Access Control Debugging - Inconsistent Behavior

GeoffreyOptumOp
Tera Expert

I wanted to better understand Access Controls and what happens when various conditions are Not satisfied...

I created a brand new table called "plant" (u_plant), and created some records.  Then I turned on debugging and tried accessing the table by impersonating a user who does NOT have the u_plant_user role.  As expected, the user is unable to see any of the records in the table, and a message is displayed which says "Security constraints prevent access to the requested page", as you can see below.

But I am getting EXTREMELY inconsistent behavior in the Access Control messages which are displayed.  There seem to be at least 4 different behaviors:

1)  I get just a few Access Control messages displayed at the bottom of the page, and I see the one I expect, with a red X next to it, that says "ui_page/u_plant_list/read".  This is great, but happens only RARELY, and I can't figure out when.

2)  I get the expected message, as you can see in the screenshot below, but the Access Control PASSED, and is green, even though no records are displayed and the "Security constraints" message is displayed at the top of the page.

3)  I get many Access Control messages, including some from tables I don't even expect to see, and I can't find the message I'm looking for at all.

4)  I get a HUGE number of Access Control messages, like 50 pages worth, and again, I still do not see the message I expect.

So I guess my question is...  What can I do to get much more consistent behavior when debugging Access Controls?  And have others run into this?  Thanks!!

3 REPLIES

Craig Gruwell
Mega Sage

If you click on the blue link, it takes you to the OOB ui_page read ACL that grants all internal users access to the UI Pages without any restriction.  So all this is saying so far is you have access to the ui_page that lists all the records of the table, but there are more ACL checks to occur, specifically table ACLs and field ACLs.

In your instance, what is the value configured for the system property "glide.sm.default_mode"?

Do you have any ACLs defined for u_plant?

The value is "deny":

Yes, I have the Access Controls which were created by default when I created the table:

GeoffreyOptumOp
Tera Expert

Update 02/28/2022.  I entered a support case for this issue, the inconsistent behavior of the security debug messages appearing at the bottom of the form, and a ServiceNow technician was able to reproduce the issue.  It's currently sitting in the Developer's queue for someone to look at, but they have not yet created a Problem record.  Thanks all...