Prevent Empty ACL Creation

  • Release version: Australia
  • Updated March 12, 2026
  • Set the glide.security.empty_acl.popup_window.enabled property to the secure value of true to block attempts to create, update, or save an invalid ACL. This setting will also provide a client-side model to configure a role or security attribute for the ACL.

    The glide.security.empty_acl.popup_window.enabled property controls whether users making form-based edits to ACL [sys_security_acl] records can create, update, or save an invalid ACL that has an invalid data condition, script, security attribute, or roles list, or otherwise does not have any of these configured (an "empty ACL"). As of the Xanadu release, an empty ACL will completely deny access. On versions prior to Xanadu, an empty ACL will allow unconditional access.

    When the glide.security.empty_acl.popup_window.enabled property is set to a secure value of true, attempts to create, update, or save an invalid or empty ACL will be blocked, and a client-side model will be provided to configure a role or security attribute for the ACL. If the property is insecurely set to any other value, then such attempts will be allowed and no client-side model will be displayed.

    Important:
    This property is case sensitive. A value of "True" (capital "T") will be equivalent to false. Additionally, this property will only function when the High Security (com.glide.high_security) plugin is installed and active.

    Ensure that the glide.security.empty_acl.popup_window.enabled property is set to true and that the High Security (com.glide.high_security) plugin is active.
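
    An added example, not ServiceNow code: the two checks above applied to a constructed snapshot of an instance, flagging a case-variant property value, an inactive plugin, and ACLs with nothing configured. The snapshot shape and its field names are assumptions made for the illustration.

```javascript
// Added example (not ServiceNow code). The input is a constructed snapshot of
// effective instance settings; the snapshot field names are hypothetical.
const PROPERTY = "glide.security.empty_acl.popup_window.enabled";
const PLUGIN = "com.glide.high_security";

// Only the exact lowercase string "true" is the secure value ("True" is not).
function propertyIsSecure(value) {
  return value === "true";
}

// An ACL is "empty" when no condition, script, security attribute or role is set.
function isEmptyAcl(acl) {
  const blank = (s) => !s || String(s).trim() === "";
  return blank(acl.condition) && blank(acl.script) &&
         blank(acl.securityAttribute) && (acl.roles || []).length === 0;
}

// Effect of an empty ACL as the page states it: deny from Xanadu on, allow before.
function emptyAclEffect(xanaduOrLater) {
  return xanaduOrLater ? "denies all access" : "allows unconditional access";
}

function auditSnapshot(snap) {
  const findings = [];
  if (!propertyIsSecure(snap.properties[PROPERTY])) {
    findings.push(`${PROPERTY} is not exactly "true"`);
  }
  if (!snap.activePlugins.includes(PLUGIN)) {
    findings.push(`${PLUGIN} is not active, so the property has no effect`);
  }
  for (const acl of snap.acls.filter(isEmptyAcl)) {
    findings.push(`empty ACL ${acl.name}: ${emptyAclEffect(snap.xanaduOrLater)}`);
  }
  return findings;
}

// Constructed sample: capital-T value, plugin active, one empty ACL.
const sample = {
  xanaduOrLater: false,
  properties: { [PROPERTY]: "True" },
  activePlugins: [PLUGIN],
  acls: [
    { name: "incident.read", condition: "", script: "", securityAttribute: "", roles: ["itil"] },
    { name: "u_payroll.write", condition: "", script: "  ", securityAttribute: "", roles: [] },
  ],
};
console.log(auditSnapshot(sample).join("\n"));
```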

    More information

    Attribute: Description
    Configuration name: glide.security.empty_acl.popup_window.enabled
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: string
    Recommended value: true
    Default value: true
    Fallback value:
    Category: Validation, sanitization, and encoding
    Security risk:
    • Severity score: 6.5
    • CVSS score: Medium
    • Security risk details: Misconfigured or empty Access Control Lists (ACLs) can unintentionally grant unrestricted access to sensitive data and system functionality. When ACLs lack proper conditions, roles, or security attributes, they fail to enforce authorization boundaries, enabling attackers or unauthorized users to bypass security controls. This can lead to data breaches, privilege escalation, and compromise of confidentiality, integrity, and availability across the platform.
    Dependencies and prerequisites: None
    Functional impact: This property allows the user to toggle the empty ACL warning popup on and off.
    References: Prevent Empty ACL Creation