Related to M2M table access
06-22-2025 10:09 AM
I have created an M2M table to link the Location and question tables.
In the catalog item, I have 2 variables:
1. location - list collector - referencing the location table (cmn_location)
2. access card - list collector - referencing the M2M table.
The issue is:
1. Admin users can see and select the values in the "Access card" list collector while submitting the catalog item.
2. However, when I impersonate a non-admin user (who already has the appropriate table-level ACLs), the "Access Card" field shows "no matches found".
Has anyone faced a similar issue? Is there a permission or ACL that I need to configure for non-admin users to access the M2M table?
- Labels: Tokyo
06-22-2025 10:33 AM
Hey @Sindhu P, how are you?
In my experience, this is a common issue when using List Collector variables with custom many-to-many (M2M) tables in ServiceNow, especially when they rely on references that admins can see by default, but end users cannot due to ACL restrictions.
Even if the user has table-level access to the M2M table itself, they also need read access to the referenced fields and the joined tables (in your case: cmn_location and question or any reference fields used in the M2M list).
I believe that you can follow these steps to try to solve it:
1. Check ACLs for the M2M Table
- Navigate to System Security > Access Control (ACL).
- Search for your M2M table (e.g., u_location_question).
- Ensure there is a read ACL that allows non-admin roles (e.g., users submitting the catalog item).
- You may need to create a record ACL (*.*) with:
  - Operation: read
  - Condition: true or specific role/user criteria
  - Script (optional): validate if user is in a specific group

2. Check ACLs for Referenced Tables
Your list collector likely pulls data that includes references (like question name, location name). You must:
- Check if the user has read access to:
  - cmn_location
  - question (or your custom question table)
  - Any display field (e.g., name, short_description) in those tables
- Even if the user has access to the table, lack of read access to the display field (e.g., name) will result in “No matches found”.

3. Check the List Collector Reference Qualifier
Sometimes list collector variables use dynamic reference qualifiers or advanced reference qualifiers. If those include scripts or GlideRecord queries, make sure the non-admin user has access to:
- The tables and fields used in those scripts
- Avoid using gs.hasRole("admin") or gs.getUser() filters that exclude regular users unintentionally

4. Use “Security Debugging” Tools
- Go to the user’s profile
- Click Impersonate
- Run: /sys_security_acl_list.do → filter by your M2M table
- Then open a new tab and add ?sysparm_debug=security to the catalog item URL
  Example: /sc_cat_item.do?sys_id=xxxx&sysparm_debug=security
- Submit the form → check the debug log for any Access Denied messages.

If it's urgent and security isn’t a blocker, you can:
- Create a read ACL on the M2M table with “roles is empty” and condition is true, just to confirm the root cause.
- Once verified, adjust the condition/script accordingly.
Try it and let me know if it solves it.
Regards
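
A server-side check for steps 1 and 2 of the reply above, added here as an example and not code from either poster: it reports which table or field denies read, so the gap can be closed with a narrowly scoped ACL. The table name `u_location_question` is the reply's "e.g." name, the fields `u_location` and `u_question` are hypothetical, and the function must execute in the affected user's session because `canRead()` answers for the current user.

```javascript
// Added example. Placeholder names: u_location_question is the reply's "e.g."
// table; u_location / u_question are hypothetical reference fields on it.
var CHECKS = [
  { table: 'u_location_question', fields: ['u_location', 'u_question'] },
  { table: 'cmn_location', fields: ['name'] }
];
var SAMPLE_LIMIT = 50; // sample a few rows instead of walking the whole table

// GlideRecordCtor is the platform's GlideRecord, passed in rather than assumed
// to be a global. GlideRecord queries are not filtered by ACLs, so the rows are
// visible here and canRead() asks the ACL question explicitly.
function readAccessReport(checks, GlideRecordCtor) {
  return checks.map(function (check) {
    var entry = { table: check.table, sampled: 0, readable: 0,
                  deniedFields: [], problem: null };
    var gr = new GlideRecordCtor(check.table);
    if (!gr.isValid()) { entry.problem = 'table not found'; return entry; }
    gr.setLimit(SAMPLE_LIMIT);
    gr.query();
    while (gr.next()) {
      entry.sampled++;
      if (!gr.canRead()) continue;          // row-level read ACL denies this record
      entry.readable++;
      check.fields.forEach(function (name) { // field-level read ACLs
        var denied = !gr.isValidField(name) ? name + ' (no such field)'
          : !gr.getElement(name).canRead() ? name : null;
        if (denied && entry.deniedFields.indexOf(denied) === -1) {
          entry.deniedFields.push(denied);
        }
      });
    }
    if (entry.sampled > 0 && entry.readable === 0) {
      entry.problem = 'rows exist but none readable';
    } else if (entry.deniedFields.length) {
      entry.problem = 'field read denied';
    }
    return entry;
  });
}

// On an instance (skipped anywhere the platform globals are absent):
if (typeof GlideRecord !== 'undefined' && typeof gs !== 'undefined') {
  gs.info(JSON.stringify(readAccessReport(CHECKS, GlideRecord)));
}
```

An entry whose `problem` is `null` has readable rows and fields for that user, which points the search at the reference qualifier in step 3 instead of at ACLs.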