report admin is unable to share report to some groups
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hi,
User has report_admin, report_group role and unable to add some groups to the report.
When selected on share -> Groups-> search icon only some groups are visible. It has error number of rows removed from this list by security constraints : 2
Which rule/ACL should be checked?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hi @PARAS_
Probable root cause: The usual cause for this issue is due to the fact that in a List type report, each row that is to be returned by the report is first compared against any read Access Control (ACL) records as defined on the source tables for that report.
Probable solution: a new ACL may need to be created (or an existing ACL record updated) that would provide the necessary read permissions to the tables and fields for the users who might need to view this information.
Note:Modifying or creating a new ACL record will require an admin account that has been temporarily elevated to security_admin and as always, particularly when editing ACLs and other security-related objects in the system, extreme caution should be preserved.
Refer the KB article: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0745026
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hi , for new ACL which role should be provided?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago - last edited 3 weeks ago
Hi @PARAS_,
What to check step by step
- Impersonate the affected user.
- Open System Security > Access Control (ACL) and check any read ACLs on:
- sys_user_group
- sys_user_group.*
- Check for any Before Query Business Rules on sys_user_group.
- Test directly:
- Ask the user to open the Group [sys_user_group] list
- search for one of the missing groups
- If they cannot see it there either, the problem is definitely table security, not report sharing.
Likely fix
Grant the user the required access to read those specific group records, instead of only adding reporting roles. In other words:
- report_admin / report_group = permission to share reports
- sys_user_group read access = permission to find/select groups in the lookup
So the root cause is most likely:
The missing groups are being filtered from the group reference lookup by ACL/query security on sys_user_group, which is why the user sees only some groups and gets the “rows removed by security constraints” message.
A quick note would be:
User has correct report roles (report_admin, report_group), but missing groups in Share > Groups lookup are being restricted by sys_user_group security (ACL / domain (if domain separation is enabled) / query filtering), not by report permissions.
Trust this helps!!
Regards,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
some Table.None READ ACL is blocking the groups
Did you check that on sys_user_group table?
Ankur
✨ Certified Technical Architect || ✨ 10x ServiceNow MVP || ✨ ServiceNow Community Leader
