on 07-11-2025 11:37 AM
ServiceNow Query ACLs – A Must-Have for Granular Data Security.
A field-level read ACL hides a value on the form and in lists, but it does not stop a user from filtering on that field. A filter such as Salary > 100000 still returns the matching records whether or not the user can see the salary column, so the hidden value can be narrowed down one filter at a time: a blind query attack.
Query ACLs close that gap. This post covers the two types: query_match and query_range.
What is a Query ACL?
A Query ACL lets you control who may use a field in a filter (list condition builder, encoded query, report filter), separately from who may see its value.
There are two types:
1. query_match – Controls exact-match and null-check queries, the comparatively safe ones
Example:
You want users to be able to look up a record by e-mail address, such as:
Email = user@example.com
Email IS NOT EMPTY
But you want to block pattern queries that can enumerate addresses, like:
Email CONTAINS "@gmail.com"
Email STARTS WITH "john"
2. query_range – Controls comparison and pattern queries, which are far easier to abuse for inference
Example:
Payroll Table – Protecting Salary Information
• You can view your own salary.
• But you shouldn't be able to filter the table with Salary BETWEEN 100000 AND 200000 and learn who falls in that band.
Add a query_range ACL on the salary field (granted only to the roles that legitimately need it) to block the range query for everyone else.
How They Work
query_match ACL
• Covers exact-match and null-check operators: =, !=, IN, NOT IN, IS EMPTY, IS NOT EMPTY, etc.
• Evaluated when a filter tests a field for a specific value or for emptiness.
query_range ACL
• Covers comparison and pattern operators: >, <, >=, <=, BETWEEN, STARTS WITH, ENDS WITH, CONTAINS, etc.
• Evaluated when a filter can match many values at once, which is what makes value inference possible.
Important Behaviour:
• If no query ACL exists for a field, the field's read ACL decides whether it can be used in a filter.
• Once a query_match or query_range ACL exists for the field, it replaces that default: a user must pass the query ACL (for example, by holding one of its roles) to use the operators it covers.
• Verify the rule the same way an attacker would probe it: impersonate a user without the granted role, build the filter in the list condition builder or put the encoded query in the list URL, and confirm that no rows come back.