Role of an ACL is not capturing in update set
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4 weeks ago
Role of an ACL is not capturing in update set. It got wrongly capturing when it moved to test instance.
How to capture it?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4 weeks ago
https://www.servicenow.com/community/itsm-forum/does-acl-gets-captured-in-update-set/td-p/534883
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/dratulgrover [ Connect for 1-1 Session]
****************************************************************************************************************
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4 weeks ago - last edited 4 weeks ago
Ah yes — this is a classic ServiceNow ACL + Update Set trap
You’re not alone, and the fix is very specific.
Why this happens (important to understand)
ACLs are split across multiple tables:
- sys_security_acl
→ the ACL record itself - sys_security_acl_role
→ the roles attached to the ACL - sys_security_acl_condition / script (if used)
Only the ACL record was captured in your Update Set
The role mapping record was not, so in TEST the ACL exists but has no roles (or wrong roles)
That’s why it behaves incorrectly after promotion.
Correct Way to Capture ACL Roles
Step 1: Identify the missing role record
In DEV:
- Go to the ACL record
- Right-click → Configure → ACL Roles
- Note the role(s) attached
Step 2: Manually capture the ACL Role mapping
- Navigate to:
- sys_security_acl_role.list
- Filter:
- ACL = your ACL name
- You’ll see records like:
- ACL = cmdb_ci_service.read
- Role = snc_internal (example)
Step 3: Add them to the Update Set
For each record:
- Open the record
- Right-click header → Add to Update Set
- Confirm it’s added
This is the step most people miss
Step 4: Verify Update Set completeness
Your update set must contain:
- sys_security_acl
- sys_security_acl_role
- sys_security_acl_condition (if used)
AFTER moving to TEST
Step 5: Validate in TEST
- Open the ACL
- Go to Roles related list
- Ensure roles are present
- Impersonate a user → test access
Best Practice Going Forward
Always use this method when creating ACLs:
- Create ACL
- Save
- Add roles
- Save again
- Verify Update Set captured both tables
Emergency Fix (Already broken in TEST)
If already promoted incorrectly:
- Repeat Step 2–3 in DEV
- Move a delta Update Set
- Commit in TEST
Pro Tip (Senior Dev trick)
Before promoting:
Update Set Preview → Compare to Target
Search for:
- sys_security_acl_role
If missing → don’t promote yet.
If my response has resolved your query, please consider giving it a thumbs up and marking it as the correct answer!
Thanks
Nayan Patel
IT ServiceNow Consult, ServiceNow ArchX
If my response has resolved your query, please mark it Helpful by giving it a thumbs up and Accept the Solution
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hi there @ShireeshaVemula
Ha this happens sometimes, try this just make it inactive and then make it active again, it will get captured.
Kind Regards,
Azar
Serivenow Rising Star ⭐
Developer @ KPMG.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
it does get captured in update set OOTB.
What do you mean by wrongly capturing?
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
