Debugging Access Controls servicenow

Debugging Access Controls

To enable Access Control debugging, use the Application Navigator in the main ServiceNow browser window (not Studio) to open System Security > Debugging > Debug Security Rules. The Debug Security Rules module runs a script that enables writing all Access Control debugging information to the bottom of each page in the content frame.
Only admin users have access to the Debug Security Rules module. In most cases, Access Controls need to be debugged for users other than the admin user. After enabling Debug Security Rules as an admin user, impersonate a user to test their access.
In this example, Beth Anglin is denied access to Field 3 on Table in the Generic application:
Beth is denied access to Field 3
The first row states the overall evaluation of the Access Control: Grant or Deny. The Access Control is a read Access Control for Field 3.
The second row shows the evaluation of the table-level Access Control followed by the field-level Access Control. In this case both the table-level and field-level Access Controls are shown to make it clear which Access Control denied access.
The debugging information is shown in order of evaluation:
Order of evaluation
It is important to examine both the color code and the symbols.
  • Green: Access granted
  • Red: Access denied
  • Blue: The rule did not have to be re-evaluated because the result is already in the cache
  • Gray: Not evaluated, typically because part of the rule has already denied access
  • Check mark: Passed
  • X: Failed
The system-level access check is not part of an Access Control. It runs before Access Controls are evaluated and looks for system/runtime reasons why a user should or should not be granted access. For example, Delegated Development grants developers permission to create only certain types of application files. Fred might be able to create Business Rules but Beth cannot. Permission to create application files in a Delegated Development environment is not controlled by Access Controls and is determined at runtime by a system-level access check.
Look again at the Field 3 Access Control for Beth. Her access to Field 3 was denied by the role on the field-level Access Control even though the table-level Access Control granted access. The condition and script on the field-level Access Control were not evaluated because the role denied access.
To disable Access Control debugging, use the Application Navigator in the main ServiceNow browser window to open System Security > Debugging > Stop Debugging. If you have impersonated a user, impersonate the System Administrator to disable Access Control debugging.
DEVELOPER TIP: The Admin overrides option in Access Control configuration grants access to the admin user even if the admin user doesn’t meet the requirements of the Access Control. Use caution when testing Access Controls as the admin user, because the result may not be indicative of the Access Control’s behavior for other users.
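The evaluation described above for Beth, together with the Admin overrides caveat from the tip, can be reproduced with a small JavaScript model. This is an added example, not ServiceNow platform code or code from the original page; the role names, Access Control names, user records and the role, condition, script ordering inside one rule are assumptions of the model.

```javascript
// Added example: a simplified model of the debug trace, not ServiceNow code.
// Role names, ACL names and user records below are constructed for illustration.
const GRANT = "granted", DENY = "denied", SKIP = "not evaluated";

// Evaluate one Access Control in order: role, condition, script.
// After a part denies access, the remaining parts are reported as "not evaluated".
function evaluateAcl(acl, user, record) {
  const parts = [
    ["role", () => acl.roles.length === 0 || acl.roles.some((r) => user.roles.includes(r))],
    ["condition", () => acl.condition(record)],
    ["script", () => acl.script(user, record)],
  ];
  const trace = {};
  let passed = true;
  for (const [name, check] of parts) {
    trace[name] = passed ? (check() ? GRANT : DENY) : SKIP;
    if (trace[name] === DENY) passed = false;
  }
  // Admin overrides: the admin role is granted access even when the checks fail.
  const overridden = !passed && acl.adminOverrides && user.roles.includes("admin");
  return { acl: acl.name, trace, overridden, result: passed || overridden ? GRANT : DENY };
}

// Reading a field requires the table-level rule and then the field-level rule.
// Assumption: this model evaluates both so the trace shows which one denied.
function debugFieldRead(tableAcl, fieldAcl, user, record) {
  const rows = [tableAcl, fieldAcl].map((acl) => evaluateAcl(acl, user, record));
  const overall = rows.every((row) => row.result === GRANT) ? GRANT : DENY;
  return { user: user.name, overall, rows };
}

const always = () => true;
const tableAcl = { name: "generic_table (read)", roles: ["generic_user"],
  condition: always, script: always, adminOverrides: true };
const fieldAcl = { name: "generic_table.field_3 (read)", roles: ["generic_admin"],
  condition: always, script: always, adminOverrides: true };

const beth = { name: "Beth Anglin", roles: ["generic_user"] };
const admin = { name: "System Administrator", roles: ["admin"] };

const bethTrace = debugFieldRead(tableAcl, fieldAcl, beth, {});
const adminTrace = debugFieldRead(tableAcl, fieldAcl, admin, {});
console.log(JSON.stringify(bethTrace, null, 2));
console.log(JSON.stringify(adminTrace, null, 2));
```

In the model, the admin user fails the same role checks as any user without the required roles and is granted access only through the override, which is the behavior the tip warns about.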

Debug a Single Field’s Access Controls

To debug the Access Controls for a single field rather than the entire content frame, with Debug Security Rules enabled, open the table’s form.
A Debug icon appears next to each field. Hover over the Debug icon to see how many Access Control messages there are for the field. Click the Debug icon to see the Access Controls for that field. This strategy, obviously, cannot be used to debug fields that are hidden by Access Controls.
Single field Access Controls