debugging security constraint errors

jackiemcnabb
Giga Contributor

When a user is viewing a list of incidents (or tasks) they will get a message "Some rows removed from this list by Security constraints". What does this mean and how can I figure out what is causing it? We get it on various screens and chalk it up to permissions of some kind, but I would really like to know how to get to the bottom of it because users who seemingly have the same exact groups and roles are seeing different records.... Please help.

1 ACCEPTED SOLUTION

randrews
Tera Guru

there are two ways to debug this... quick and dirty and longer/slower...

quick and dirty... go to system security and disable all read rules on the table...
        now verify they load ok as the user.
        turn the rules back on one at a time and see which one breaks the user

longer slower...
        as admin in system security turn on debug security rules.
        impersonate the user
        now try to load the list view
        the bottom of the page will show ALL security rules and the results... look for the one with the red X in the left side <or ones>
        the boxes will tell you if it failed on condition, script, roles, or all three.. and you can fix the rule from there...

in a case like this i will generally NOT update the existing rule but create a new read rule to grant access.



edwajs
ServiceNow Employee

Hi Jackie,

This is a standard message from ACLs, and is based on the way they work.

When you are looking at a list view of records, you have executed a query against the database and retrieved the matching records. Once the data is retrieved, ACLs are evaluated and applied. If you do not pass the ACL, the data is discarded and not included in the result sent to the browser.

The best way to debug ACLs is to turn on System Diagnostics > Session Debug > Debug Security, navigate to the list in question, and check the reject messages. You can hover over the red X icons in the output and it will show you if the ACL failed because of the conditions, roles, or script in the ACL. Further, you can click on the icon and it will take you to the ACL record.

As Raymond indicated in his reply, this default output can be verbose. This is because you are seeing all the ACLs applied to each record and field in the list. Here is a trick to limit the output to only the ACLs that fail:

1. Navigate to Scripts - Background
2. In the 'Run script (JavaScript executed on server)' box, paste this line of code: GlideSessionDebug.enable("security_refuse");
3. Click the 'Run script' button

Also, per Jacob's response, most people dislike these messages, so they frequently combine a before-query business rule with ACLs so the data in question is never fetched from the database in the first place.

Ed Wajs
ServiceNow Technical Support
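The before-query business rule pattern mentioned in the reply above, as an added example that is not code from the thread or from ServiceNow: the rule narrows the incident query for non-itil interactive users so that rows an ACL would later strip are never fetched, which is what makes the "Some rows removed" message go away. It uses the real Glide globals `current` and `gs`; the names `restrictIncidentQuery`, `makeStubs` and `runScenario` and the stand-in objects are my own, added so the rule can be run offline.

```javascript
// Body of a "before" business rule with "Query" checked on the incident
// table. In an instance, `current` is the GlideRecord being queried and
// `gs` is the GlideSystem global; they are taken as parameters here only
// so the logic can be exercised without an instance.
function restrictIncidentQuery(current, gs) {
  // Fulfillers (itil) and non-interactive sessions such as scheduled
  // jobs keep the unfiltered query; restricting them would hide data
  // from automation and produce confusing "missing record" tickets.
  if (gs.hasRole('itil') || !gs.isInteractive()) {
    return 'unrestricted';
  }
  var userId = gs.getUserID();
  // Requesters see only incidents they are the caller on or opened.
  var qc = current.addQuery('caller_id', userId);
  qc.addOrCondition('opened_by', userId);
  return 'restricted';
}

// Constructed stand-ins for the Glide objects (not the real API): they
// record the conditions the rule adds so the result can be inspected.
function makeStubs(opts) {
  var conditions = [];
  var current = {
    conditions: conditions,
    addQuery: function (field, value) {
      conditions.push(field + '=' + value);
      return {
        addOrCondition: function (f, v) { conditions.push('OR ' + f + '=' + v); }
      };
    }
  };
  var gs = {
    hasRole: function (role) { return opts.roles.indexOf(role) !== -1; },
    isInteractive: function () { return opts.interactive; },
    getUserID: function () { return opts.userId; }
  };
  return { current: current, gs: gs };
}

// Runs the rule for one session profile and returns what it did. This is
// the same comparison a debugger makes when two users with "the same"
// roles see different rows: the query itself differs, not just the ACLs.
function runScenario(opts) {
  var s = makeStubs(opts);
  var outcome = restrictIncidentQuery(s.current, s.gs);
  return { outcome: outcome, conditions: s.current.conditions };
}
```

Debug Security still shows the ACL results for the rows that are returned; the query rule only prevents the discarded rows from being fetched and counted in the first place.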


shivanipatel
ServiceNow Employee

Jackie,



We are glad you took advantage of the ServiceNow Community to learn more and to get your questions answered. The Customer Experience Team is working hard to ensure that the Community experience is most optimal for our customers.



If you feel that your question was answered, we would greatly appreciate if you could mark the appropriate thread as "Correct Answer". This allows other customers to learn from your thread and improves the ServiceNow Community experience.



If you are viewing this from the Community inbox you will not see the correct answer button. If so, please review How to Mark Answers Correct From Inbox View.






Thanks!



Shivani Patel