How to have a custom role give read only access to all records on the Incident table
3 weeks ago
Hello. On my Personal Developer Instance (for testing purposes), I created a new user and a new role. The user's name is Carlos Pitman. The role that I created is named incident_reader. I assigned the incident_reader role to Carlos.
I then created an allow if read acl rule for the incident table that has incident_reader as the role. When I impersonated Carlos, he was not able to see any records on the incident table. I added the incident_reader role to existing incident read ACLs (out of the box ACLs already created by default in the PDI), but Carlos still could not see any records on the incident table.
I only want to give Carlos read only access to the incident table. How do I get this new user (Carlos Pitman) with the custom role of incident_reader to gain read only access to the incident table without assigning any more roles to him?
3 weeks ago - last edited 3 weeks ago
Hi @Daniel210 ,
If you want to provide read access to incidents, simply assign the OOTB role "sn_incident_read" to the user.
And the reasons why the custom role/ACL is not working:
- ServiceNow ACL evaluation requires all matching ACL rules to return true for an operation (read, write, etc.).
- Out-of-the-box (OOB) incident read ACLs often include conditions like:
  - role = itil or other roles
  - script checks (e.g., the user must be in certain groups)
- Adding your custom role to those ACLs doesn't override the other conditions; they still fail if Carlos doesn't meet them.
- Your new ACL (allow if read) only grants access if no other ACL denies it. Since OOB ACLs exist, they still block Carlos.
To give read-only access without adding more roles, create a single inclusive read ACL:
- Navigate to System Security > Access Control (ACL).
- Filter for incident.* and operation = read.
- Deactivate or adjust the OOB ACLs for read (or clone them if you want to preserve the defaults).
- Create a new ACL:
  - Type: record
  - Operation: read
  - Name: incident.*
  - Requires role: incident_reader
  - Condition: leave blank (or add logic if needed)
  - Script: leave blank
- Ensure this ACL is the only one evaluated for read (or that all the others allow access).
If I could help you with your query, please hit the thumbs-up icon and mark as correct!
Thanks, GP
3 weeks ago
Hi @Daniel210,
ServiceNow has a default "Before Query" Business Rule on the Incident table. Its job is to filter out data at the database level before it reaches the user.
Currently, that rule says: "If the user does NOT have the ITIL role, only show them tickets where they are the Caller or the Opener."
Since Carlos has your custom role (and not ITIL) and is likely not the Caller on those existing incidents, the database returns 0 records. Your ACLs are never triggered because no records are being retrieved.
You need to modify this Business Rule to include your new role in the "allow" list.
Go to the Business Rules list view and search for the name: incident query
Look at the Script field. You will see a line that looks like this:
if (!gs.hasRole("itil") && ........... {
Update this line to check for your new role as well. Change it to:
// Check if user lacks ITIL AND lacks incident_reader
if (!gs.hasRole("itil") && !gs.hasRole("incident_reader") && .............. {
Happy to help! If this resolved your issue, kindly mark it as the correct answer ✅ and Helpful and close the thread 🔒 so others can benefit too.
Warm Regards,
Deepak Sharma
Community Rising Star 2025
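As an added illustration (not the post author's code and not ServiceNow's actual "incident query" rule), here is a before-query Business Rule script in the shape described above, with the incident_reader bypass included, plus a minimal mock of the `gs` and `current` objects so it can run outside ServiceNow. The OOTB rule has further conditions that the post elides; this keeps only the role check and the caller/opener restriction. `getUserID`, `addQuery` and `addOrCondition` are standard GlideSystem/GlideRecord calls; the sys_ids are constructed placeholders.

```javascript
// Before-query rule body for the Incident table, as it would sit in the
// Business Rule's Script field. Users without itil or the custom
// incident_reader role only see incidents they opened or are the caller on.
function incidentQueryRule(current, gs) {
  // Bypass the restriction for itil and for the custom read-only role.
  if (!gs.hasRole('itil') && !gs.hasRole('incident_reader')) {
    var userId = gs.getUserID();
    var qc = current.addQuery('caller_id', userId);
    qc.addOrCondition('opened_by', userId);
  }
}

// --- Mock harness (not ServiceNow code): records which query terms were added ---
function mockGs(userId, roles) {
  return {
    getUserID: function () { return userId; },
    hasRole: function (r) { return roles.indexOf(r) !== -1; }
  };
}

function mockCurrent() {
  var terms = [];
  return {
    terms: terms,
    addQuery: function (field, value) {
      terms.push(field + '=' + value);
      return {
        addOrCondition: function (f, v) { terms.push('OR ' + f + '=' + v); }
      };
    }
  };
}

// Returns the query restriction the rule would apply for a given user.
function restrictionFor(userId, roles) {
  var current = mockCurrent();
  incidentQueryRule(current, mockGs(userId, roles));
  return current.terms;
}

// Constructed sample users; the sys_ids are placeholders.
console.log(restrictionFor('carlos_sys_id', ['incident_reader'])); // []
console.log(restrictionFor('guest_sys_id', []));
// [ 'caller_id=guest_sys_id', 'OR opened_by=guest_sys_id' ]
```

An empty term list means the rule applied no filter, so the ACLs decide access; a non-empty list means the database query itself is narrowed before any ACL runs, which is why Carlos saw zero records.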
