Users with delete permissions cannot delete on a custom table

Tony V
Kilo Sage

3 hours ago - last edited 3 hours ago

I built a couple custom tables and granted delete permissions to a particular role,but users wiht that role still cannot delete records.

 

The custom tables are in the Global scope and are not extended from any other table.

When I created them the system automatically creates roles for each

   I did not create any UI or Data policies

   I did not create any UI actions - I am relying on the default global actions

I then created another role and added both of the table roles as child roles

I created read, write, create, and delete ACLs and added the parent role

I added the 'parent' role to a group

When I impersonate a user in the group they can read,  write, and create, but cannot delete.

In the list view the Delete option is grayed out on the context menu and when viewing in form view the Delete UI action is not visible.

When I, as an admin, go to the tables I can delete - that is Delete is not grayed out in the list view and I see the Delete UI action when in form view. So this is clearly a permission issue.

 

What did I overlook?

0 Helpfuls
  • 102 Views
1 REPLY 1

KrishnaMohan
Giga Sage

44m ago - last edited 44m ago

HI @Tony V 

Have to try/debug with Access Analyzer?

Access Analyzer is a lifesaver for this because it removes the "guesswork" of impersonating and clicking around. Since you are in a Global scope with custom tables, it will quickly pinpoint if the issue is a specific ACL, a missing role, or a table-level constraint.

Here is how to run the analysis to find your "missing" Delete permission:

1. Open Access Analyzer

In the Filter Navigator, go to System Security > Access Analyzer > Evaluate Access.

2. Configure the Test

Fill out the analyzer form as follows:

  • Analyze by: Select User or Role or Group.

  • User: Select the specific user you were impersonating (the one in the group with the parent role).

  • Rule type: Select Table (Record).

  • Table: Search for your custom table name.

  • Record: (Optional) If you have specific records with different conditions, select one. Otherwise, leave it blank to test general table access.

Click Analyze Permissions.

3 . Read the Results

The results will appear in a clean table showing Create, Read, Write, and Delete.

  • Look at the Delete row. It will likely show a red "Blocked" or "Denied" status.

  • Click the "Blocked" link in that row. This is the "magic" step—it will open a side panel or list showing exactly which ACLs were evaluated.

KrishnaMohan_0-1770341639506.png

KrishnaMohan_1-1770341794225.png

References: https://www.servicenow.com/community/platform-privacy-security-blog/vancouver-release-customers-gain...

 

If this helped to answer your query, please mark it helpful & accept the solution.
Thanks!
Krishnamohan

 

 

0 Helpfuls