<?xml version="1.0" encoding="utf-8" ?>

<j:jelly trim="false" xmlns:j="jelly:core" xmlns:g="glide" xmlns:j2="null" xmlns:g2="null">

<g:evaluate var="jvar_asc_client_list">

  var gr = new GlideRecordSecure ('table');

  var tableData = "<td>";

  gr.addQuery ('active', true);

  gr.addQuery ('reference.sys_id', reference);

  gr.addQuery ('another field', true);

  gr.query();

  while (gr.next())

  {

  tableData += "<tr>" + gr.name + "</tr>";

  }

  tableData += "</td>";

  tableData;

</g:evaluate>

<g:no_escape>${jvar_asc_client_list}</g:no_escape>

</j:jelly>

Note that I changed some of the fields as the data in question is confidential.

Thanks

Check that series of queries (ah, poetry.) You shouldn't need to dot walk to a sys_id (especially in the field name) as a reference field is already a sys_id.

The fact that it shows the right fields to the elevated user indicates the queries should be working. If it's an ACL issue, turn on security debugging (System Diagnostics> Debug Security) and then test your macro to see if you can isolate which ACLs may be causing the issue.

The problem is that the restricted user has role A.   The enhanced user has roles B, C, and D.   The table already deals with ASCs for roles B, C, and D.

Obviously the fix would be to use an ACL to role A to open it up to the table.   But that has not worked.

For some reason, ACL logging is not working on the restricted user.

Just to double check, you enabled debugging then impersonated the user, right? If you logging out and logging back in, that disables/turns off debugging. It remains persistent through an impersonation.