After the "sn_dpm" application is installed, the read ACLs of the sn_dpm application get cached. The read ACL is triggered even for a user who does not have the "sn_dpm.dpm_manager" role. Making the respective ACL inactive and then active again causes the correct read ACL to be triggered.

Steps to Reproduce

1. Create a brand new instance of San Diego.
2. Create a test user and add the snc_internal and itil roles.
3. Install the sn_dpm and com.glide.explicit.roles plugins.
4. With the sn_dpm ("Digital Portfolio Management") plugin, the read ACL below is created with the "sn_dpm.dpm_manager" role for the sn_dpm application:
   https://instancename.service-now.com/sys_security_acl.do?sys_id=0f979f6d775330107190308eec5a9973&sysparm_record_rows=12&sysparm_record_scope=87e5bf72c39220101ad0b0b78640dd60&sysparm_record_target=sys_security_acl&sysparm_record_list=nameSTARTSWITHsc_task%5EORDERBYname&sysparm_nostack=true&sysparm_record_row=5
5. The OOB read ACLs of the sc_task table are listed at the URL below. Of these, make the ACLs with the following sys_ids, which have the ITIL role, inactive:
   59c915423b6010108ed00d8044efc4ee
   7dda24f7c0a801661e313298ad512a7d
   https://gurusandiego.service-now.com/sys_security_acl_list.do?sysparm_query=nameSTARTSWITHsc_task%5Eoperation%3Dread%5Ename!%3Dsc_task.*%5EORname%3DNULL%5Ename!%3Dsc_task.work_notes%5EORname%3DNULL&sysparm_first_row=1&sysparm_view=
6. Make sure the test user you created does not have the "sn_dpm.dpm_manager" role.
7. Enable the debug security ACL log.
8. Impersonate the test user you created.
9. Navigate to the sc_task table.
10. In the log, observe that the read ACL of the sn_dpm application, which has the "sn_dpm.dpm_manager" role, is passed (the ACL linked in step 4).
11. In fact, the test user does not have the "sn_dpm.dpm_manager" role, so the read ACLs with the snc_internal role should have passed instead.
12. Now make the sn_dpm application read ACL (the ACL linked in step 4) inactive and active again, or run cache.do.
13. Repeat steps 8 and 9.
14. Observe in the ACL log that the correct sc_task read ACL is now passed with the snc_internal role.

Note: The table above is just an example. Once the sn_dpm application is installed, the ACLs get cached because of the read ACL of the sn_dpm application; making the respective ACL inactive and active again triggers the correct ACL. The same behaviour is observed with the sc_req_item table as well.

Expected behaviour: On installing the sn_dpm application, the read ACL of the sn_dpm application is created, and the ACL is triggered only for users who have the "sn_dpm.dpm_manager" role.

Actual behaviour: The ACL is triggered even for a user who does not have the "sn_dpm.dpm_manager" role. Once the sn_dpm application is installed, the ACLs get cached because of the read ACL of the sn_dpm application; making the respective ACL inactive and active again triggers the correct ACL.
This problem is currently under review. You can contact ServiceNow Technical Support or subscribe to this Known Error article by clicking the Subscribe button at the top right of this article to be notified when more information becomes available.
PRB1589334
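To check an instance for the symptom in steps 10 and 14, the following added example (not ServiceNow code and not part of the original article) compares the ACL that the security debug output reports as passed against the roles the user actually holds. The record layout, the hand-transcribed observations and the placeholder sys_id for the snc_internal ACL are assumptions; it models role requirements only (a user needs at least one listed role), not ACL conditions or scripts.

```javascript
// Added example with constructed data; field names are assumptions, not a ServiceNow API.
// ACL records copied by hand from sys_security_acl (sys_ids are the ones quoted in the article,
// except the snc_internal ACL, whose sys_id the article does not give).
const acls = {
  "0f979f6d775330107190308eec5a9973": { table: "sc_task", op: "read", roles: ["sn_dpm.dpm_manager"], active: true },
  "59c915423b6010108ed00d8044efc4ee": { table: "sc_task", op: "read", roles: ["itil"], active: false },
  "7dda24f7c0a801661e313298ad512a7d": { table: "sc_task", op: "read", roles: ["itil"], active: false },
  "PLACEHOLDER_SNC_INTERNAL_ACL":     { table: "sc_task", op: "read", roles: ["snc_internal"], active: true },
};

// Roles of the test user from step 2 (no sn_dpm.dpm_manager, per step 6).
const userRoles = { testuser: ["snc_internal", "itil"] };

// Observations transcribed by hand from the security debug output (constructed).
const observations = [
  { step: 10, user: "testuser", passedAcl: "0f979f6d775330107190308eec5a9973" },
  { step: 14, user: "testuser", passedAcl: "PLACEHOLDER_SNC_INTERNAL_ACL" },
];

// Classify one "ACL passed" observation against what the records say should be possible.
function auditObservation(obs) {
  const acl = acls[obs.passedAcl];
  if (!acl) return { ...obs, verdict: "unknown_acl", missing: [] };
  // An ACL that was deactivated (step 5) should never be reported as passed.
  if (!acl.active) return { ...obs, verdict: "inactive_acl_passed", missing: [] };
  const held = new Set(userRoles[obs.user] || []);
  // Role check: no required roles, or the user holds at least one of them.
  const ok = acl.roles.length === 0 || acl.roles.some((r) => held.has(r));
  return ok
    ? { ...obs, verdict: "consistent", missing: [] }
    : { ...obs, verdict: "role_mismatch", missing: acl.roles };
}

// Audit a whole list and return only the anomalies for triage.
function findAnomalies(list) {
  return list.map(auditObservation).filter((r) => r.verdict !== "consistent");
}

for (const r of findAnomalies(observations)) {
  console.log(`step ${r.step}: ${r.user} passed ${r.passedAcl} -> ${r.verdict}`,
              r.missing.length ? `(requires one of: ${r.missing.join(", ")})` : "");
}
```

A role_mismatch result for the sn_dpm ACL before the flush, and none after it, matches the behaviour described in this Known Error.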