Enforce Query ACLs for SubLists, List Counts and Widget Data Tables

  • Rversion finale: Australia
  • Mis à jour 12 mars 2026
  • 1 minute de lecture

    • Enforce query ACLs on sublist, list count, and widget data table queries using system properties.

    Set com.glide.security.query_acl.enabled.sub_lists to true to enforce query ACLs on sublist queries, such as grouped lists and related lists.

    Set com.glide.security.query_acl.enabled.list_count to true to enforce query ACLs on list count queries.

    Set glide.security.query_acl.enabled.data_table to true to enforce query ACLs on widget data tables.

    If any of these system properties are set to false, an attacker can use blind queries to enumerate and exfiltrate data due to the default behavior of GlideRecord.addEncodedQuery. If these properties don't exist in the System Properties [sys_properties] table, the secure default of true is used. A third option, external_and_guests, enforces ACLs only for external users and guests.

    Ensure these system properties do not appear in the System Properties [sys_properties] table or are set to true.

    More information

    Attribute Description
    Configuration name
    • com.glide.security.query_acl.enabled.sub_lists
    • com.glide.security.query_acl.enabled.list_count
    • glide.security.query_acl.enabled.data_table
    Configuration type System Properties (/sys_properties_list.do)
    Data type Boolean
    Recommended value
    • true
    • true
    • true
    Default value
    • true
    • true
    • true
    Fallback value
    • true
    • true
    • true
    Category Architecture, design, and threat modeling
    Security risk
    • Severity score: 5.3
    • CVSS score: Medium
    • Security Risk: ACLs can be bypassed disclosing field data to users who do not have permissions to see it. This could include sensitive data depending on the table exploited.
    Dependencies and prerequisites None