When do we use Before Query BR over ACLs?

MustafaZ
Tera Contributor
 
1 ACCEPTED SOLUTION

vaishali231
Kilo Sage

Hey @MustafaZ 

Use a Before Query Business Rule when the requirement is to dynamically filter records at query time, whereas ACLs should always be used for enforcing security and access control.

Both serve different purposes and should not be treated as interchangeable.

 

Key Difference

ACL (Access Control Rule)
Controls who can access what (read, write, create, delete) at record and field level.

Before Query Business Rule
Controls which records are fetched from the database by modifying the query before execution.

 

When to Use ACL (Recommended Standard)

Use ACLs when:

  1. You need to enforce security
  2. You want to restrict record or field visibility
  3. Access must be controlled across all entry points (UI, API, reports, integrations)

Example:

  • Only HR users should see salary details
  • Restrict incident visibility based on roles

Reason:
ACLs are secure, consistent, and platform-standard.

 

When to Use Before Query Business Rule

Use a Before Query BR when:

  1. You need dynamic query filtering
  2. You want to limit records fetched from the database
  3. Logic is too complex for ACL conditions
  4. You are implementing data partitioning (e.g., region/user-based filtering)

Example:

(function executeRule(current, previous) {

   // Before Query rule: narrow the query to records assigned to the current user
   current.addQuery('assigned_to', gs.getUserID());

})(current, previous);

This ensures only relevant records are queried, improving performance.

 

Important Consideration

Before Query Business Rules:

  • Improve performance
  • Control data retrieval
  • But do NOT guarantee security

Users may still access data via:

  • Scripts
  • APIs
  • Background processing

 

Best Practice

  1. Use ACLs for security (mandatory)
  2. Use Before Query BR for performance and filtering
  3. For robust implementations, use both together

************************************************************************************************************************************

If this response helps, please mark it as Accept as Solution and Helpful.

Doing so helps others in the community and encourages me to keep contributing.

Regards

Vaishali Singh
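
Added example, not part of the original answer and not ServiceNow code: a small Node.js model of the answer's point that a Before Query rule only narrows what is fetched while an ACL decides per record. The rows, user ids and the `rulesFire` flag are constructed assumptions, and the model assumes, as the answer states, that ACLs are evaluated on every entry point.

```javascript
// Added illustration, not ServiceNow code: an in-memory model of one table.
// ROWS, the user ids and the rulesFire flag are constructed for this example.
const ROWS = [
  { number: 'INC001', assigned_to: 'u_alice' },
  { number: 'INC002', assigned_to: 'u_bob' },
  { number: 'INC003', assigned_to: 'u_alice' },
  { number: 'INC004', assigned_to: 'u_bob' },
];

// The same predicate in both places: "assigned_to is the current user".
// As a Before Query rule it is appended to the query conditions.
function beforeQuery(conditions, userId) {
  conditions.push(row => row.assigned_to === userId);
}
// As a read ACL it is evaluated against each candidate record.
function aclCanRead(row, userId) {
  return row.assigned_to === userId;
}

// One read of the table. controls = which controls are configured;
// rulesFire = whether this access path runs business rules (assumption: some
// paths do not, per the answer's "Scripts, APIs, Background processing").
function read(userId, controls, rulesFire) {
  const conditions = [];
  if (controls.queryRule && rulesFire) beforeQuery(conditions, userId);
  const fetched = ROWS.filter(r => conditions.every(c => c(r)));
  let aclChecks = 0;
  const returned = fetched.filter(r => {
    if (!controls.acl) return true;
    aclChecks += 1;
    return aclCanRead(r, userId);
  });
  return { numbers: returned.map(r => r.number), fetched: fetched.length, aclChecks };
}

// Other users' records that userId can read on at least one access path.
function exposed(userId, controls) {
  const seen = new Set();
  for (const rulesFire of [true, false]) {
    read(userId, controls, rulesFire).numbers.forEach(n => seen.add(n));
  }
  const own = ROWS.filter(r => r.assigned_to === userId).map(r => r.number);
  return [...seen].filter(n => !own.includes(n)).sort();
}

console.log('query rule only:', exposed('u_alice', { queryRule: true, acl: false }));
console.log('ACL only:', exposed('u_alice', { queryRule: false, acl: true }));
console.log('both:', exposed('u_alice', { queryRule: true, acl: true }));
```

With both controls configured and the rule firing, the ACL is evaluated on 2 fetched rows instead of 4, which is the performance argument for combining them.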













5 REPLIES

SohamTipnis
Mega Sage

Hi @MustafaZ,

 

In ServiceNow, ACLs are your main security gate. Whenever the requirement is about who should or shouldn’t access data, you go with ACLs. That’s the correct and safe approach.

Now, a before-query business rule comes into play when you don’t want to block access completely, but you want to control what data is shown to the user.

 

Let me know if this clears the doubts!!!!😉

 

 

If you find my answer useful, please mark it as Helpful and Correct. 😊


Regards,
Soham Tipnis
ServiceNow Developer || Technical Consultant
LinkedIn: www.linkedin.com/in/sohamtipnis10