When do we use Before Query BR over ACLs?

MustafaZ
Tera Contributor
 
1 ACCEPTED SOLUTION

vaishali231
Kilo Sage

Hey @MustafaZ 

Use a Before Query Business Rule when the requirement is to dynamically filter records at query time, whereas ACLs should always be used for enforcing security and access control.

Both serve different purposes and should not be treated as interchangeable.

 

Key Difference

ACL (Access Control Rule)
Controls who can access what (read, write, create, delete) at record and field level.

Before Query Business Rule
Controls which records are fetched from the database by modifying the query before execution.

 

When to Use ACL (Recommended Standard)

Use ACLs when:

  1. You need to enforce security
  2. You want to restrict record or field visibility
  3. Access must be controlled across all entry points (UI, API, reports, integrations)

Example:

  • Only HR users should see salary details
  • Restrict incident visibility based on roles

Reason:
ACLs are secure, consistent, and platform-standard.

 

When to Use Before Query Business Rule

Use a Before Query BR when:

  1. You need dynamic query filtering
  2. You want to limit records fetched from the database
  3. Logic is too complex for ACL conditions
  4. You are implementing data partitioning (e.g., region/user-based filtering)

Example:

(function executeRule(current, previous) {

   // Before Query rule: add a condition so only records assigned to the current user are fetched
   current.addQuery('assigned_to', gs.getUserID());

})(current, previous);

This ensures only relevant records are queried, improving performance.

 

Important Consideration

Before Query Business Rules:

  • Improve performance
  • Control data retrieval
  • But do NOT guarantee security

Users may still access data via:

  • Scripts
  • APIs
  • Background processing

 

Best Practice

  1. Use ACLs for security (mandatory)
  2. Use Before Query BR for performance and filtering
  3. For robust implementations, use both together

************************************************************************************************************************************

If this response helps, please mark it as Accept as Solution and Helpful.

Doing so helps others in the community and encourages me to keep contributing.

Regards

Vaishali Singh

5 REPLIES

Dr Atul G- LNG
Tera Patron

Hi @MustafaZ 

 

https://www.servicenow.com/community/developer-articles/query-business-rules-vs-acl-comparison/ta-p/....

 

https://www.linkedin.com/posts/ramyakottala_a-real-interview-moment-servicenow-share-742047620823006...

 

https://www.servicenow.com/community/developer-articles/performance-best-practice-for-before-query-b...

 

*************************************************************************************************************
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/dratulgrover [ Connect for 1-1 Session]

****************************************************************************************************************

vaishali231
Kilo Sage

Hey @MustafaZ 

Hope you are doing well.

Did my previous reply answer your question?

If it was helpful, please mark it as correct ✓ and close the thread. This will help other readers find the solution more easily.

Thank you & Regards

Vaishali Singh

ServiceNow Developer
LinkedIn - https://www.linkedin.com/in/vaishali-singh-2273361bb



Tanushree Maiti
Tera Patron

Hi @MustafaZ 

 

A Before Query Business Rule in ServiceNow is a specialized business rule used to control which records users can access within a table.

It executes before a database query runs, allowing you to adjust or add conditions to the query. This helps filter the returned data based on factors like domain separation or other access criteria.

 

Use Cases for Before Query Business Rules:

1. When ACLs restrict records in a list, users typically see a message indicating that some records have been hidden. In contrast, a Before Query Business Rule modifies the query before it runs, ensuring that only permitted records are retrieved in the first place, so users see only what they're allowed to access, without any indication that other records exist.

2. This approach is especially useful when security requirements are complex and rely on dynamic conditions rather than simple role-based access, etc.

 

Refer:

Query Business Rules vs. ACL - comparison

Before Query Business Rule & Dynamic Filter Use Case

Performance Best Practice for Before Query Business Rules

Please Accept the solution if it assisted you with your question & Mark this response as Helpful.
Regards
Tanushree Maiti
ServiceNow Technical Architect
LinkedIn: https://www.linkedin.com/in/tanushreemaiti
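
Added example, not part of any post in this thread and not ServiceNow platform code: a simplified JavaScript model of one list read, illustrating the accepted answer's "use both together" advice and the hidden-records behaviour described in the last reply. The sample rows, the user, the role name `example_manager` and the `listRead` options are constructed for illustration.

```javascript
// Constructed sample rows standing in for an incident-like table.
const ROWS = [
  { number: 'INC001', assigned_to: 'alice' },
  { number: 'INC002', assigned_to: 'bob' },
  { number: 'INC003', assigned_to: 'alice' },
  { number: 'INC004', assigned_to: 'carol' },
];

// Before-query rule: narrows the query itself, like current.addQuery(...).
function beforeQueryRule(conditions, user) {
  conditions.push(row => row.assigned_to === user.id);
}

// Read ACL: evaluated per record after the rows have been fetched.
// 'example_manager' is a hypothetical role name.
function readAcl(row, user) {
  return user.roles.includes('example_manager') || row.assigned_to === user.id;
}

// Model of one list read. runQueryRules=false stands for a path where the
// query rule does not fire; enforceAcl=false stands for a missing read ACL.
function listRead(user, { runQueryRules = true, enforceAcl = true } = {}) {
  const conditions = [];
  if (runQueryRules) beforeQueryRule(conditions, user);
  const fetched = ROWS.filter(row => conditions.every(cond => cond(row)));
  const visible = enforceAcl ? fetched.filter(row => readAcl(row, user)) : fetched;
  return {
    fetched: fetched.length,                      // rows pulled from storage
    visible: visible.map(row => row.number),      // rows the user ends up seeing
    hiddenByAcl: fetched.length - visible.length, // drives the "records hidden" notice
  };
}

const alice = { id: 'alice', roles: [] };
console.log('ACL only       ', listRead(alice, { runQueryRules: false }));
console.log('rule + ACL     ', listRead(alice));
console.log('rule only      ', listRead(alice, { enforceAcl: false }));
console.log('neither applied', listRead(alice, { runQueryRules: false, enforceAcl: false }));
```

With the ACL in place the visible set is the same whether or not the query rule ran; the rule only changes how many rows are fetched and whether a hidden-records count appears. Without the ACL, any read where the rule does not run returns every row.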