The record is not accessible to the user due to Query business rules or Domain separation security.

Cirrus · ‎01-22-2025

Afternoon,

In a new custom app, we have several reference fields to the sys_user table. As admin, I can select users to populate these fields, but as a user with the scoped app role, they can see the reference fields but they show no users to display. The only acls on the scoped app currently are the 4 CRWD created automatically with the table.

When I ran access analyzer for a user against one of the refernce fields and it passed, but a warning message appeared -

Has anyone come across this before and is it easy to resolve?

Sanjay191 · ‎01-22-2025

Hello @Cirrus

1. Check for Query Business Rules

Query Business Rules can filter out records based on conditions.

Navigate to: System Definition > Business Rules.
Look for active query business rules on the sys_user table.
Check if any of them are restricting the visibility of user records for scoped app roles.
Solution: Modify or disable the business rule, or adjust the logic to ensure that users with the scoped app role can access the relevant user records.

2. Verify Domain Separation Settings

If domain separation is enabled, users might not be able to see records outside their assigned domain.

Navigate to: System Properties > Domain Separation.
Check if domain separation is active for your instance.
Ensure the users with the scoped app role belong to the correct domain to view the required sys_user records.
Solution: Either assign users to the appropriate domain or adjust domain visibility rules.

3. Add Scoped Role Access to the sys_user Table

Scoped apps often require explicit access to global tables like sys_user.

Navigate to: System Definition > Application Access for your scoped app tables.
Verify the "Can Read" and "Can Read From" settings.
- Ensure the scoped app role has read access to the sys_user table.
- Check the "Accessible from" field on the table settings.
  - If it’s set to This application scope only, change it to All application scopes.

4. Add Explicit ACLs for the sys_user Table

If the scoped app role does not inherit ACL permissions for the sys_user table:

Navigate to: System Security > Access Control (ACL).
Filter by sys_user in the Name column.
Create new ACLs for sys_user:
- Type: Record
- Operation: Read
- Condition: Ensure the scoped app role is included in the role conditions.

5. Debug and Test with Access Analyzer

Once changes are made:

Use the Access Analyzer to validate that the scoped app role now has the necessary access.
Test with a user who has only the scoped app role to confirm the reference field populates correctly.

6. Review and Adjust the Reference Qualifier

A Reference Qualifier might be applied to the reference field, restricting which users appear in the dropdown.

If my answer has helped with your question, please mark my answer as accepted solution and give a thumb up.
Thank You

Ankur Bawiskar · ‎01-22-2025

@Cirrus

OOB there is a query BR on sys_user table which might be restricting it.

Did you check the user with whom you are checking what they see when they visit sys_user.LIST?

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

Ankur Bawiskar · ‎01-22-2025

@Cirrus

Hope you are doing good.

Did my reply answer your question?

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader