When do we use Before Query BR over ACLs?
17 hours ago
14 hours ago
Hi @MustafaZ
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/dratulgrover [ Connect for 1-1 Session]
****************************************************************************************************************
13 hours ago
Hey @MustafaZ
Use a Before Query Business Rule when the requirement is to dynamically filter records at query time, whereas ACLs should always be used for enforcing security and access control.
Both serve different purposes and should not be treated as interchangeable.
Key Difference
ACL (Access Control Rule)
Controls who can access what (read, write, create, delete) at record and field level.
Before Query Business Rule
Controls which records are fetched from the database by modifying the query before execution.
When to Use ACL (Recommended Standard)
Use ACLs when:
- You need to enforce security
- You want to restrict record or field visibility
- Access must be controlled across all entry points (UI, API, reports, integrations)
Example:
- Only HR users should see salary details
- Restrict incident visibility based on roles
Reason:
ACLs are secure, consistent, and platform-standard.
When to Use Before Query Business Rule
Use a Before Query BR when:
- You need dynamic query filtering
- You want to limit records fetched from the database
- Logic is too complex for ACL conditions
- You are implementing data partitioning (e.g., region/user-based filtering)
Example:
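(function executeRule(current, previous) {
    // Append a condition to the pending query so only records
    // assigned to the current user are fetched.
    current.addQuery('assigned_to', gs.getUserID());
})(current, previous);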
This ensures only relevant records are queried, improving performance.
Important Consideration
Before Query Business Rules:
- Improve performance
- Control data retrieval
- But do NOT guarantee security
Users may still access data via:
- Scripts
- APIs
- Background processing
Best Practice
- Use ACLs for security (mandatory)
- Use Before Query BR for performance and filtering
- For robust implementations, use both together
************************************************************************************************************************************
If this response helps, please mark it as Accept as Solution and Helpful.
Doing so helps others in the community and encourages me to keep contributing.
Regards
Vaishali Singh
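The "use both together" advice above, as an added example that is not part of the original post and is not ServiceNow code: it runs the post's `assigned_to` query rule and a row-level read check with the same policy against constructed in-memory stand-ins for `current` and `gs`. The `incident_manager` role, the sample rows, and the `runRules`/`enforceAcl` switches (which model whether a given access path evaluates each layer) are assumptions made for the illustration.

```javascript
// Before Query Business Rule body: same shape as the post's example,
// plus a role exemption. 'incident_manager' is a hypothetical role name.
function beforeQueryRule(current, gs) {
  if (gs.hasRole('incident_manager')) return;       // exempt role: no filter added
  current.addQuery('assigned_to', gs.getUserID());  // everyone else: own records only
}

// Row-level check standing in for a read ACL script that applies the same policy.
function readAclAllows(record, gs) {
  return gs.hasRole('incident_manager') || record.assigned_to === gs.getUserID();
}

// --- Constructed stand-ins below (assumptions, not the ServiceNow API) ---
function makeGs(userId, roles) {
  return { getUserID: () => userId, hasRole: (role) => roles.includes(role) };
}

function makeQuery() {
  const conditions = [];
  return {
    addQuery: (field, value) => { conditions.push([field, value]); },
    run: (rows) => rows.filter((row) => conditions.every(([f, v]) => row[f] === v)),
  };
}

const TABLE = [ // constructed sample rows
  { number: 'INC001', assigned_to: 'u_alice' },
  { number: 'INC002', assigned_to: 'u_bob' },
  { number: 'INC003', assigned_to: 'u_alice' },
];

// runRules: does this access path fire query rules?
// enforceAcl: does this access path evaluate read ACLs?
function fetchRows(gs, { runRules, enforceAcl }) {
  const query = makeQuery();
  if (runRules) beforeQueryRule(query, gs);
  const fetched = query.run(TABLE);
  const visible = enforceAcl ? fetched.filter((r) => readAclAllows(r, gs)) : fetched;
  return visible.map((r) => r.number);
}

const alice = makeGs('u_alice', []);
console.log(fetchRows(alice, { runRules: true, enforceAcl: true }));   // both layers
console.log(fetchRows(alice, { runRules: false, enforceAcl: true }));  // ACL alone still filters
console.log(fetchRows(alice, { runRules: false, enforceAcl: false })); // no layer: every row
```

With both layers applying the same policy, a path that skips one of them still returns only the permitted rows; only a path that skips both returns the whole table.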
11 hours ago
Hi @MustafaZ
A Before Query Business Rule in ServiceNow is a specialized business rule used to control which records users can access within a table.
It executes before a database query runs, allowing you to adjust or add conditions to the query. This helps filter the returned data based on factors like domain separation or other access criteria.
Use Cases for Before Query Business Rules:
1. When ACLs restrict records in a list, users typically see a message indicating that some records have been hidden. In contrast, a Before Query Business Rule modifies the query before it runs, ensuring that only permitted records are retrieved in the first place—so users see only what they’re allowed to access, without any indication that other records exist.
2. This approach is especially useful when security requirements are complex and rely on dynamic conditions rather than simple role-based access, etc.
Refer:
Query Business Rules vs. ACL - comparison
10 hours ago
Hi @MustafaZ,
In ServiceNow, ACLs are your main security gate. Whenever the requirement is about who should or shouldn’t access data, you go with ACLs. That’s the correct and safe approach.
Now, a before-query business rule comes into play when you don’t want to block access completely, but you want to control what data is shown to the user.
Let me know if these clear the doubts!!!!😉
If you find my answer useful, please mark it as Helpful and Correct. 😊
Regards,
Soham Tipnis
ServiceNow Developer || Technical Consultant
LinkedIn: www.linkedin.com/in/sohamtipnis10
