ACL "Requires role" shows (empty) but the role reference isn't actually empty — how to fix?

bharathbunny
Tera Contributor

Environment: Zurich, High Security active. Same behavior on dev/test/prod.

Impact: A user with only the snc_internal role can currently create, update, delete, and copy Service Catalog items, delete/update incidents and requested items (RITMs), and likely more — none of which they should be able to do. Security debug confirms it's really granting, not just showing buttons.

Several OOB ACLs (sc_cat_item create/write/delete) and UI Actions (e.g. "Copy") show their Requires role as (empty), which is why this is happening.

But the role field isn't truly empty:

  • Roles like catalog_admin exist in sys_user_role.
  • On sys_security_acl_role / sys_ui_action_role, filtering sys_user_role IS EMPTY or show matching returns nothing — so the field has a value but it renders as (empty) and doesn't enforce.
  • It affects many roles, not just catalog_admin.

How do I fix this? Has anyone seen this after a clone/upgrade?
@Servicenow 

1 REPLY

brianlan25
Kilo Patron

I would contact ServiceNow Support. Something like this happened to me a few years back. They had to run a script to fix it.
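
One way to enumerate the rows described in the question, as an added example that is not part of the thread and not ServiceNow's own code: it classifies exported sys_security_acl_role / sys_ui_action_role rows by whether sys_user_role resolves to an exported sys_user_role record. It assumes the symptom is a stored sys_id that matches no role record; the parent field name `sys_security_acl`, the function names and the sample rows are assumptions constructed for illustration.

```javascript
// A reference field exports as a bare sys_id string or as { link, value };
// normalise both shapes to the sys_id ('' when the field is unset).
function refValue(field) {
  if (field && typeof field === 'object') return String(field.value || '');
  return String(field || '');
}

// Classify role-link rows (sys_security_acl_role or sys_ui_action_role):
//   ok       - sys_user_role matches an exported sys_user_role record
//   empty    - sys_user_role is genuinely unset
//   dangling - sys_user_role holds a sys_id that matches no role record
//              (assumed cause of "(empty)" rows that an IS EMPTY filter misses)
function classifyRoleLinks(roleRows, linkRows, parentField) {
  const known = new Map(roleRows.map(r => [refValue(r.sys_id), r.name]));
  const report = { ok: [], empty: [], dangling: [] };
  for (const row of linkRows) {
    const roleId = refValue(row.sys_user_role);
    const entry = { link: refValue(row.sys_id), parent: refValue(row[parentField]),
                    roleId, roleName: known.get(roleId) || null };
    if (roleId === '') report.empty.push(entry);
    else if (known.has(roleId)) report.ok.push(entry);
    else report.dangling.push(entry);
  }
  return report;
}

// Parents (ACLs or UI Actions) left with no link to an existing role.
function parentsWithoutValidRole(report) {
  const valid = new Set(report.ok.map(e => e.parent));
  const broken = new Set();
  for (const e of report.dangling.concat(report.empty)) {
    if (!valid.has(e.parent)) broken.add(e.parent);
  }
  return [...broken].sort();
}

// Constructed sample rows (placeholder ids, not real sys_ids).
const SAMPLE_ROLES = [
  { sys_id: 'role-1', name: 'catalog_admin' },
  { sys_id: 'role-2', name: 'itil' },
];
const SAMPLE_ACL_ROLES = [
  { sys_id: 'link-1', sys_security_acl: { value: 'acl-1' }, sys_user_role: { value: 'role-1' } },
  { sys_id: 'link-2', sys_security_acl: { value: 'acl-2' }, sys_user_role: { value: 'stale-1' } },
  { sys_id: 'link-3', sys_security_acl: 'acl-3', sys_user_role: 'stale-2' },
  { sys_id: 'link-4', sys_security_acl: 'acl-3', sys_user_role: 'role-2' },
  { sys_id: 'link-5', sys_security_acl: 'acl-4', sys_user_role: '' },
];
```

The check only reads exported data, so its output can be attached to a support case as the list of affected ACLs and UI Actions.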