Role of an ACL is not capturing in update set

ShireeshaVemula
Tera Contributor

Role of an ACL is not capturing in update set. It got wrongly capturing when it moved to test instance.

How to capture it?

5 REPLIES 5

Dr Atul G- LNG
Tera Patron

Hi @ShireeshaVemula 

 

https://www.servicenow.com/community/developer-forum/roles-modified-in-acl-are-not-getting-captured-...

 

https://www.servicenow.com/community/itsm-forum/does-acl-gets-captured-in-update-set/td-p/534883

 

*************************************************************************************************************
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/dratulgrover [ Connect for 1-1 Session]

****************************************************************************************************************

Nayan ArchX
Tera Guru

Ah yes — this is a classic ServiceNow ACL + Update Set trap
You’re not alone, and the fix is very specific.

Why this happens (important to understand)

ACLs are split across multiple tables:

  1. sys_security_acl
    → the ACL record itself
  2. sys_security_acl_role
    → the roles attached to the ACL
  3. sys_security_acl_condition / script (if used)

 Only the ACL record was captured in your Update Set
The role mapping record was not, so in TEST the ACL exists but has no roles (or wrong roles)

That’s why it behaves incorrectly after promotion.

Correct Way to Capture ACL Roles

Step 1: Identify the missing role record

In DEV:

  1. Go to the ACL record
  2. Right-click → Configure → ACL Roles
  3. Note the role(s) attached

Step 2: Manually capture the ACL Role mapping

  1. Navigate to:
  1. sys_security_acl_role.list
  1. Filter:
    • ACL = your ACL name
  2. You’ll see records like:
    • ACL = cmdb_ci_service.read
    • Role = snc_internal (example)

 Step 3: Add them to the Update Set

For each record:

  1. Open the record
  2. Right-click header → Add to Update Set
  3. Confirm it’s added

This is the step most people miss

Step 4: Verify Update Set completeness

Your update set must contain:

  • sys_security_acl
  • sys_security_acl_role
  • sys_security_acl_condition (if used)

AFTER moving to TEST

Step 5: Validate in TEST

  1. Open the ACL
  2. Go to Roles related list
  3. Ensure roles are present
  4. Impersonate a user → test access

Best Practice Going Forward

 Always use this method when creating ACLs:

  1. Create ACL
  2. Save
  3. Add roles
  4. Save again
  5. Verify Update Set captured both tables

Emergency Fix (Already broken in TEST)

If already promoted incorrectly:

  • Repeat Step 2–3 in DEV
  • Move a delta Update Set
  • Commit in TEST

Pro Tip (Senior Dev trick)

Before promoting:

Update Set Preview → Compare to Target

Search for:

  • sys_security_acl_role
    If missing → don’t promote yet.

 

 

If my response has resolved your query, please consider giving it a thumbs up ‌‌ and marking it as the correct answer‌‌!

 

Thanks

Nayan Patel

IT ServiceNow Consult, ServiceNow ArchX

If my response has resolved your query, please mark it Helpful by giving it a thumbs up and Accept the Solution

Its_Azar
Kilo Sage

Hi there @ShireeshaVemula 

Ha this happens sometimes, try this just make it inactive and then make it active again, it will get captured.

☑️ If this helped, please mark it as Helpful or Accept Solution so others can find the answer too.

Kind Regards,
Azar
Serivenow Rising Star
Developer @ KPMG.

Ankur Bawiskar
Tera Patron

@ShireeshaVemula 

it does get captured in update set OOTB.

What do you mean by wrongly capturing?

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader