Problem of ACL

aymane · 3 weeks ago

Hello,

Please could you help me with this problem, on the table sc_req_item

I have this query filter : company.nameLIKElafa^sys_created_onBETWEENjavascript&colon;gs.dateGenerate('2025-12-01','00:00:00')@javascript&colon;gs.dateGenerate('2026-01-13','23:59:59')^cat_item.price>javascript&colon;global.getCurrencyFilter('sc_cat_item','price', 'EUR;0').

However, i have a error message : Part of the query on sc_req_item has been ignored because of insufficient access for 'query_range' operation on sc_req_item.cat_item.price

I have verified my ACLs but I didn't figure out how to fixe it. Could you help me please ?

Chaitanya ILCR · 3 weeks ago

Hi @aymane ,

go to the ACLs and add this filter and see if you find any relevant ACLs and try disabling them

look for query_range ACLs sc_req_item.* or sc_req_item.cat_item or sc_cat_item.price or sc_cat_item.*

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

vaishali231 · 3 weeks ago

hey @aymane

This error occurs because ServiceNow enforces query ACLs separately from read ACLs.

Even if a user can read sc_cat_item.price, they may still not be allowed to use range operators (>, <, BETWEEN) on that field, especially when it is dot-walked from sc_req_item.

The error clearly indicates a missing query_range permission.

Option 1 : Add Query ACL on sc_cat_item.price

This is the cleanest and best solution.

Steps: Create a new ACL with the following values:

Type: Record

Table: sc_cat_item

Field: price

Operation: query_range

Set the same roles or conditions that already have read access to the price field

Save the ACL

This explicitly allows range filters (>, <, BETWEEN) on the price field and fixes the warning.

Option 2: Table-level query_range ACL

If you want to allow range filtering on multiple fields:

Table: sc_cat_item

Field: leave empty

Operation: query_range

Note:
This allows range queries on all fields of the table, so use only if acceptable from a security perspective.

Option 3: Avoid Dot-Walking

If ACL changes are not allowed

First query sc_cat_item and identify items matching the price condition

Then filter sc_req_item using:

cat_item IN <list of sys_ids>

*************************************************************************************************************
If this response helps, please mark it as Accept as Solution and Helpful.
Doing so helps others in the community and encourages me to keep contributing.

Regards
Vaishali Singh

SinghShailendra · 3 weeks ago

Since sc_req_item.cat_item is a reference field, create ACL on the dot-walked field:

Type: read
Name: sc_req_item
Field specification: cat_item.price
Operation: query_range
Requires role: [your_role]

Kindly Mark helpful if it makes sense.

Regards,
Shailendra

Ankur Bawiskar · 3 weeks ago

@aymane

approach from @Najmuddin Mohd and @Chaitanya ILCR should help you

Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader

Tejas Adhalrao · 3 weeks ago

hi @aymane ,

n the latest ServiceNow versions, a new query range ACL is created automatically for some tables. This ACL controls who can run queries using operators like >, <, or BETWEEN.

That’s why your filter is failing — you don’t have access for this query range check.

To fix it, open the ACLs for that table (for example, sc_cat_item.price) and review the query range rule.

You can also use “Debug Security Rules” or the Script Debugger to see which ACLs are being checked in the background when your query runs.

If you found my solution helpful, please mark it as Helpful or Accepted Solution...!

thanks,

tejas

Email: adhalraotejas1018@gmail.com

LinkedIn: https://www.linkedin.com/in/tejas1018