ACL "Requires role" shows (empty) but the role reference isn't actually empty — how to fix?
9 hours ago
Environment: Zurich, High Security active. Same behavior on dev/test/prod.
Impact: A user with only the snc_internal role can currently create, update, delete, and copy Service Catalog items, delete/update incidents and requested items (RITMs), and likely more — none of which they should be able to do. Security debug confirms it's really granting, not just showing buttons.
Several OOB ACLs (sc_cat_item create/write/delete) and UI Actions (e.g. "Copy") show their Requires role as (empty), which is why this is happening.
But the role field isn't truly empty:
- Roles like catalog_admin exist in sys_user_role.
- On sys_security_acl_role / sys_ui_action_role, filtering sys_user_role IS EMPTY or show matching returns nothing — so the field has a value but it renders as (empty) and doesn't enforce.
- It affects many roles, not just catalog_admin.
How do I fix this? Has anyone seen this after a clone/upgrade?
@Servicenow
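The check described in the post above (a role reference that holds a value but resolves to no role), as an added example that is not part of the original post and is not ServiceNow code. It assumes the rows of sys_user_role and of sys_security_acl_role or sys_ui_action_role were exported as JSON; the function names and sample sys_ids are constructed for illustration.

```javascript
// Added example, not ServiceNow code. Input is assumed to be JSON rows exported
// from sys_user_role and from a junction table (sys_security_acl_role or
// sys_ui_action_role), for instance through the Table API.

// A reference field may arrive as a bare sys_id string or as {value, link}.
function refValue(field) {
  if (field && typeof field === 'object') return String(field.value || '').trim();
  return String(field || '').trim();
}

// Classify every junction row whose sys_user_role does not resolve to a role.
// 'empty' = no value stored; 'orphaned' = sys_id stored but no such role row.
function findUnresolvedRoleRefs(roleRows, junctionRows, parentField) {
  const known = new Set(roleRows.map((r) => refValue(r.sys_id)));
  const findings = [];
  for (const row of junctionRows) {
    const role = refValue(row.sys_user_role);
    if (role !== '' && known.has(role)) continue; // healthy reference
    findings.push({
      row: refValue(row.sys_id),
      parent: refValue(row[parentField]),
      role,
      reason: role === '' ? 'empty' : 'orphaned',
    });
  }
  return findings;
}

// Count orphaned rows per missing role sys_id, to see how many roles are involved.
function countByMissingRole(findings) {
  const counts = {};
  for (const f of findings) {
    if (f.reason === 'orphaned') counts[f.role] = (counts[f.role] || 0) + 1;
  }
  return counts;
}

// Constructed sample data (all sys_ids are made up).
const sampleRoles = [{ sys_id: 'r1'.padEnd(32, '0'), name: 'catalog_admin' }];
const sampleAclRoles = [
  { sys_id: 'j1', sys_security_acl: 'acl1', sys_user_role: 'r1'.padEnd(32, '0') },
  { sys_id: 'j2', sys_security_acl: 'acl2', sys_user_role: { value: 'r9'.padEnd(32, '0') } },
  { sys_id: 'j3', sys_security_acl: 'acl3', sys_user_role: 'r9'.padEnd(32, '0') },
  { sys_id: 'j4', sys_security_acl: 'acl4', sys_user_role: '' },
];
const sampleFindings = findUnresolvedRoleRefs(sampleRoles, sampleAclRoles, 'sys_security_acl');
console.log(sampleFindings, countByMissingRole(sampleFindings));
```

The per-role counts give a concrete list of unresolved sys_ids to attach to a support case.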
2 hours ago
I would contact ServiceNow Support. Something like this happened to me a few years back. They had to run a script to fix it.