Access Analyzer Debug logs

  • Release version: Yokohama
  • Updated January 30, 2025

    Debug logs display the details of the selected access result operation.

    Fields in Debug logs

    The Debug logs in the Access Analyzer display information about the selected operation so that you can understand the permissions, business rules, and ACLs associated with the operation.

    Fields in the Debug log

    Following are the fields and their descriptions in the Debug logs:

    Table 1. Debug logs

    | Field | Description |
    | --- | --- |
    | Name | The details about the business rule or ACL. You can select the business rule or ACL for more information. |
    | Applies to | The details about the application of the ACL at a field, record, or table level. |
    | Status | Status of the ACL for the associated role and permission. |
    | Requires ACL | The role that is required for accessing the field, record, or table. |
    | Role | The details about the role being Blocked, Passed, or Skipped for the Access Control. |
    | Security Attribute | The details about the security attribute being Blocked, Passed, or Skipped for the Access Control. |
    | Condition | The details about the condition being Blocked, Passed, or Skipped for the Access Control. |
    | Script | The details about the script being Blocked, Passed, or Skipped for the Access Control. |
    | Customized | The details about the customized ACL, if any, for the Access Control. |
    | Application | Status of the application: Global or Store. |

    Evaluation hierarchy

    Permission for the selected user, group, or role is evaluated in the following hierarchy:

    • Business rule: A business rule is a server-side script that runs when a record is displayed, inserted, updated, or deleted, or when a table is queried.
    • Access Handler: An internal system check using hidden source code on the platform.
    • Data Filtration: A data filter is a form of access control designed to work along with the existing Access Control rules (ACLs) on your instance. Data filters support only read operation.
    • Access control list (ACL): Rules for access control lists (ACLs) restrict access to data by requiring users to pass a set of requirements before they can interact with it. Within an ACL, the following hierarchy is evaluated:
      • Role
      • Security Attribute
      • Condition
      • Script

    Access control list evaluation

    ACLs for the operations are evaluated in the following sequence:

    • Role
    • Security Attribute
    • Condition
    • Script

    Presence of a script

    An Alert icon in any status indicates the presence of a script in the ACL. Review the highlighted ACLs to understand the final access.

    Note:
    During an Access Analyzer query, business rules are executed first and then the access control list.

    Sequence of execution

    The sequence of access result execution in different scenarios is as follows:

    • Presence of an inherited or wildcard ACL: During the sequence of execution, the inherited ACLs are evaluated first and then the wildcard ACL.
    • One ACL is passed and the others are skipped: During execution and evaluation of permission, if one ACL is passed, execution and evaluation of the other ACLs is skipped, because the overall permission for the selected operation requires one ACL to access a field, record, or table for an identity.
    • Field-level and table-level ACL execution: During execution, field-level ACLs are executed first, followed by table-level ACLs, to provide more granular results when analyzing the access for an identity.
    • Evaluation in the presence of a scripted ACL: When a script is present, the overall access for the operation is passed with an Alert icon to indicate the script in the ACL.
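
The ACL stage of the sequence above can be modelled in a few lines to show how the Blocked, Passed, and Skipped values in a Debug log come about. This is an added example, not ServiceNow code or a platform API: every function name and the sample ACLs are hypothetical, and it assumes that an undefined check passes and that checks after a Blocked one are reported as Skipped.

```javascript
// Added illustration: toy model of the ACL stage described on this page.
// Every name here is hypothetical; none of this is a ServiceNow API.
const CHECKS = ['role', 'securityAttribute', 'condition', 'script'];
const LEVEL_RANK = { field: 0, table: 1 };        // field-level ACLs run first
const KIND_RANK = { inherited: 0, wildcard: 1 };  // inherited before wildcard

// Evaluate one ACL in the documented order. Assumptions: a check the ACL does
// not define passes, and checks after a Blocked one are reported as Skipped.
function evaluateAcl(acl, user) {
  const row = { name: acl.name, appliesTo: acl.level, alert: Boolean(acl.script) };
  let blocked = false;
  for (const check of CHECKS) {
    if (blocked) { row[check] = 'Skipped'; continue; }
    // The script is never run by this model: per the page it is reported as
    // passed and flagged with the alert for manual review.
    const ok = check === 'script' || !acl[check] || acl[check](user);
    row[check] = ok ? 'Passed' : 'Blocked';
    blocked = !ok;
  }
  row.status = blocked ? 'Blocked' : 'Passed';
  return row;
}

// Order the ACLs, evaluate until one passes, report the rest as Skipped.
function analyze(acls, user) {
  const ordered = [...acls].sort((a, b) =>
    LEVEL_RANK[a.level] - LEVEL_RANK[b.level] || KIND_RANK[a.kind] - KIND_RANK[b.kind]);
  const rows = [];
  let granting = null;
  for (const acl of ordered) {
    const row = granting
      ? { name: acl.name, appliesTo: acl.level, status: 'Skipped', alert: Boolean(acl.script) }
      : evaluateAcl(acl, user);
    rows.push(row);
    if (!granting && row.status === 'Passed') granting = row;
  }
  return { access: granting !== null, needsScriptReview: Boolean(granting && granting.alert), rows };
}

// Constructed sample data, deliberately out of order.
const user = { roles: ['itil'], active: true };
const hasRole = (r) => (u) => u.roles.includes(r);
const acls = [
  { name: 'table ACL', level: 'table', kind: 'inherited', role: hasRole('itil') },
  { name: 'field wildcard ACL', level: 'field', kind: 'wildcard', role: hasRole('itil'),
    condition: (u) => u.active, script: 'answer = true;' },
  { name: 'field inherited ACL', level: 'field', kind: 'inherited', role: hasRole('admin') },
];
console.table(analyze(acls, user).rows);
```

A result with `needsScriptReview` set corresponds to a Passed row carrying the Alert icon: the grant depends on a script that still has to be read before the access decision is trusted.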