.getUserID());

groupGr.query();

while (groupGr.next()) {

var groupID = groupGr.getValue('group');

userGroups.push(groupID);

gs.log('User is in group: ' + groupID);

gs.log("helloooo");

}

// Get documents accessible to these groups from the mtom table

var accessibleDocs = [];

if (userGroups.length > 0) {

var accessGr = new GlideRecord('ds_document_ug_can_access_mtom');

accessGr.addQuery('user_group', 'IN', userGroups.join(','));

accessGr.query();

while (accessGr.next()) {

var docID = accessGr.getValue('document'); // Confirm this field name

accessibleDocs.push(docID);

gs.log('Accessible document: ' + docID);

}

// Filter the ds_document query

if (accessibleDocs.length > 0) {

accessGr.addQuery('sys_id', 'IN', accessibleDocs.join(','));

} else {

// No access, return empty result

accessGr.addQuery('sys_id', 'IS', 'EMPTY');

}

})(current, previous);

Weird · ‎07-17-2025

If you're trying to restrict the document table (ds_document) then you need to add the query rule in there.

The script has accessGr.query(); and then after that it again has accessGr.addQuery near the bottom.
If the last to addQueries are meant for the document table then simply replace the last two with current.

if (accessibleDocs.length > 0) {

current.addQuery('sys_id', 'IN', accessibleDocs.join(','));

} else {

// No access, return empty result

current.addQuery('sys_id', 'IS', 'EMPTY');

}