10-18-2023 07:54 AM
Any idea how to find ACLs that have no roles associated?
In list view on sys_security_acl you can easily filter for Condition = empty and script = empty.
Role however is more like a related list, and I can't report on this table in the reporting module.
10-18-2023 07:25 PM
I used this:
instanceName.service-now.com/sys_security_acl_list.do?sysparm_query=script%3DNULL%5EconditionISEMPTY%5ERLQUERYsys_security_acl_role.sys_security_acl%2C%3D00%2Cm2m%5EENDRLQUERY
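
What the posted sysparm_query contains once percent-decoded, as an added example that is not part of the original post. `parseEncodedQuery` is a hypothetical helper name, and reading the RLQUERY header as `<related table>.<reference field>,<operator><count>` with `m2m` as a trailing flag is an assumption about the encoded-query syntax.

```javascript
// Added example, not from the thread. The URL is the one posted above with an
// https:// scheme prepended so it parses; instanceName is the poster's placeholder.
const POSTED_URL = 'https://instanceName.service-now.com/sys_security_acl_list.do' +
  '?sysparm_query=script%3DNULL%5EconditionISEMPTY%5ERLQUERYsys_security_acl_role' +
  '.sys_security_acl%2C%3D00%2Cm2m%5EENDRLQUERY';

// parseEncodedQuery is a hypothetical helper name. It handles only what this
// query uses: ^-joined terms and RLQUERY ... ENDRLQUERY blocks.
function parseEncodedQuery(url) {
  // searchParams.get() percent-decodes: %5E -> ^, %2C -> comma, %3D -> =
  const query = new URL(url).searchParams.get('sysparm_query');
  if (query === null) throw new Error('URL has no sysparm_query parameter');

  const result = { query, conditions: [], relatedLists: [] };
  let open = null; // the RLQUERY block currently being read, if any
  for (const term of query.split('^')) {
    if (term.startsWith('RLQUERY')) {
      if (open) throw new Error('nested RLQUERY is not handled here');
      // Assumed header layout: <related table>.<reference field>,<operator><count>[,flag]
      const [ref, comparison, ...flags] = term.slice('RLQUERY'.length).split(',');
      const m = /^(>=|<=|!=|=|>|<)(\d+)$/.exec(comparison || '');
      const dot = ref.indexOf('.');
      if (!m || dot < 1) throw new Error('unrecognised RLQUERY header: ' + term);
      open = { table: ref.slice(0, dot), field: ref.slice(dot + 1),
               operator: m[1], count: Number(m[2]), flags, conditions: [] };
    } else if (term === 'ENDRLQUERY') {
      if (!open) throw new Error('ENDRLQUERY without RLQUERY');
      result.relatedLists.push(open);
      open = null;
    } else if (term !== '') {
      // Inside a block the term filters the related table, otherwise the list's own table
      (open ? open.conditions : result.conditions).push(term);
    }
  }
  if (open) throw new Error('RLQUERY block is not closed by ENDRLQUERY');
  return result;
}

const parsed = parseEncodedQuery(POSTED_URL);
console.log(parsed.query);
console.log(JSON.stringify(parsed, null, 2));
```

For the URL in this thread it returns two conditions on sys_security_acl (`script=NULL`, `conditionISEMPTY`) and one related-list block on sys_security_acl_role with operator `=` and count 0.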

10-18-2023 08:01 AM
Hi @Johnathan R ,
Maybe add this table to the property glide.ui.permitted_tables?
My 2 cents for progress on this topic 😉
10-18-2023 07:14 PM - edited 10-18-2023 07:15 PM
You would likely have to build a database view to see in reports. So, what I did was write a script that you can run as a background script. It will take a while, depending on the size of your instance. We are mostly OOTB regarding ACLs, and luckily, my results came back with nothing interesting.
Also, I added a PR to https://github.com/bsysop/servicenow with some additions that might help you scan your instances for either the widget being public AND if it is actually leaking data because of an ACL. Credit to bsysop for starting the repo.
Give me a thumbs up if this helped you, thanks!
// Create a GlideRecord query for sys_security_acl
var aclGr = new GlideRecord('sys_security_acl');
aclGr.addNullQuery('script'); // ACLs without a script
aclGr.addNullQuery('condition'); // ACLs without a condition
aclGr.query();
// Create an empty array to store ACLs without assigned roles
var aclsWithoutRoles = [];
// Iterate through ACL records
while (aclGr.next()) {
    // Check if the ACL has no assigned roles
    var roleGr = new GlideRecord('sys_security_acl_role');
    roleGr.addQuery('sys_security_acl', aclGr.getUniqueValue());
    roleGr.setLimit(1); // Existence check only, one row is enough
    roleGr.query();
    if (!roleGr.hasNext()) {
        // ACL has no assigned roles. Store copies of the values, not aclGr itself:
        // the same GlideRecord object is reused on every next(), so pushing it
        // would leave every array entry pointing at the last row read.
        aclsWithoutRoles.push({
            name: aclGr.getValue('name'),
            sys_id: aclGr.getUniqueValue()
        });
    }
}
// Print ACLs without script, conditions, and assigned roles
for (var i = 0; i < aclsWithoutRoles.length; i++) {
    gs.info('ACL Name: ' + aclsWithoutRoles[i].name);
    gs.info('ACL sys_id: ' + aclsWithoutRoles[i].sys_id);
}
10-24-2023 08:21 AM
Can you explain what the related list condition is doing?