Anand Kumar P
Giga Patron
Giga Patron

ServiceNow Query ACLs – A Must-Have for Granular Data Security.

 

Have you ever thought that read access to a field in ServiceNow might still leave it vulnerable to blind query attacks?

 

Let’s talk about a powerful security enhancement: Query ACLs specifically, query_match and query_range.

 

What is a Query ACL?

A Query ACL allows you to define granular control over who can query data using filters, beyond just seeing it.

 

There are two types:
1. query_match – Controls safe exact match queries

Example:

You want users to query by email ID, such as:

Email = user@example.com
Email IS NOT EMPTY

But block wildcard queries like:

Email CONTAINS "@gmail.com"
Email STARTS WITH "john"

 

2. query_range – Controls range or pattern-based queries, which are more prone to abuse

Example:

Payroll Table – Protecting Salary Information
• You can view your own salary.
• But you shouldn’t be able to filter salaries like Salary BETWEEN 100000 AND 200000.

Add a query_range ACL to the salary field to block unauthorized range queries.


How They Work

—>query_match ACL

Allows safe operators:
• =, !=, IN, IS EMPTY, IS NOT NULL, etc.

 —>Used when filters are exact matches or null checks.

query_range ACL

—>Controls risky operators:
• >, <, >=, <=, STARTS WITH, CONTAINS, etc.

Important Behaviour:
• If no query ACL exists, the system defaults to read ACL.
• If any query_match or query_range ACLs exist, they override the default and must be explicitly granted.

Version history
Last update:
‎07-11-2025 11:37 AM
Updated by:
Contributors