Access Analyzer Debug logs
Summary of Access Analyzer Debug logs
Access Analyzer Debug logs provide detailed insights into the select access result operations within the ServiceNow platform. These logs help customers understand how permissions, business rules, and Access Control Lists (ACLs) influence access to fields, records, or tables.
Key Features
- Debug Log Fields: The logs include detailed fields such as Name (business rule or ACL details), Applies to (scope of ACL application), Status (ACL status for roles and permissions), Requires ACL (roles needed for access), Role, Security Attribute, Condition, Script, Customized ACL details, Application status, and Global or Store context.
- Evaluation Hierarchy: Access permissions are evaluated in this order:
  - Business Rule: Server-side scripts triggered on record or table operations.
  - Access Handler: Internal system checks.
  - Data Filtration: Read-only filters complementing ACLs.
  - Access Control List (ACL): Access restrictions based on roles, security attributes, conditions, and scripts.
- ACL Evaluation Sequence: Within ACLs, the evaluation order is Role, Security Attribute, Condition, then Script.
- Script Alerts: An alert icon highlights the presence of scripts in ACLs, signaling the need for closer review to understand final access outcomes.
Key Outcomes
- Execution Sequence: Business rules execute first, followed by ACL evaluation.
- Inherited and Wildcard ACLs: Inherited ACLs are evaluated before wildcard ACLs.
- ACL Pass Behavior: Once one ACL passes, subsequent ACL evaluations are skipped, as only one ACL needs to grant access for the operation.
- Field vs Table ACLs: Field-level ACLs execute before table-level ACLs, enabling granular access analysis.
- Scripted ACLs: Presence of a script causes the overall access to be marked as passed with an alert icon, emphasizing the need to review scripted ACLs carefully.
ServiceNow customers can leverage Access Analyzer Debug logs to precisely diagnose and understand access permissions and restrictions, aiding in effective security and compliance management.
Debug logs display the details of the select access result operation.
Fields in Debug logs
The Debug logs in the Access Analyzer display information about the selected operation so that you can understand the permissions, business rules, and ACLs associated with it.
Following are the fields and their description in the Debug logs:
| Fields | Description |
|---|---|
| Name | The details about the business rule or ACL. You can select the business rule or ACL for more information. |
| Applies to | The details about the application of ACL at a field, record, or table level. |
| Status | Status of the ACL for the associated role and permission. |
| Requires ACL | The role that is required for accessing the field, record, or table. |
| Role | Whether the role is Blocked, Passed, or Skipped for the Access Control. |
| Security Attribute | Whether the security attribute is Blocked, Passed, or Skipped for the Access Control. |
| Condition | Whether the condition is Blocked, Passed, or Skipped for the Access Control. |
| Script | Whether the script is Blocked, Passed, or Skipped for the Access Control. |
| Customized | The details about the customized ACL, if any, for the Access Control. |
| Application | Status of the application: Global or Store. |
Evaluation hierarchy
Permission for the selected user, group, or role is evaluated in the following hierarchy:
- Business rule: A business rule is a server-side script that runs when a record is displayed, inserted, updated, or deleted, or when a table is queried.
- Access Handler: An internal system check using hidden source code on the platform.
- Data Filtration: A data filter is a form of access control designed to work along with the existing Access Control rules (ACLs) on your instance. Data filters support only the read operation.
- Access control list (ACL): Rules for access control lists (ACLs) restrict access to data by requiring users to pass a set of requirements before they can interact with it. Within an ACL, the following hierarchy is evaluated:
  - Role
  - Security Attribute
  - Condition
  - Script
Access control list evaluation
ACLs for the operations are evaluated in the following sequence:
- Role
- Security Attribute
- Condition
- Script
Presence of a script
An Alert icon in any status indicates the presence of a script in the ACL. Review highlighted ACLs to understand the final access.
Sequence of execution
The sequence of access result execution in different scenarios is as follows:
- Presence of an inherited or wildcard ACL: During execution, inherited ACLs are evaluated first, followed by wildcard ACLs.
- One ACL is passed, the others are skipped: During execution and evaluation of permissions, if one ACL is passed, execution and evaluation of the other ACLs is skipped, because the overall permission for the selected operation requires only one ACL to grant access to a field, record, or table for an identity.
- Field-level and table-level ACL execution: During execution, field-level ACLs are executed first, followed by table-level ACLs, to provide more granular results when analyzing the access for an identity.
- Evaluation in the presence of a scripted ACL: When a script is present, the overall access for the operation is passed with an Alert icon to indicate the script in the ACL.
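The following added example (not ServiceNow platform code and not part of the original documentation) models the ordering rules above so that the Blocked, Passed, and Skipped rows of a debug log can be traced by hand. The object shapes, function names, the tie-break between level and inherited/wildcard, and the treatment of absent checks are assumptions made for the illustration.

```javascript
// Added illustration: a simplified model of the evaluation order described on
// this page. It is not ServiceNow platform code; all names are hypothetical.
const CHECKS = ["role", "securityAttribute", "condition", "script"];
const LEVEL = { field: 0, table: 1 };        // field-level before table-level
const KIND = { inherited: 0, wildcard: 1 };  // inherited before wildcard

// Assumption: level is compared first, then inherited vs. wildcard.
function orderAcls(acls) {
  return [...acls].sort((a, b) =>
    LEVEL[a.level] - LEVEL[b.level] || KIND[a.kind] - KIND[b.kind]);
}

// Evaluate one ACL in the order Role, Security Attribute, Condition, Script.
// Assumptions: an absent check counts as Passed; checks after a Blocked one
// are Skipped. Scripts are never executed here, only flagged for review.
function evaluateAcl(acl, user) {
  const row = { name: acl.name, appliesTo: acl.level, alert: Boolean(acl.script) };
  let blocked = false;
  for (const check of CHECKS) {
    if (blocked) { row[check] = "Skipped"; continue; }
    const passed = check === "script" || !acl[check] || acl[check](user);
    row[check] = passed ? "Passed" : "Blocked";
    blocked = !passed;
  }
  row.status = blocked ? "Blocked" : "Passed";
  return row;
}

// Walk the ordered ACLs; once one passes, the remaining ones are Skipped.
function analyze(acls, user) {
  const log = [];
  let granted = false;
  for (const acl of orderAcls(acls)) {
    log.push(granted
      ? { name: acl.name, status: "Skipped", alert: Boolean(acl.script) }
      : evaluateAcl(acl, user));
    granted = granted || log[log.length - 1].status === "Passed";
  }
  const needsReview = log.filter(r => r.alert).map(r => r.name);
  return { access: granted ? "Passed" : "Blocked", needsReview, log };
}

// Constructed sample ACLs and identity (not taken from a real instance).
const hasRole = name => user => user.roles.includes(name);
const sampleAcls = [
  { name: "incident.*", level: "field", kind: "wildcard", role: hasRole("itil") },
  { name: "task.short_description", level: "field", kind: "inherited", role: hasRole("admin") },
  { name: "incident", level: "table", kind: "inherited", role: hasRole("itil"), script: true },
];
console.log(analyze(sampleAcls, { roles: ["itil"] }));
```

The `needsReview` list corresponds to the ACLs that would carry the Alert icon: the model reports them regardless of status because the script itself is never evaluated.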