ACL troubleshooting reference
ACL troubleshooting includes identifying ACL rule errors and using the debugging tools to fix ACL-related problems.
Access analyzer
Access Analyzer helps administrators view permissions for a selected user, role, or group. It is a diagnostic security tool that provides comprehensive visibility into resource permissions and access controls at the Access Control List (ACL) level, so you can understand who has access to your resources, identify overly permissive configurations, and maintain least-privilege access principles. To learn more about how to use the tool, see Access Analyzer.
Enable debugging
Enable debugging to help troubleshoot an issue.
| Error or symptom | Solution |
|---|---|
| You cannot access records from a custom table. | Create a table ACL rule for the custom table granting users access to the table. Without an explicit table ACL rule, users must pass the permissions in the table wildcard (*) ACL rule, which by default restricts access to administrators only. Enable debugging and determine what ACL rules are evaluated for the custom table. |
| You create a custom ACL rule that does not work properly. | The most likely problems are that another rule takes precedence over your custom rule in the processing order or that the user does not meet all the permission requirements for the object type. Enable debugging and verify that the ACL rule is being evaluated. |
| Your field ACL rule does not work properly. | There is likely a table ACL rule that the user has not met. Enable debugging and determine what ACL rules are evaluated for the field. Verify that there is not a conflicting table ACL rule or duplicate field ACL rule. |
| Your table ACL rule does not work properly. | There is either an ACL rule higher in the processing order or a duplicate table ACL rule interfering with the table ACL rule. Enable debugging and determine what ACL rules are evaluated for the table. |
| You can see a field in a list but not in a form. | It is possible that the ACL rule conditions or script are being triggered in the list but not in the form. Enable debugging and determine when the ACL rules evaluate to true. Update the conditions or script to have the same behavior on the list and form. |
| You receive an error message when trying to execute a processor or client-callable script include. | There is an ACL rule for the processor or client-callable script include that the user has not met. If the user should have access to the object, enable debugging and determine what ACL rules are evaluated for the processor or script include. Update the ACL rule or the user roles as needed to access the object. |
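
The custom-table and field-rule rows above can be reproduced with a simplified model, added here as an illustration; it is not ServiceNow code and calls no ServiceNow API. It assumes a single operation, role checks only (no conditions, scripts, or parent tables), and the hypothetical names `u_audit`, `u_cost`, and `u_finance`.

```javascript
// Simplified model of ACL matching (an assumption-laden sketch, not platform code).
// Rule names, tables, fields and roles below are constructed sample data.
function pickRules(rules, candidates) {
  // Use the most specific name that has any rule; later names are fallbacks.
  for (const name of candidates) {
    const hits = rules.filter((r) => r.name === name);
    if (hits.length > 0) return hits;
  }
  return [];
}

function passes(user, matched, trace) {
  // Model assumption: among rules matched at the same level, one pass is enough.
  let ok = false;
  for (const r of matched) {
    const pass = r.roles.some((role) => user.roles.includes(role));
    trace.push(`${r.name}: ${pass ? 'pass' : 'fail'}`);
    ok = ok || pass;
  }
  return ok;
}

function evaluate(user, table, field, rules) {
  const trace = []; // which rules were evaluated, as a debug view would list them
  // Table level first: the explicit table rule, else the table wildcard (*).
  if (!passes(user, pickRules(rules, [table, '*']), trace)) {
    return { allowed: false, trace }; // field rules are never reached
  }
  const fieldRules = pickRules(rules,
    [`${table}.${field}`, `*.${field}`, `${table}.*`, '*.*']);
  // Model assumption: with no field rule at all, the table decision stands.
  const allowed = fieldRules.length === 0 || passes(user, fieldRules, trace);
  return { allowed, trace };
}

const user = { roles: ['u_finance'] };
const rules = [
  { name: '*', roles: ['admin'] },                  // table wildcard: admins only
  { name: 'u_audit.u_cost', roles: ['u_finance'] }, // custom field rule
];
// Fix from the first table row: add an explicit table rule for the custom table.
const fixedRules = rules.concat([{ name: 'u_audit', roles: ['u_finance'] }]);

console.log(evaluate(user, 'u_audit', 'u_cost', rules));      // denied at '*'
console.log(evaluate(user, 'u_audit', 'u_cost', fixedRules)); // allowed
```

In the first call the trace contains only the wildcard rule, which is the pattern to look for in debug output when a field rule appears to be ignored.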