“My ACL requires a given role. A user has that role, but is still failing the access check. The ACL debugger says that the ACL script is what’s failing, but my ACL is not “Advanced” and there’s no script field! What is going on??”
Even when the "Advanced" checkbox is unchecked on your ACLs or Business Rules, the code in the "Script" field is still executing and it is still impacting the behavior of the ACL/BR (and impacting system performance and security)!
In this article, we’ll discuss an issue with “Advanced” ACLs and Business Rules (or non-advanced ones that behave as though they’re advanced/scripted).
This confounding issue can very often lead to odd, unexpected, and nearly-impossible-to-troubleshoot behavior in the ServiceNow platform.
At the bottom of the article, you’ll find a free tool to solve these problems, and provide a better experience for developers and administrators in your instance!
Imagine you start creating an ACL (or a Business Rule for that matter). You begin by checking the Advanced checkbox, and writing some code to check if certain conditions are met. If so, your code then checks if the user has some specific role.
Before you even finish writing your script, let alone optimizing it, you smack your forehead and realize that you can just use the condition builder and a simple role-check for this ACL. No script necessary!
So, you set the condition field, add a role to the ACL, and un-check the Advanced checkbox.
The “Script” field disappears from the form, and you’re back to looking at a simple ACL, configured exactly as you wanted it.
All done, right?
Bad news, chum. Un-checking that checkbox did precisely nothing, aside from hiding the Script field. That script is still going to execute every time your ACL is triggered! This can have massive, detrimental impact on system stability, security, and performance…
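To check an instance for the situation described above, the following added example (not the article's tool and not ServiceNow's own code) flags active ACLs that have Advanced unchecked but still carry code in the hidden Script field. It assumes the `sys_security_acl` fields `name`, `operation`, `advanced`, `active` and `script`; the sample rows and ACL names are constructed so the logic can also be run outside ServiceNow.

```javascript
// True when a script holds anything besides whitespace and comments.
function hasExecutableScript(script) {
  return String(script || '')
    .replace(/\/\*[\s\S]*?\*\//g, '')  // drop block comments
    .replace(/^\s*\/\/.*$/gm, '')       // drop whole-line comments
    .trim().length > 0;
}

// rows: plain objects {name, operation, advanced, active, script}
function findHiddenScripts(rows) {
  return rows.filter(function (r) {
    return r.active && !r.advanced && hasExecutableScript(r.script);
  });
}

// On an instance: copy sys_security_acl records into plain rows.
function loadAclRows() {
  var rows = [];
  var gr = new GlideRecord('sys_security_acl');
  gr.addQuery('advanced', false);
  gr.addNotNullQuery('script');
  gr.query();
  while (gr.next()) {
    rows.push({
      name: gr.getValue('name'),
      operation: gr.getDisplayValue('operation'),
      advanced: gr.getValue('advanced') === '1',
      active: gr.getValue('active') === '1',
      script: gr.getValue('script')
    });
  }
  return rows;
}

// Constructed sample rows, used when run outside ServiceNow.
var SAMPLE_ROWS = [
  { name: 'incident.u_cost', operation: 'write', advanced: false, active: true,
    script: 'answer = gs.hasRole("itil_admin") && current.active;' },
  { name: 'incident.u_notes', operation: 'read', advanced: false, active: true,
    script: '// placeholder only\n' },
  { name: 'incident.*', operation: 'delete', advanced: true, active: true,
    script: 'answer = gs.hasRole("admin");' }
];

var onInstance = typeof GlideRecord !== 'undefined';
findHiddenScripts(onInstance ? loadAclRows() : SAMPLE_ROWS).forEach(function (r) {
  var msg = 'Hidden script on ACL ' + r.name + ' (' + r.operation + ')';
  if (onInstance) { gs.info(msg); } else { console.log(msg); }
});
```

Each flagged ACL should be reviewed by opening the record, re-checking Advanced to reveal the script, and either clearing the field or keeping the ACL explicitly scripted.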