Access Control Issue with Service Catalog Visibility in ServiceNow

pavan_bolle
Tera Contributor

I am using the ServiceNow dev instance `devXXXXXX.service-now.com`. While investigating access controls, I observed a potential data leak or unexpected behavior.


When logged in as an Admin user, I can search and view all available catalogs. However, when logged in with the "ML Report Role" or "Business Stakeholder Role," I cannot navigate to the Service Catalog items through the UI.


Interestingly, when I copy and paste a Service Catalog item URL directly (from an Admin user session) into the browser of a user with either the "ML Report Role" or "Business Stakeholder Role," I can view the content, even though the items are not accessible through navigation.


My questions are:

1. Is this expected behavior?

   - If so, why is the navigation not available to users with the "ML Report Role" or "Business Stakeholder Role"?

2. If it’s not expected, does this behavior indicate a security vulnerability?


Thank you for your help and prompt response!
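The situation described in the post (an item hidden from catalog navigation for a role, yet served when that role opens its URL directly) is the classic gap between hiding a link and authorizing the record behind it. The following Node.js script is an added example, not the poster's code and not ServiceNow's API or data model: the catalog items, role names (`ml_report`, `business_stakeholder`) and ids are constructed. It contrasts a direct-URL handler that only checks the item exists with one that enforces a read ACL, and includes an `auditHiddenButReadable` check that lists, for a given role, every item that navigation hides but a direct fetch still returns. That list is what an administrator would review to decide whether each entry is an intended "readable but not browsable" item or a missing read restriction.

```javascript
// Constructed sample data: each catalog item carries the roles that see it in
// navigation (navRoles) and the roles allowed to read the record (readRoles).
// Ids and role names are made up; this models the idea, not ServiceNow's tables.
const CATALOG_ITEMS = [
  { id: "item-001", name: "Laptop request",  navRoles: ["admin", "itil"], readRoles: ["admin", "itil"] },
  { id: "item-002", name: "Report export",   navRoles: ["admin"],         readRoles: ["admin", "ml_report"] },
  { id: "item-003", name: "Vendor contract", navRoles: ["admin"],         readRoles: ["admin"] },
];

function hasAnyRole(userRoles, allowed) {
  return allowed.some((r) => userRoles.includes(r));
}

// What the user sees in the catalog UI: only items whose navRoles match.
function listNavigation(userRoles) {
  return CATALOG_ITEMS.filter((it) => hasAnyRole(userRoles, it.navRoles)).map((it) => it.id);
}

// Weak pattern: the direct URL handler only checks that the item exists.
// Hiding the link in navigation is then the only thing keeping other roles away.
function fetchByUrlNoAcl(userRoles, id) {
  const item = CATALOG_ITEMS.find((it) => it.id === id);
  return item ? item.name : null;
}

// Hardened pattern: the direct URL handler enforces the read ACL itself, so the
// result does not depend on whether the user could find the link.
function fetchByUrlWithAcl(userRoles, id) {
  const item = CATALOG_ITEMS.find((it) => it.id === id);
  if (!item || !hasAnyRole(userRoles, item.readRoles)) return null; // deny by default
  return item.name;
}

// Audit: for a role, which items are hidden from navigation yet still readable
// when fetched by id? Each hit is either an intended visibility setting or a
// missing read restriction, and deserves an explicit decision.
function auditHiddenButReadable(userRoles, fetcher) {
  const visible = new Set(listNavigation(userRoles));
  return CATALOG_ITEMS
    .filter((it) => !visible.has(it.id) && fetcher(userRoles, it.id) !== null)
    .map((it) => it.id);
}

// Stand-alone run: compare both handlers for a non-admin role.
if (typeof require !== "undefined" && require.main === module) {
  const roles = ["ml_report"];
  console.log("navigation for ml_report:", listNavigation(roles));
  console.log("hidden but readable (no ACL):  ", auditHiddenButReadable(roles, fetchByUrlNoAcl));
  console.log("hidden but readable (with ACL):", auditHiddenButReadable(roles, fetchByUrlWithAcl));
}

if (typeof module !== "undefined") {
  module.exports = { listNavigation, fetchByUrlNoAcl, fetchByUrlWithAcl, auditHiddenButReadable };
}
```

With the weak handler the audit reports all three items for `ml_report`; with the ACL-enforcing handler only `item-002` remains, and that one is reachable by design because its `readRoles` explicitly grant the role. The same distinction applies to the post: a missing navigation entry alone says nothing about whether the record is protected, so the check that matters is the read rule on the item itself.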
