Vendors Unable to View Questionnaires in TPRM SVDP Portal After Query Range ACL Update

anand-bhosle
Tera Guru

🔹Introduction

In May 2025, ServiceNow introduced stricter ACL enforcement (query_range and query_match) at the platform level. While this change improved platform security, it unintentionally impacted some business-critical use cases in the Third-Party Risk Management (TPRM) SVDP Vendor Portal.

This post explains the issue, symptoms, root cause, and the resolution that worked for us, so others facing similar challenges can resolve it faster.


🔹Problem Statement

External vendors logging into the SVDP portal were able to:

  • Authenticate successfully.

  • Open their assigned assessments.

  • But could not see any questionnaires (new or existing).

Instead, vendors saw:

  • Portal message: “There are currently no questionnaires associated to this assessment.”

  • Error trace: “Part of the query on asmt_assessment_instance has been ignored because of insufficient access for 'query_range' operation…”

This blocked critical due diligence workflows, as vendors were unable to submit responses.


🔹Root Cause

  • Platform Change: In May 2025, ServiceNow introduced query_match and query_range ACLs across tables.

  • Impact on TPRM: These ACLs were automatically applied to the asmt_assessment_instance table used by TPRM.

  • Effect: Vendor contacts accessing the portal did not pass the new ACL conditions → questionnaires hidden.

  • Defect Reference: PRB1889679.


🔹Resolution

1. Short-Term Workaround

  • Replaced GlideRecordSecure with GlideRecord in all of our Vendor Portal-related widgets.

  • Removed strict ACL checks (addEncodedQuery(<query>, true) → addEncodedQuery(<query>)).

  • Updated 23 GRC Vendor Portal files.

  • Validated successfully in Test/UAT.

2. Long-Term Fix

  • ServiceNow backported the official fix to Xanadu Patch 9.

  • We upgraded our TPRM application to a newer version (21.0.1).

  • Production upgrade (Yokohama) scheduled for October 2025 to permanently align with the OOB fix.

🔹Lessons Learned & Recommendations

  1. Stay current on platform patches – security ACL updates can silently break portal behavior.

  2. Regression testing – include portal ACL/visibility checks in UAT for future upgrades.

  3. Vendor communication plan – have a fallback process to keep vendors informed when portal access is blocked.

  4. Plan for upgrades – avoid relying on temporary update sets, since they are reverted in future upgrades.


We have also encountered query_range ACL errors in our custom scoped apps; we added a new query_range ACL and updated it with the scoped role, which fixed our issue.

Happy to answer any questions you may have. I hope this post helps people who are looking for an answer.

Thanks
Anand

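An added example, not code from the original post or from ServiceNow: the short-term workaround above swaps GlideRecordSecure for GlideRecord and drops the second argument of addEncodedQuery, so the changed widgets query without ACL enforcement until they are reverted. The Node.js script below inventories those spots in exported widget server scripts so each can be restored after the upgrade; the widget names and script bodies are constructed sample data, and the issue labels are hypothetical.

```javascript
// Constructed sample data: hypothetical widget names and server scripts.
const WIDGETS = [
  { name: 'vendor_questionnaire_list', script: [
    "var gr = new GlideRecord('asmt_assessment_instance');",
    "gr.addEncodedQuery('state=ready^user=' + gs.getUserID());",
    "gr.query();"].join('\n') },
  { name: 'vendor_assessment_header', script: [
    "var gr = new GlideRecordSecure('asmt_assessment_instance');",
    "gr.addEncodedQuery(data.filter, true);",
    "gr.query();"].join('\n') },
  { name: 'vendor_contact_card', script: [
    "// new GlideRecord('sys_user') was replaced",
    "var u = new GlideRecordSecure('sys_user');",
    "u.get(gs.getUserID());"].join('\n') },
];

// Drop block comments and full-line // comments, keeping line numbers stable.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ''))
            .replace(/^[ \t]*\/\/.*$/gm, '');
}

// Count top-level arguments of the call whose "(" sits at index `open`.
function countArgs(src, open) {
  let depth = 0, quote = null, commas = 0, seen = false;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === '\\') i++; else if (c === quote) quote = null; continue; }
    if (c === '"' || c === "'") { quote = c; seen = true; continue; }
    if ('([{'.includes(c)) { if (depth++ > 0) seen = true; continue; }
    if (')]}'.includes(c)) { if (--depth === 0) return seen ? commas + 1 : 0; continue; }
    if (c === ',' && depth === 1) commas++;
    else if (!/\s/.test(c)) seen = true;
  }
  return -1; // unbalanced call, cannot classify
}

// Report non-secure GlideRecord use and addEncodedQuery calls with one argument.
function auditWidget(widget) {
  const src = stripComments(widget.script), findings = [];
  const lineOf = (i) => src.slice(0, i).split('\n').length;
  for (const m of src.matchAll(/new\s+GlideRecord\s*\(\s*['"]([^'"]+)['"]/g))
    findings.push({ widget: widget.name, line: lineOf(m.index), issue: 'GlideRecord', table: m[1] });
  for (const m of src.matchAll(/\.addEncodedQuery\s*\(/g))
    if (countArgs(src, m.index + m[0].length - 1) === 1)
      findings.push({ widget: widget.name, line: lineOf(m.index), issue: 'addEncodedQuery-1arg' });
  return findings;
}
const auditAll = (widgets) => widgets.flatMap(auditWidget);
console.log(auditAll(WIDGETS));
```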