What is ACL operation conditional_table_query_range?

Michael255
Kilo Sage

‎05-14-2025 07:49 PM - edited ‎05-14-2025 08:13 PM

Hi all... with the latest security maintainance the system created many ACLs for operation:

 

conditional_table_query_range

 

I am trying to plan fixes for what the maintenance missed, and I seems I may need to create some of these, but there is zero documentation I can find for this operation.

 

Operation 'query_range', I understand, but it is odd that conditional_table_query_range is unmentioned (unless I have missed it)

 

One thing I have noticed is that query_range acls made by the system are always for role 'public' and the conditional_table_query_range ones have other roles attached.

0 Helpfuls
  • 4,384 Views
8 REPLIES 8

Mark Manders
Mega Patron

‎05-14-2025 11:39 PM

https://www.linkedin.com/posts/cchu124_understanding-servicenows-may-2025-query-activity-73282822129...

 


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
0 Helpfuls

Michael255
Kilo Sage
In response to Mark Manders

‎05-15-2025 12:01 AM

Unfortunately this link doesn't mention anything about the operation in question.

Daniel Oderbolz
Kilo Sage
In response to Mark Manders

‎05-17-2025 01:35 AM

As I discussed in my comment I think the analysis of this article is incomplete and contains incorrect information.

The operations "query_range" and "query_match" existed at least since the Washington D.C release.

And as others have pointed out, the article does not discuss "conditional_table_query_range", which I think is the key component here.

 


If this answer was helpful, I would appreciate if you marked it as such - thanks!

Best
Daniel

B_39
Tera Guru

‎05-15-2025 06:40 AM

Hi Michael,

This operation will only be checked from compound security attributes using a SAB_* security attributes. The SAB_* calls:
new global.SNCAPICallWrapper().hasRightsToConditionalTableQueryRange([table_name_here]);

The wrapper does than call the security manager to check if the user has access to this path:
"record/" + tableName + "/conditional_table_query_range";
So in most cases I saw, you end up having this ACL check the ACL with the mentioned operation, which does hold roles derived from the already implemented ACLs (still trying to figure out, when which role will be used).

This means you might want to check if the automated setup is missing some of your processes roles.
Eventually this article helps too: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2130442

Yet not 100% sure, if the operation would be evaluated on its own without those secondary ACL since the operation itself was introduced in April.

Hope this helped from some point of view.