
🚨 Stop Using Before Query Business Rules as a Security Shortcut in ServiceNow

ServiceNow Community · Jul 03, 2025 · article

Let’s talk about something that’s often misunderstood — and misused — in the ServiceNow platform:

Before Query Business Rules (BQBRs)

At first glance, they seem like a great way to control who sees what. You just add a filter at the query level, and problem solved… right?

Not exactly. In fact, this approach can open up serious security loopholes.


🔍 What Are Before Query Business Rules?

Before Query Business Rules run before a database query is executed. Their job is to modify that query so it returns a narrower set of records.

They’re commonly triggered in:

  • List views
  • Global searches
  • Reference field lookups

So yes — they do control data visibility. But here's the catch:


❌ They're Not Meant for Security

Let’s be very clear:

Before Query Rules are not a replacement for Access Controls (ACLs).

Why? Because they only apply in specific UI scenarios. A user who is restricted in one area can still reach the same records through another, such as dot-walking or reports.


🧪 A Real Example: How Things Can Go Wrong

Imagine this:

Use Case:

Your organization wants to prevent non-admins from seeing inactive users. Instead of setting up ACLs, a developer creates a BQBR that filters out inactive records from sys_user.

Seems fine. But then…

What happens?

  • A non-admin opens a report on incidents (which they’re allowed to see).
  • The report includes a dot-walked field like caller.active.
  • The system follows the reference and pulls in inactive user records.

And just like that — the filter is bypassed. The user sees data they shouldn’t.


⚠️ This Is Why It’s Dangerous

Before Query Rules don’t run in all contexts. They don’t apply:

  • Inside reports
  • Through scripts (e.g. GlideRecord)
  • When dot-walking in certain UI components

If you're relying on BQBRs for security, you're leaving gaps. Big ones.
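To make the gap concrete, here is an added illustration (not ServiceNow platform code, and not from the original article): a tiny model with a constructed sys_user and incident table, a query-level filter that is only consulted in the list path, and a per-record ACL check that is consulted in every path. The names `beforeQueryRule`, `aclRead`, `listUsers` and `reportCallerActive` are assumptions for this model.

```javascript
// Added illustration only: a simplified model of the bypass described above.
// Constructed sample data standing in for sys_user and incident.
const users = [
  { sys_id: "u1", name: "Alice", active: true },
  { sys_id: "u2", name: "Bob", active: false }, // the record we want hidden
];
const incidents = [
  { sys_id: "i1", number: "INC0001", caller: "u1" },
  { sys_id: "i2", number: "INC0002", caller: "u2" },
];

// Model of a Before Query Business Rule on sys_user: it only narrows the
// query, and in this model it is consulted only by the list/query path.
function beforeQueryRule(user, query) {
  if (!user.roles.includes("admin")) query.push(r => r.active === true);
}

// Model of a read ACL on sys_user: evaluated per record, on every path.
function aclRead(user, record) {
  return user.roles.includes("admin") || record.active === true;
}

// Path 1: a list view of sys_user. The query rule applies here.
function listUsers(user, useAcl) {
  const query = [];
  beforeQueryRule(user, query);
  let rows = users.filter(r => query.every(cond => cond(r)));
  if (useAcl) rows = rows.filter(r => aclRead(user, r));
  return rows.map(r => r.name);
}

// Path 2: an incident report that dot-walks caller.active. The reference is
// resolved directly, so the query rule on sys_user is never consulted; only
// the ACL (when enabled) decides whether the referenced record is readable.
function reportCallerActive(user, useAcl) {
  return incidents.map(inc => {
    const caller = users.find(u => u.sys_id === inc.caller);
    const readable = !useAcl || aclRead(user, caller);
    return { number: inc.number, callerActive: readable ? caller.active : null };
  });
}
```

With only the query rule in place, the report exposes the inactive caller; once the ACL is defined, the dot-walked value is masked for the non-admin on both paths.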


✅ So… When Can You Use Them?

They’re not all bad — just often misused. Here’s when they can help:

  • ✅ Improve user experience by hiding irrelevant records
  • ✅ Speed up dropdowns or list views for performance
  • ✅ Reduce “security constraints prevent access” errors

But only after your ACLs are properly defined.


🔐 The Right Way to Handle Security

Always, always start with:

  • 🔒 ACLs (Access Control Rules)
  • 👥 Role-based access
  • ⚙️ Data policies and conditions

Use BQBRs as a supporting tool, not the foundation. Think of them as UX helpers — not gatekeepers.

Thanks & Regards,

Subham Kumar Shaw

ServiceNow Architect/Consultant

ServiceNow Community Rising Star 2022/2023/2024

Original source: https://www.servicenow.com/community/developer-blog/stop-using-before-query-business-rules-as-a-security-shortcut-in/ba-p/3309171