Persona: Admins, architects, and developers who own access control configuration

 

Overview

If you are done tolerating guesswork in access debugging and you want deterministic visibility, clean diagnostics, and prescriptive actions. With Access Analyzer and ServiceNow’s ACL Debugging Tools, you have the right tools to understand why users can-or cannot-access a record, field, UI page, script include, or REST endpoint.

This guide operationalizes those tools into a repeatable playbook for you to run in minutes-not hours.

 

Start with the Source of Truth: Access Analyzer

Access Analyzer answers the most painful question in identity governance:

• "What exactly does this user have access to, and why?"

The tool impersonates identities and evaluates access to tables, records, fields, UI pages, client-callable script includes, and REST APIs.

 

When to Use It

Use Access Analyzer upfront whenever you hear:

• "User cannot see a field."
• "Role was added and they still have no access."
• "Why does user A see more than user B?"
• "Which ACL is blocking my integration?"

This is not optional - this is your first line of triage.

 

What It Actually Evaluates

Access Analyzer runs a strict evaluation hierarchy to determine permissions, exactly in this sequence:

• Business Rules
• Access Control Lists (ACLs)
• Security Data Filters

If any of those layers deny access, the rest will short-circuit.

 

Key UI Elements That Matter

• Passed / Blocked / Skipped / Undefined statuses for each operation (read, write, delete, etc.)
• Alert Icons showing an ACL script is involved-expect conditional logic or custom code to be driving behavior.
• Debug Logs that reveal exactly which ACL passed, which were skipped, and which rule contributed to the final outcome.

 

Compare Access for Root-Cause Analysis

Comparing two users reveals role, group, and ACL state differences with precision:

• Level 1: roles, groups, user attributes
• Level 2: actual access control evaluation differences for a table/record/field

When a new hire asks "Why do I not see what my coworker sees?", this is your silver bullet.

 

Go Deeper with ACL Debugging Tools

Once Access Analyzer tells you what happened, ACL debugging tools tell you how and where it happened.

 

Enable Field-Level Debugging

Turning on Debug Security Rules exposes bug icons next to each field with direct visibility into ACL evaluation results and order.

This is the fastest way to:

• Confirm ACL evaluation order
• Identify field vs. table ACL collisions
• See real-time pass/fail results per ACL rule
• Validate role, condition, and script behavior

 

ACL Rule Output Messages Reveal the Execution Path

Every debug output block includes:

• TIME - total ACL evaluation time
• PATH - rule type/name/operation uniquely identifying the ACL
• CONTEXT - object being evaluated
• RC - return code (true/false)
• Detailed breakdown:
  • IAccessHandler
  • Roles
  • Security Attributes
  • Data Conditions
  • Controlled By Reference
  • Script logic

This is your ground truth for confirming if the ACL you think is running… is actually running.

 

ACL Configuration Watcher Prevents Misconfigurations

When modifying ACLs, the ACL Configuration Watcher pops up showing:

• Which ACLs will be added
• Which will be masked or overridden
• Which ACLs downstream will be impacted

If you're not using this, you're basically editing ACLs blindfolded.

 

Common Scenarios and Fast Solutions

Below are the enterprise-ready patterns every admin sees-and the fastest fix path.

 

Scenario 1 - User Can't Access a Custom Table

• Cause: No explicit table ACL exists. User falls into wildcard behavior which defaults to admin-only.

Fix:

• Create proper table-level ACLs for the custom table.
• Use Access Analyzer à Evaluate Access to confirm role access.

 

Scenario 2 - Field ACL Doesn't Work

• Cause: A table ACL is failing first, short-circuiting field ACLs.

Fix:

• Debug Security Rules à Check table-level ACLs that run before fields.

 

Scenario 3 - Scripted ACL Permits Access, But Analyzer Shows an Alert

• Cause: The ACL script is in play. Analyzer marks the operation as Passed with Alert icon.

Fix:

• Open Debug Logs
• Inspect Script evaluation
• Validate GlideRecord queries and returned booleans

 

Scenario 4 - User Can See Field in List but Not in Form

• Cause: Conditions or scripts behave differently by UI context (lists vs. forms).

Fix:

• Verify ACL condition/script consistency across UIs.
• Test via impersonation + Debug Security Rules.

Scenario 5 - REST API Access Denied

• Cause: Missing execute ACL for REST endpoint; Access Analyzer supports only execute for REST calls.

Fix:

• Evaluate Access ‚Üí REST Endpoint
• Verify required roles
• Check IAccessHandler in debug logs (cannot be overridden)

 

Proactive Access Design: Simulate Before You Deploy

The Access Simulator allows you to preview access impact when adding/removing roles or groups-before you commit changes.

• Add Role
• Remove Role
• Add to Group
• Remove from Group

All with access impact visualization on a chosen table/record/field.

This reduces production issues and speeds governance approvals.

 

Recommended Steps

1. Reproduce the issue as the user (impersonate)
2. Evaluate Access in Access Analyzer
   1. Identify which layer blocked access
3. Open Debug Logs
   1. Validate business rules, ACLs, Security Data Filters
4. Run Field-Level ACL Debugging
   1. Observe table/field ACL pass/fail in real time
5. Compare Access (User vs. User)
   1. Identify missing roles or conflicting ACL behavior
6. Simulate Change with Access Simulator
   1. Validate fix before applying
7. Implement update (roles/groups/ACL adjustments)
8. Re-evaluate using Access Analyzer & impersonation

This workflow helps you debug access-related tickets with confidence.

 

Additional Resources

For more information, consult the following ServiceNow documentation:

• ServiceNow University – Introduction to Access Controls
• Access Control List Rules Documentation
• Security Data Filters Documentation
• New Access Control Features (Xanadu/Yokohama/Zurich)
• Planning your access control strategy
• Configure ACLs the right way