Access Analyzer Debug logs

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Access Analyzer Debug logs

    The Access Analyzer Debug logs provide essential information regarding the select access result operations within the ServiceNow platform. These logs help users understand the permissions, business rules, and access control lists (ACLs) involved in access evaluations.

    Show full answer Show less

    Key Features

    • Name: Details about the business rule or ACL.
    • Applies to: Information on how the ACL applies at various levels (field, record, table).
    • Status: Current status of the ACL related to the role and permission.
    • Requires ACL: Role necessary for accessing the field, record, or table.
    • Role: Status of the role in relation to Access Control (Blocked, Passed, Skipped).
    • Security Attribute: Status of the security attribute for Access Control.
    • Condition: Status of the condition for Access Control.
    • Script: Indicates the status of the script for Access Control.
    • Customized: Information on any customized ACLs.
    • Application: Status of the application (Global or Store).
    • Evaluation hierarchy: Outlines the order of evaluation for permissions, starting with business rules followed by ACLs.

    Key Outcomes

    Understanding the Access Analyzer Debug logs enables ServiceNow customers to:

    • Quickly identify the specific business rules and ACLs affecting access permissions.
    • Determine the hierarchy of access evaluations, ensuring a clear understanding of how permissions are granted or denied.
    • Utilize the logs to troubleshoot access issues effectively by reviewing the status of roles, conditions, and scripts.

    This systematic approach enhances security and ensures that users can manage access controls more efficiently within their ServiceNow instances.

    Debug logs display the details of the select access result operation.

    Fields in Debug logs

    The Debug logs in the Access Analyzer displays information about the selected operation to understand the permissions, business rules, and ACLs associated with the operation.

    Fields in the Debug log

    Following are the fields and their description in the Debug logs:

    Table 1. Debug logs
    Fields Description
    Name The details about the business rule or ACL. You can select the business rule of ACL for more information.
    Applies to The details about the application of ACL at a field, record, or table level.
    Status Status of the ACL for the associated role and permission.
    Requires ACL The role that is required for accessing the field, record, or table.
    Role The details about the role being Blocked, Passed, Skipped for the Access Control.
    Security Attribute The details about the security attribute being Blocked, Passed, Skipped for the Access Control.
    Condition The detail about the condition being Blocked, Passed, Skipped for the Access Control.
    Script The details about the script being Blocked, Passed, Skipped for the Access Control.
    Customized The details about the customized ACL if any for the Access Control.
    Application Status of the Application. Global or Store.

    Evaluation hierarchy

    Permission for the selected user, group, or role is evaluated in the following hierarchy:

    • Business rule: A business rule is a server-side script that runs when a record is displayed, inserted, updated, or deleted, or when a table is queried.
    • Access Handler: An internal system check using hidden source code on the platform.
    • Data Filtration: A data filter is a form of access control designed to work along with the existing Access Control rules (ACLs) on your instance. Data filters support only read operation.
    • Access control list (ACL): Rules for access control lists (ACLs) restrict access to data by requiring users to pass a set of requirements before they can interact with it. Within an ACL, the following hierarchy is evaluated:
      • Role
      • Security Attribute
      • Condition
      • Script

    Access control list evaluation

    ACLs for the operations are evaluated in the sequence as follows:

    • Role
    • Security Attribute
    • Condition
    • Script

    Presence of a script

    Alert Icon in any status indicates the presence of a script in the ACL. Review highlighted ACLs to understand the final access.

    Note:
    During an Access analyzer query, business rules are executed first and then the access control list.

    Sequence of execution

    The sequence of access result execution in different scenarios is as follows:

    • Presence of an inherited or wildcard ACL: During the sequence of execution the inherited ACLs are evaluated first and then wildcard ACL.
    • One ACL is passed the others are skipped: During execution and evaluation of permission if one ACL is passed the other ACL execution and evaluation is skipped. Because the overall permission for the selected operation requires one ACL to access a field, record, or table for an identity.
    • Field level ACL and table level ACLs execution: During execution field level ACLs are executed first followed by table level ACL to provide more granular results when analyzing the access for an identity.
    • Evaluation in the presence of scripted ACL: When there’s a presence of a script, the overall access for the operation is passed with an Alert icon to indicate the script in the ACL.