Part of the query on sys_user has been ignored because of insufficient access for 'query_range'

RobDoyle
Giga Guru

Part of the query on sys_user has been ignored because of insufficient access for 'query_range' operation on sys_user_grmember.user

So we recently got our May security maintenance done and I am having an issue with the above error 

I have created a new ACL for this but it is still erroring I did raise a ticket but wasn't very helpful and the KB's don't really advise how to resolve this 

RobDoyle_0-1747150176095.pngRobDoyle_1-1747150202045.png

I am not sure what I am doing wrong I did have one related to a query match which i resolved but this query range one is stumping me 

1 ACCEPTED SOLUTION

RobDoyle
Giga Guru

RobDoyle_0-1747219362432.png

So it appears me updating these ACL's to change from public and also changing the security attribute to local seems to have fixed the error 

View solution in original post

17 REPLIES 17

SumanthDosapati
Mega Sage
Mega Sage

@RobDoyle 

> Did you try relogging in after applying the ACL?

> Also try giving a table level ACL also and see if it works.

This link also might help you.

 

Accept the solution and mark as helpful if it does, to benefit future readers.
Regards,
Sumanth

Rogers Cadenhe1
Giga Guru

ServiceNow just deployed a large number of new query_range ACLs that control user access to code that runs ranged queries (clauses like STARTS WITH, ENDS WITH and CONTAINS). You need to create a new ACL of Type record and Operation query_range for the field user on the table sys_user_grmember and then give it the roles of the users who need to perform the action that triggered the error.

 

There's a similar issue with the new query_match ACL that has the same kind of error message and same fix, except you use Operation query_match instead.

RobDoyle_1-1747209792631.png

I have already done this as screenshot in first post advises and it still doesn't allow it.

There is only a create and write ACL would I need to add a read too

You need to ensure that your users have a role that you associated with your new query_range ACL.