3 weeks ago
Hi Community,
I have a ServiceNow instance where I have been tasked with implementing new ACLs to segregate data.
I have a requirement to security test these ACLs. Some of the team have suggested that a pen test will cover this, but I am not sure; in my opinion we will need to write specific test cases to check all the permission requirements we have implemented.
Can you please advise / help on this?
Cheers
3 weeks ago - last edited 3 weeks ago
For ACL validation, you’ll want to write specific functional test cases based on your permission requirements. This includes:
Positive tests – Confirm users with the correct roles can read/update/create/delete the intended records/fields.
Negative tests – Confirm users without access cannot see or modify restricted data, even via indirect methods (list views, reports, related lists, API calls, etc.).
Edge cases – Test impersonation, role inheritance, and when ACL scripts return conditional results.
NOTE: Yes, you need to write specific test cases to check all the permission requirements.
Shashank Jain
3 weeks ago
Hi @AnthonyMull ,
You should know what a pen test will cover; most of the time it is testing the external attack surface, auth flows, session handling, etc.
Functional security testing (you need to do this)
Test “allow” and “deny” behavior for every table/field/operation per requirements.
Validate business context (assignment_group, company, region, state) and script logic in ACLs.
You can make a strategy something like this: test CRUD operation queries for each table and key field. Test both positive and negative scenarios across roles, groups, impersonations, and data contexts. For this you may test from UI lists and forms, the REST API, scripts, and ATFs.
Classify your ACLs by table, operation, type, fields, any dependencies, and expected results. Document the exact roles, groups, and domain for each persona.
Thanks,
Bhimashankar H
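Both answers above describe the same thing: a matrix of positive and negative CRUD cases, run as each persona, including the indirect paths (list queries, REST). The following is an added example of such a harness driven through the Table REST API; it is not code from ServiceNow or from any poster in this thread. The instance URL, the table and field names (u_payroll_record, u_salary_band), the persona user names, the SN_* environment variables and the record sys_id are all hypothetical placeholders. The pass/fail model assumes the Table API behaviour that an ACL-denied operation answers 403 (404 when the target row itself is unreadable), that a row the caller may not read is simply absent from a list query, and that a field the caller may not read is omitted from (or empty in) the JSON; fixture records used for field checks must therefore hold a non-empty value in that field.

```python
"""
ACL test matrix for a ServiceNow instance, exercised through the Table REST
API with one HTTP Basic-auth identity per persona.  Every name below that is
not a Table API parameter is a hypothetical placeholder (assumption).
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

INSTANCE = os.environ.get("SN_INSTANCE", "https://example.service-now.com")  # assumption
# persona -> (user name, password); passwords come from the environment, never the file
PERSONAS: Dict[str, Tuple[str, str]] = {
    "hr_admin":  ("hr.admin",   os.environ.get("SN_PW_HR_ADMIN", "")),
    "itil_user": ("itil.user",  os.environ.get("SN_PW_ITIL", "")),
    "no_role":   ("plain.user", os.environ.get("SN_PW_PLAIN", "")),
}

@dataclass(frozen=True)
class Case:
    persona: str
    op: str                 # "read" | "create" | "write" | "delete"
    table: str
    expect: str             # "allow" | "deny"
    sys_id: str = ""        # target row for read/write/delete
    fld: str = ""           # read only: field that must appear (allow) / must not (deny)
    body: Optional[dict] = None

Response = Tuple[int, dict]                                   # (HTTP status, JSON body)
Transport = Callable[[str, str, Tuple[str, str], Optional[dict]], Response]
METHOD = {"read": "GET", "create": "POST", "write": "PATCH", "delete": "DELETE"}

def url_for(case: Case) -> str:
    base = f"{INSTANCE}/api/now/table/{case.table}"
    if case.op == "read":   # list query, so a row-level deny shows up as an empty result
        q = urllib.parse.urlencode({"sysparm_query": f"sys_id={case.sys_id}",
                                    "sysparm_limit": 1})
        return f"{base}?{q}"
    return base if case.op == "create" else f"{base}/{case.sys_id}"

def http_send(method: str, url: str, auth: Tuple[str, str],
              body: Optional[dict]) -> Response:
    """Live transport against the instance; swap in a fixture for offline runs."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Basic {token}", "Accept": "application/json",
        "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        return err.code, {}

def verdict(case: Case, status: int, payload: dict) -> Tuple[bool, str]:
    """Map (status, body) to pass/fail for the case's expectation."""
    if case.op == "read":
        rows = payload.get("result", []) if status == 200 else []
        visible = len(rows) == 1
        # field check: present and non-empty; without a field the row itself is the check
        has_field = (visible and bool(rows[0].get(case.fld, ""))) if case.fld else visible
        detail = f"status={status} visible={visible} field_present={has_field}"
        return (has_field if case.expect == "allow" else not has_field), detail
    ok_status = {"create": 201, "write": 200, "delete": 204}[case.op]
    if case.expect == "allow":
        return status == ok_status, f"status={status}"
    return status in (403, 404), f"status={status}"   # 404: row hidden by row-level ACL

def run_matrix(cases: List[Case], send: Transport = http_send) -> List[Tuple[Case, bool, str]]:
    """Execute every case as its persona and return (case, passed, detail)."""
    out = []
    for c in cases:
        status, payload = send(METHOD[c.op], url_for(c), PERSONAS[c.persona], c.body)
        passed, detail = verdict(c, status, payload)
        out.append((c, passed, detail))
    return out

# Hypothetical requirement (assumption): only hr_admin may read u_salary_band on
# u_payroll_record; nobody without a role may write it.  Run against a throwaway
# fixture row, because the last case deletes it.
MATRIX = [
    Case("hr_admin",  "read",   "u_payroll_record", "allow", sys_id="a1b2", fld="u_salary_band"),
    Case("itil_user", "read",   "u_payroll_record", "deny",  sys_id="a1b2", fld="u_salary_band"),
    Case("no_role",   "read",   "u_payroll_record", "deny",  sys_id="a1b2"),
    Case("no_role",   "write",  "u_payroll_record", "deny",  sys_id="a1b2", body={"state": "3"}),
    Case("hr_admin",  "delete", "u_payroll_record", "allow", sys_id="a1b2"),
]

if __name__ == "__main__":
    for c, passed, detail in run_matrix(MATRIX):
        print("PASS" if passed else "FAIL", c.persona, c.op, c.table, c.fld, detail)
```

The deny cases are the ones that matter most: a negative test that only checks the form would miss a list query or REST call that returns the row, so every read case goes through a list query, and a field-level deny passes only if the field is absent or empty in the JSON. The transport is injectable so the same matrix can be replayed against captured responses before pointing it at a sub-production instance.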
3 weeks ago
If the solution was helpful, could you please mark it as accepted and close the thread.
Thank you!
Shashank Jain