Your ACLs and Business Rules are Broken (Here's How to Fix Them)

“My ACL requires a given role. A user has that role, but is still failing the access check. The ACL debugger says that the ACL script is what’s failing, but my ACL is not “Advanced” and there’s no script field! What is going on??”

In this article, we’ll discuss an issue with “Advanced” ACLs and Business Rules (or non-advanced ones that behave as though they’re advanced/scripted).
This confounding platform behavior very often leads to odd, unexpected, and nearly-impossible-to-troubleshoot results in the ServiceNow platform.

At the bottom of the article, you’ll find a free tool to solve these problems, and provide a better experience for developers and administrators in your instance!


The Problem

Imagine you start creating an ACL (or a Business Rule for that matter). You begin by checking the Advanced checkbox, and writing some code to check if certain conditions are met. If so, your code then checks if the user has some specific role.

Before you even finish writing your script, let alone optimizing it, you smack your forehead and realize that you can just use the condition builder and a simple role-check for this ACL. No script necessary!
So, you set the condition field, add a role to the ACL, and un-check the Advanced checkbox.
The “Script” field disappears from the form, and you’re back to looking at a simple ACL, configured exactly as you wanted it.
All done, right?

Bad news, chum. Un-checking that checkbox did precisely nothing, aside from hiding the Script field. That script is still going to execute every time your ACL is triggered!

Bro, Wut?

It’s true. The Script in your ACL or Business Rule will still run — errors and all — even when the Advanced checkbox is un-checked!

But that’s not all… In my relatively out-of-box PDI, there are 54 OOB ACLs with the “Advanced” checkbox un-checked, but which still contain scripts.
54 ACLs which have hidden code executing in the background every time they run.
54 ACLs that will be damn-near impossible to troubleshoot unless you just happen to know this little nugget of info, and specifically check for it.

It’s Worse for Business Rules

The same issue applies to Business Rules in ServiceNow, but more so.
If you have a Business Rule with some code in the Script field and/or the “Delete” or “Query” operation checkboxes checked, and you set the Advanced field to false, it will hide the script field… but then, if you save the BR, it will re-enable the Advanced field (and those checkboxes and script will still apply) without even telling you!

On one hand, you might consider this a good thing. The next time you load that BR, you’ll be able to at least see the Script field to troubleshoot it.
On the other hand, the fact that it doesn’t even inform you that this is happening is… frustrating, to say the least. This can certainly lead to all manner of unexpected behavior, performance impacts, and security concerns, just like the issue with ACLs can.
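
One way to check exported ACL and Business Rule records for this condition, as an added example that is not from this article's tool: the sample records are constructed, and the field names (`advanced`, `script`, `action_delete`, `action_query`) are assumed to mirror the `sys_security_acl` and `sys_script` columns.

```javascript
// Returns true if `script` holds anything besides comments and whitespace.
// The scan stops at the first character outside a comment, so "//" or "/*"
// inside a later string literal cannot be mistaken for a comment.
function hasExecutableCode(script) {
  const src = script || '';
  let i = 0;
  while (i < src.length) {
    const ch = src[i], next = src[i + 1];
    if (ch === '/' && next === '/') {            // line comment: skip to end of line
      const nl = src.indexOf('\n', i);
      i = nl === -1 ? src.length : nl + 1;
    } else if (ch === '/' && next === '*') {     // block comment: skip past "*/"
      const end = src.indexOf('*/', i + 2);
      i = end === -1 ? src.length : end + 2;
    } else if (/\s/.test(ch)) {
      i++;
    } else {
      return true;                               // first real token found
    }
  }
  return false;
}

// Flags records with Advanced un-checked that would still run a script, and
// Business Rules (table "sys_script") that still have Delete/Query checked.
function auditRecords(records) {
  const findings = [];
  for (const r of records) {
    if (r.advanced) continue;                    // script is visible; nothing hidden
    const reasons = [];
    if (hasExecutableCode(r.script)) reasons.push('hidden script');
    if (r.table === 'sys_script') {
      if (r.action_delete) reasons.push('delete operation still checked');
      if (r.action_query) reasons.push('query operation still checked');
    }
    if (reasons.length) findings.push({ table: r.table, name: r.name, reasons });
  }
  return findings;
}

// Constructed sample rows (names and scripts are made up for illustration).
const SAMPLE = [
  { table: 'sys_security_acl', name: 'incident.write', advanced: false,
    script: "answer = gs.hasRole('itil'); // leftover draft" },
  { table: 'sys_security_acl', name: 'incident.read', advanced: false,
    script: '/* answer = false; */\n// disabled' },
  { table: 'sys_security_acl', name: 'problem.read', advanced: true, script: 'answer = true;' },
  { table: 'sys_script', name: 'Hypothetical BR', advanced: false,
    script: '', action_delete: true, action_query: false },
];
console.log(JSON.stringify(auditRecords(SAMPLE), null, 2));
```

A script that contains only an empty function wrapper is still reported, because it does execute.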

The Solution

"Okay Tim", you reply. "If you're so smart, then what's the solution?"

First of all, thank you for acknowledging that I'm brilliant and handsome.

"I didn't say you were--"

Anyway - one option is to make sure that you (and all other developers in your environment) always remove any scripts in the Script field of any BRs or ACLs before un-checking the “Advanced” checkbox.
I, however, am an idiot, and will very likely forget to do that. I certainly wouldn’t rely on everyone else - even junior devs - to know this, and remember it every time they interact with a BR or ACL.

So - I’ve written a little tool that’ll sort all of this out for you.
It has the following features:

  • When the “Advanced” checkbox is un-checked on an ACL or BR, if any code exists that is not commented out in the script field, it adds special comments to the script field that preserve the original script’s value, but prevent it from executing. A notification is shown, indicating that this was done.

  • When the “Advanced” checkbox is checked on an ACL or BR, if there is code in the Script field which was previously commented out (using those special comments mentioned above), then the code is un-commented so that the original functionality is restored.
    A notification is shown, indicating that this was done.
    This prevents “hidden code” from executing without your knowledge. Hidden code makes it extremely difficult to troubleshoot performance, security, or logic bugs, not to mention the potential security risks that would arise if code you don’t expect is running as part of your ACL!

  • When the “Advanced” checkbox is un-checked on a Business Rule, if the “Delete” or “Query” checkboxes were checked before the update, they will be un-checked, and a field message will be shown indicating that this was done.
    (If this is not done, then saving the Business Rule after un-checking “Advanced” will not disable the Delete or Query operations. Instead, when the form reloads, Delete and/or Query (along with Advanced) will all be re-checked without even notifying you!)

  • When a Business Rule or ACL is loaded where the “Advanced” checkbox is un-checked, but a script containing code (that isn’t commented out) is already present (such as if it existed before this tool was installed), an error message is shown at the top of the form to indicate that this is the case.
    This should help with troubleshooting issues that result from this confounding platform behavior (which ServiceNow refuses to acknowledge as a platform bug, and therefore isn’t likely to fix).

Download

Download the Advanced ACL and Business Rule Helper tool as an Update Set by clicking the link above.
All you have to do is install the Update Set from the downloaded XML file, and you’re good to go!

You can see all the Client Scripts in this tool before downloading it if you like, in this public Gist.