GRC Tasks dont show the Risk Assessment for Business User Lite or other GRC Roles

Henrik Alt
Tera Contributor

‎04-27-2026 12:33 AM

Hello All,

im facing an issue as in the GRC Tasks i only see the Risk Assessments when i have an admin user, for everyone else this is just hidden eventhough those users have a risk assessment assigned.

We have several instances but ever since our production was upgraded i do not see them anymore, i crawled through the UI Builder but i didnt see anything that could cause this, do any of you have an idea about that? thanks in advance!

 

 

SNGRCTasks.png

 

0 Helpfuls
  • 857 Views
8 REPLIES 8

itsanupam81
ServiceNow Employee
In response to Henrik Alt

2 weeks ago

@Henrik Alt You are most likely experiencing this issue due to missing query_range acl on the risk assessment instance table due to an instance level change that happened in May, 2025. Therefore, you are experiencing this immediately after the upgrade.

If you've recently seen one of your GRC users open a workspace and find an empty list — or hit a cryptic banner that mentions "insufficient access for 'query_range' operation" — you're not configuring something wrong. You're seeing the downstream effect of a platform security change that quietly reshaped how every list query is evaluated.

Here's what changed, why it matters specifically for IRM, TPRM, and Compliance teams, and what to do when it bites.

 

The error you'll actually see

 
Part of the query on [table] has been ignored because of
insufficient access for 'query_range' operation on [table.field]

The query still runs. The unauthorized filter clause is just silently dropped. That's why symptoms usually look like "the list is empty" or "the business user can't find their assessment" rather than a hard authorization failure — making this one of the harder ACL issues to diagnose in production.

 

What query_range actually is

query_range is an ACL operation — sitting alongside read/write/create/delete — that governs whether a user can apply range or pattern operators (>, <, >=, <=, starts with, ends with, contains, between) to a field. Its sibling query_match governs the safer exact-match operators (=, !=, IN, IS EMPTY).

The operation type itself isn't new. What changed in May 2025 is that ServiceNow flipped the global *.* query_range ACL to default deny and auto-generated thousands of new query_range ACLs across the platform. Before the patch, range queries were effectively wide open unless explicitly blocked. After the patch, they're blocked unless explicitly allowed.

 

How to fix it (when an OOB patch isn't available)

Create a parallel Record ACL that mirrors the read ACL but uses the query_range operation:

  • Operation: query_range
  • Name: table.field (or table.* for table-wide coverage)
  • Roles: the same roles your existing read ACL grants

Two practical caveats:

  1. If the corresponding read ACL has a security attribute, the parallel query_range ACL should mirror it without the security attribute. The security attribute lives on read; the query layer just needs the role match.
  2. Sometimes query_match is the right answer instead. If the operators users actually need are =, !=, or IN, build a query_match ACL — ServiceNow Support has flagged this on a few cases (see KB2130442).

Review these articles: 

Missing ACLs on initial Compliance Management Workspace setuphttps://www.servicenow.com/community/grc-forum/missing-acls-on-initial-compliance-management-workspa...

 

Query ACLs

https://www.servicenow.com/community/developer-blog/query-acls/ba-p/3273676

 

Find below knowledge articles on ServiceNow support:

KB2046494 (May 2025 Maintenance) ·

KB2130442 (query_range troubleshooting).

 

Hope this helps.

0 Helpfuls

Sebastien Fix
Giga Guru
In response to sarah_bioni

2 weeks ago

@sarah_bioni 

 

we notice this behavior on a client instance where predictive intelligence is installed; where the role platform_ml_read becomes required all of the sudden, and that role is only inherited as part of the risk admin role

0 Helpfuls

Sai Krishna Kot
ServiceNow Employee

‎05-04-2026 02:37 AM

Hi @Henrik Alt ,
Did you notice any errors on the GRC tasks page when you clicked the 'Risk assessments' tab?

0 Helpfuls

Marek Remi_
Tera Expert

a week ago

Hey @Henrik Alt ,  As @itsanupam81 mentioned, please check for Query Range ACLs.

We have seen the same issue on multiple instances. The point is that GRC Tasks use Query Range ACLs, and if those ACLs are missing from the system, the records will not appear as expected.

It is possible to run a script that creates the Query Range ACLs for the entire instance, similar to what ServiceNow provided when this ACL type was originally introduced.

Could you check whether Query Range ACLs exist in your instance? Y
ou can use the URL below to check for ACLs related to the Assessment Instance table. Just replace <YOUR_INSTANCE> with your instance name:


https://<YOUR_INSTANCE>.com/now/nav/ui/classic/params/target/sys_security_acl_list.do%3Fsysparm_quer...

Let me know what you find.


Preview file
73 KB
0 Helpfuls