Report execution security
When a report is run, report_view access control lists (ACLs) are evaluated on the table and table fields that the report is based on. If no report_view ACL exists, there is a fallback check on table-level read ACL roles.
The fallback read ACL is controlled by the system property glide.report.report_view.read_acl.
This property has three possible values. The default value is enforce.
- ignore
- No evaluation is conducted against the read ACL and all users can see the report.
- enforce
- If no report_view ACL for that table or table field exists, evaluation is conducted against the read ACL. Users can only view the report if they pass the read ACL.
- log
- The read ACL check isn’t enforced if there is no report_view ACL for that table or table field, but the administrator can see in the logs which users would have been blocked if the security check was enforced.
it isn’t recommended to change the system property to ignore or log as the read ACL fallback provides an extra level of protection when viewing a report.
Note:
The fallback table-level read ACL check applies only to roles, not to scripts or conditions. If a table-level read ACL has roles and scripts or roles and conditions, or roles, scripts, and conditions, only the roles are evaluated.
