Review extraneous explicit role access control conditions [Removed in Security Center 1.5]
The Explicit Roles plugin is recommended because it mandates that every user hold either the snc_internal role (to access internal resources) or the snc_external role (to access external resources).
After the plugin is installed, all existing users are assigned the snc_internal role, and existing access control lists (ACLs) are populated with the corresponding role conditions. Through automation logic or intervention by an instance admin, the snc_internal or snc_external role may be incorrectly added to an ACL that already carries a stricter role requirement. Because ACL role evaluation passes for any user who holds any one of the roles mapped to the ACL, adding snc_internal or snc_external can make the ACL far broader than intended. This can lead to data leakage if a low-privileged user is granted access through the ACL.
For example, it is unnecessary for both the snc_internal and the admin roles to be mapped to the same ACL on a table. Either the ACL is meant to grant access to admins only, in which case the snc_internal role is a mistake, or the ACL is meant to grant access to all snc_internal users, in which case the admin role is redundant. When the Explicit Roles plugin is installed, review every ACL that contains a role condition for snc_internal or snc_external and also contains a condition for another role. If the combination of roles is intentional and serves a specific use case, the finding should be reviewed periodically.
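The following is an added example, not ServiceNow product code or part of this Security Center check. It models the "any mapped role passes" evaluation rule described above and runs the review over a constructed set of ACL-to-role mappings (on a real instance the mappings would be read from the sys_security_acl_role table; the ACL names and role sets below are made up for illustration). It flags every ACL where snc_internal or snc_external sits beside a stricter role, which is exactly the condition the finding asks an admin to review.

```javascript
// Added example: models ServiceNow ACL role evaluation and the review check
// for explicit roles (snc_internal / snc_external) mapped beside other roles.
// The ACL records below are constructed sample data, not taken from an instance.

const EXPLICIT_ROLES = new Set(["snc_internal", "snc_external"]);

// Constructed sample: one entry per ACL, listing the roles mapped to it.
const sampleAcls = [
  { name: "incident.read",        roles: ["snc_internal"] },
  { name: "sys_user.write",       roles: ["admin", "snc_internal"] },      // finding
  { name: "kb_knowledge.read",    roles: ["snc_external", "kb_reader"] },  // finding
  { name: "change_request.write", roles: ["itil", "change_manager"] },
];

// ACL role evaluation: the role condition passes as soon as the user holds
// ANY role mapped to the ACL. This is why an added snc_internal role silently
// widens an ACL that was meant to be admin-only.
function roleConditionPasses(acl, userRoles) {
  const held = new Set(userRoles);
  return acl.roles.some((role) => held.has(role));
}

// Review check: an ACL is a finding when it carries an explicit role AND at
// least one other role. Returns one record per finding so a reviewer can see
// which role is the likely mistake.
function findOverlyBroadAcls(acls) {
  return acls
    .filter((acl) => {
      const hasExplicit = acl.roles.some((role) => EXPLICIT_ROLES.has(role));
      const hasOther = acl.roles.some((role) => !EXPLICIT_ROLES.has(role));
      return hasExplicit && hasOther;
    })
    .map((acl) => ({
      name: acl.name,
      explicitRoles: acl.roles.filter((role) => EXPLICIT_ROLES.has(role)),
      otherRoles: acl.roles.filter((role) => !EXPLICIT_ROLES.has(role)),
    }));
}

// Demonstrates the impact: a plain snc_internal user (no admin role) still
// passes the role condition on sys_user.write because of the extra mapping.
function lowPrivilegedUserCanPass(acls, aclName) {
  const acl = acls.find((a) => a.name === aclName);
  return acl ? roleConditionPasses(acl, ["snc_internal"]) : false;
}

// Stand-alone usage: print the findings and the impact demonstration.
for (const finding of findOverlyBroadAcls(sampleAcls)) {
  console.log(
    `REVIEW ${finding.name}: explicit ${finding.explicitRoles.join(",")} ` +
    `mapped beside ${finding.otherRoles.join(",")}`
  );
}
console.log(
  "snc_internal-only user passes sys_user.write:",
  lowPrivilegedUserCanPass(sampleAcls, "sys_user.write")
);
```

The check deliberately reports the ACL rather than deciding which role to remove: as the text notes, either the explicit role or the stricter role may be the mistake, and only the ACL's intended purpose tells you which.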