ServiceNow ACLs and Squid
ServiceNow Access Control Lists (ACLs) are a fundamental security mechanism in ServiceNow. However, their behavior creates significant challenges for programmatic data exports. This document explains the issues and Squid's recommended approach.
The Problem with ACLs for Data Export
Silent Failure Mode
When an ACL denies access to a record, ServiceNow silently omits that record from the result set:
- No error message
- No indication of missing data
- No count of denied records
- Partial data returned as if complete
┌─────────────────────────────────────────────────────────────────┐
│ Query: All Servers │
│ Expected: 1000 servers │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ ACL Evaluation │
│ │
│ • 900 servers: ACL grants access ✓ │
│ • 100 servers: ACL denies access (silently omitted) │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Result: 900 servers │
│ (appears complete, but 10% missing) │
└─────────────────────────────────────────────────────────────────┘
Why This is Critical
For interactive UI users, this behavior makes sense - they simply don't see data they can't access. For programmatic data exports, this is dangerous:
Scenario: Network Access Control
A customer exports MAC addresses to their Network Access Control system. If a MAC address isn't registered, network access is denied.
- 1000 ATMs depend on this integration
- ACL blocks 100 ATM records (unknown to integration)
- 100 ATMs lose network access
- Production outage, potential financial loss
The Worst Case
- Best case: 0% of data returned → obvious failure, easily detected
- Worst case: 90% of data returned → partial success, failure undetected until downstream impact
ACL Complexity
ServiceNow deployments commonly have hundreds of ACL rules:
- Table-level ACLs
- Field-level ACLs
- Record-level ACLs (scripts)
- Role-based ACLs
- Condition-based ACLs
Any of these can silently block data. ACL rules may be added or modified by ServiceNow developers without notification to integration owners.
Squid's Position on ACLs
Disable ACLs for Squid integrations.
ACLs introduce unacceptable risk for mission-critical data integrations. Use Squid's built-in security mechanisms instead.
Why We Can't Just Disable ACLs
ServiceNow's application guidelines require scoped applications to respect ACLs by default. This protects customers from applications that might inappropriately access data.
arc46 respects and follows these guidelines. You, the customer, must explicitly authorize Squid to bypass ACLs.
The allowAclOverride System Property
To enable ACL bypass for predefined configurations:
System Property: x_a46gh_squidx.allowAclOverride
Value: true
What This Property Does
| Setting | Predefined Configs | Custom Configs |
|---|---|---|
false (default) | ACLs enforced | Configurable per config |
true | ACLs bypassed | Configurable per config |
How to Set This Property
- Navigate to System Properties in ServiceNow
- Search for
x_a46gh_squidx.allowAclOverride - Set value to
true - Save
Or via script:
gs.setProperty('x_a46gh_squidx.allowAclOverride', 'true');
arc46 cannot and will not offer support unless x_a46gh_squidx.allowAclOverride is set to true.
This is not arbitrary - it's because debugging issues with ACL-affected data is practically impossible. We cannot help you troubleshoot "missing data" when ACLs might be silently blocking records.
When ACLs Might Be Appropriate
We recognize that valid use cases for respecting ACLs exist:
Complex ACL Logic
If you have sophisticated ACL rules that:
- Cannot be easily replicated in view filters
- Are maintained by a dedicated team
- Have well-documented, predictable behavior
Per-Configuration ACL Control
For custom configurations, you can enable ACL enforcement selectively:
Configuration: cmdb_ci_server_with_acls
Use ServiceNow ACLs: ✓ (checked)
This is a per-configuration setting, allowing fine-grained control.
User-Context Exports
If your integration operates on behalf of specific users and should respect their access permissions, ACLs may be appropriate. Be aware of the silent failure implications.
Squid's Alternative Security Mechanisms
Instead of relying on ACLs, Squid provides equivalent security through:
| Security Need | ACL Approach | Squid Approach |
|---|---|---|
| Column access | Field ACLs | Database views |
| Row filtering | Record ACLs | View filters |
| Role requirements | Role-based ACLs | Configuration roles |
| Query restrictions | N/A | Forbidden/restricted operators |
Advantage: Explicit and Predictable
Squid's security is:
- Configured explicitly - You define what's accessible
- Documented - Views and filters are visible
- Predictable - No silent omissions
- Auditable - Clear security posture
Advantage: Fail-Loud
If Squid denies access, it returns an error:
{
"error": {
"message": "You are not authorized to access this configuration.",
"detail": "User lacks required role"
}
}
No silent partial data. Either you get the data or you get an error.
Implementation: How Squid Handles ACLs
Code-Level Implementation
function getGlideRecord(table: string, ignoreAclsOverride?: boolean): GlideRecord {
const ignoreAcls = /* determine based on config and system property */;
return ignoreAcls ? new GlideRecord(table) : new GlideRecordSecure(table);
}
function getGlideQuery(table: string, ignoreAclsOverride?: boolean): global.GlideQuery {
const ignoreAcls = /* determine based on config and system property */;
const glideQuery = new global.GlideQuery(table);
return ignoreAcls ? glideQuery : glideQuery.withAcls();
}
GlideRecord/GlideQuery- Bypasses ACLsGlideRecordSecure/GlideQuery.withAcls()- Enforces ACLs
Warning Messages
When ACLs are enforced on predefined configurations (not recommended), Squid includes warnings in the response:
{
"metadata": {
"warnings": [
"ACLs are being enforced for this configuration. Data may be silently omitted. Set x_a46gh_squidx.allowAclOverride to 'true' to disable ACLs."
]
}
}
Decision Framework
Use this framework to decide on ACL handling:
┌─────────────────────────────────────────────────────────────────┐
│ Is this a mission-critical integration? │
│ (Data completeness is essential) │
│ │
│ YES → Disable ACLs, use Squid security mechanisms │
│ NO → Continue evaluation │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Can missing data be detected downstream? │
│ (Validation checks, reconciliation processes) │
│ │
│ YES → ACLs may be acceptable with monitoring │
│ NO → Disable ACLs, silent failures are unacceptable │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Can you replicate ACL logic in view filters? │
│ │
│ YES → Use view filters (explicit, documented) │
│ NO → Consider ACLs with careful monitoring │
└─────────────────────────────────────────────────────────────────┘
Summary
| Recommendation | Implementation |
|---|---|
Set allowAclOverride to true | System property |
| Use view-based column security | Database view design |
| Use view filters for row security | Configuration setting |
| Use role-based config access | Configuration roles |
| Enable per-config ACLs only when necessary | Custom configuration setting |
Related Topics
- Data Access Controls - Squid's alternative to ACLs
- Best Practices - Security configuration recommendations
- Authorization - Role-based access control