Enforce field-level ACLs on records created from the query string of the Filtered List view UI of a table
Summary of Enforce Field-Level ACLs on Records Created from the Query String of the Filtered List View UI of a Table
This guidance outlines how to enforce field-level Access Control Lists (ACLs) for records created from the Filtered List view UI in ServiceNow. It involves configuring the com.glide.acl_check_all_filter_on_new system property to ensure that field-level ACLs are assessed when new records are created using query string parameters.
Key Features
- The com.glide.acl_check_all_filter_on_new property, when set to true, ensures that all field-level ACLs are evaluated during record creation from the Filtered List view. This prevents unauthorized modifications to protected fields.
- Field behavior is influenced by specific dictionary attributes:
  - ignore_filter_on_new: The filter value is ignored for this field during record creation.
  - acl_check_filter_on_new: ACLs are checked for this field upon record creation.
  - allow_filter_on_new: ACL checks are bypassed for this field during record creation.
- Domain fields defined by the glide.sys.domain.domain_determining_field.{table_name} property are not subjected to ACL checks during creation.
Key Outcomes
Setting the com.glide.acl_check_all_filter_on_new property to true enhances security by ensuring that users cannot bypass field-level ACLs during record creation. This prevents improper values from being assigned to protected fields when using the Filtered List view, thus maintaining data integrity and compliance with access controls.
Use a system property to prevent list filters from affecting the initial values of created records.
Use the com.glide.acl_check_all_filter_on_new system property to ensure that field-level ACLs are evaluated when query string parameters are applied during the creation of new table records triggered from the UI.
When a new record is created from the list view UI of a table, the field values included in the filter query string are applied to the new record.
For example, using this filter:
author={62826bf03710200044e0bfc8bcbe5df1}^state={3}
The Author field is assigned the value 62826bf03710200044e0bfc8bcbe5df1 and State is assigned the value 3, regardless of their default values. The com.glide.acl_check_all_filter_on_new property ensures that field-level ACLs are evaluated for all fields when a record is created from the filtered list view UI of a table. There are exceptions to this property, which are applied in the following order:
- If the ignore_filter_on_new dictionary attribute is set for a field, then the value of that field in a filter query string is never used in record creation from the filtered list view UI of a table.
- If the acl_check_filter_on_new dictionary attribute is set for a field, then ACLs must be checked for that field on record creation from the filtered list view UI of a table.
- If the allow_filter_on_new dictionary attribute is set for a field, then ACLs aren't checked for that field on record creation from the filtered list view UI of a table.
- The sys_domain field and other domain fields specific to a table and defined by the glide.sys.domain.domain_determining_field.{table_name} property aren't checked by ACLs on record creation from the filtered list view UI of a table.
- If the com.glide.acl_check_all_filter_on_new system property is set to true, then ACLs must be checked for all other fields on record creation from the filtered list view UI of a table.
- If a field's type is listed in the com.glide.ignore_filter_on_new.field_types system property, then ACLs must be checked for that field on record creation from the filtered list view UI of a table.
Ensure that the com.glide.acl_check_all_filter_on_new system property is set to true.
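The evaluation order above can be modeled as a small decision function that shows which filter values reach a new record when the user lacks create access. This JavaScript is an added illustration, not ServiceNow platform code; the `dictionary` metadata, the `props` object, the `canCreate` callback, and the `sys_domain` and `notes` filter terms are constructed, and only simple `field=value` terms are parsed.

```javascript
// Added illustration of the documented precedence; not ServiceNow platform code.
// Field metadata, props, and canCreate are hypothetical stand-ins.
function decide(field, props) {
  const attrs = field.attributes || [];
  if (attrs.includes('ignore_filter_on_new')) return 'ignore';         // rule 1
  if (attrs.includes('acl_check_filter_on_new')) return 'check_acl';   // rule 2
  if (attrs.includes('allow_filter_on_new')) return 'allow';           // rule 3
  // rule 4: sys_domain and the table's domain-determining field
  if (field.name === 'sys_domain' || field.name === props.domainField) return 'allow';
  if (props.aclCheckAll) return 'check_acl';                           // rule 5
  if (props.ignoreFieldTypes.includes(field.type)) return 'check_acl'; // rule 6, as listed
  return 'allow'; // no rule matched: value applied unchecked (the previous behavior)
}

// Build the initial values a new record would receive from a list filter.
// Only simple field=value terms joined by ^ are modeled.
function initialValues(filter, dictionary, props, canCreate) {
  const record = {};
  for (const term of filter.split('^')) {
    const eq = term.indexOf('=');
    if (eq < 1) continue;
    const name = term.slice(0, eq);
    const field = dictionary[name];
    if (!field) continue;
    const action = decide(field, props);
    if (action === 'allow' || (action === 'check_acl' && canCreate(name))) {
      record[name] = term.slice(eq + 1);
    }
  }
  return record;
}

// Constructed sample data.
const dictionary = {
  author: { name: 'author', type: 'reference', attributes: [] },
  state: { name: 'state', type: 'integer', attributes: ['allow_filter_on_new'] },
  sys_domain: { name: 'sys_domain', type: 'reference', attributes: [] },
  notes: { name: 'notes', type: 'string', attributes: ['ignore_filter_on_new', 'allow_filter_on_new'] },
};
const filter = 'author=62826bf03710200044e0bfc8bcbe5df1^state=3^sys_domain=global^notes=x';
const denyAll = () => false; // user has no create access to any field
const hardened = { aclCheckAll: true, domainField: null, ignoreFieldTypes: [] };
const legacy = { ...hardened, aclCheckAll: false };

console.log('property true :', initialValues(filter, dictionary, hardened, denyAll));
console.log('property false:', initialValues(filter, dictionary, legacy, denyAll));
```

With the property set to true, the `author` value from the filter is dropped for a user without create access, while `state` (marked allow_filter_on_new) and `sys_domain` are still applied; with the property set to false, `author` is applied without any ACL check.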
More information
| Attribute | Description |
|---|---|
| Configuration name | com.glide.acl_check_all_filter_on_new |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | Boolean |
| Recommended value | true |
| Default value | false |
| Fallback value | false |
| Category | Access control |
| Security risk | |
| Functional impact | When com.glide.acl_check_all_filter_on_new is set to true, ACLs may prevent fields included in the filter query string from affecting the value of fields in a created record when the creation is triggered from the list view UI of a table. However, the previous behavior was incorrect because it bypassed ACLs and allowed a user without creation access to a field to modify its value. |
| Dependencies and prerequisites | None |