I've recently seen some odd behavior in our dev instance after we turned on Service Portal to start our development.   After some digging, I figured out that the Explicit Roles plug-in (normally activated by request only) is automatically activated when Service Portal is activated.   The first clue was that users who were previously able to read a couple of fields on the ast_contract table could no longer read them.   I checked the read ACLs for those fields and they were configured wrong.   Then I checked our dev and production instances, and those ACLs don't even exist there, so presumably they were created as part of the Explicit Roles activation.   In test, we have 7856 ACLs, in dev (where SP is activated), we have 8394 ACLs, so I would expect to have 538~ ACLs created on the same day that we activated SP.   But I don't.   When I look at the read ACL mentioned earlier, it has a create date of 8/27/15.

The only explanation I can come up with is that the ACL is retaining the date that it was created where ever it was created, but not the date it was created in my instance.   It would certainly make it easier for me to filter out and check the ACLs that were created with the plug in if their create dates all matched.

This is really just a rant, and perhaps a suggestion to the SNow development staff - if you are going to insert ACLs via plug-in, could you make it so the create date reflects the date it was created in our instance, not the date it was created *somewhere*.   And if you are going to put conditions in ACLs, perhaps they should be correct conditions.   In my case, the number field on the ast_contract table was only readable if the contract model was one that we aren't even using.

Am I the only one disliking this Explicit Roles forced activation?