logo

NJP

← Back to News

Your ACLs and Business Rules are Broken (Here's How to Fix Them)

ServiceNow Developer Pro-Tips · Apr 28, 2023 · article
Tim Woodruff

> _“My ACL requires a given role. A user has that role, but is still failing the access check. The ACL debugger says that the ACL script is what’s failing, but my ACL is not “Advanced” and there’s no script field! What is going on??”_

[ ](https://handbook.snc.guru)

In this article, we’ll discuss an issue with “Advanced” ACLs and Business Rules (_or non-advanced ones that behave as though they’re advanced/scripted_).
This confounding behavior can very often lead to odd, unexpected, and nearly-impossible-to-troubleshoot behavior in the ServiceNow platform.

At the bottom of the article, you’ll find a **free tool** to solve these problems, and provide a better experience for developers and administrators in your instance!

_If you enjoy this article, don’t forget to_ [**_subscribe_**](https://snprotips.com/subscribe) _to SN Pro Tips to get more neat stuff in your inbox!_
_If you want to learn more about ServiceNow development, administration, and architecture tips, tricks, and best-practices, consider checking out my book:_ [**_The ServiceNow Development Handbook_**](https://handbook.snc.guru)_!_

---

# The Problem

Imagine you start creating an ACL (_or a Business_ Rule for that matter). You begin by checking the **Advanced** checkbox, and writing some code to check if certain conditions are met. If so, your code then checks if the user has some specific role.

Before you even finish writing your script, let alone optimizing it, you smack your forehead and realize that you can just use the condition builder and a simple role-check for this ACL. No script necessary!
So, you set the condition field, add a role to the ACL, and _un-check_ _the_ **_Advanced_** _checkbox_.
The “Script” field disappears from the form, and you’re back to looking at a simple ACL, configured exactly as you wanted it.
All done, right?

Bad news, chum. **Un-checking that checkbox did precisely _nothing_**, aside from _hiding_ the Script field. That script is _still going to execute every time your ACL is triggered_!

Bro, Wut?

It’s true. The Script in your ACL _or Business Rule_ will still run — errors and all — even when the Advanced checkbox is un-checked!

But that’s not all… In my relatively out-of-box PDI, there are **54 OOB ACLs** with the “Advanced” checkbox un-checked, but which still contain scripts.
54 ACLs which have hidden code executing in the background every time they run.
54 ACLs that will be damn-near impossible to troubleshoot unless you just _happen_ to know this little nugget of info, and specifically check for it.

# It’s Worse for Business Rules

The same issue applies to Business Rules in ServiceNow, but more-so.
If you have a Business Rule with some code in the **Script** field and/or the “**Delete**” or “**Query**” operation checkboxes checked, and you set the **Advanced** field to false, it will hide the script field… but then, if you save the BR, it will **re-enable the Advanced field** (and those checkboxes and script will still apply) without even telling you!

On one hand, you might consider this a good thing. The _next_ time you load that BR, you’ll be able to at least _see_ the Script field to troubleshoot it.
On the other hand, the fact that it doesn’t even inform you that this is happening, is… frustrating, to say the least. This can certainly lead to all manner of unexpected behavior, performance impacts, and security concerns, just like the issue with ACLs can.

# The Solution

"_Okay Tim_", you reply. "_If you're so smart, then what's the solution?_"

First of all, thank you for acknowledging that I'm brilliant and handsome.

"_I didn't say you were--_"

**_Anyway_** \- one option is to make sure that you (and all other developers in your environment) _always remove any scripts_ in the Script field of any BRs or ACLs before un-checking the “Advanced” checkbox.
I, however, am an idiot, and will very likely forget to do that. I _certainly_ wouldn’t rely on everyone else - even junior devs - to know this, and remember it every time they interact with a BR or ACL.

So - I’ve written a little tool that’ll sort all of this out for you.
It has the following features:

* When the “Advanced” checkbox is _un-checked_ on an ACL or BR, if any code exists that is not commented out in the script field, it adds special comments to the script field that preserve the original script’s value, but prevent it from executing. A notification is shown, indicating that this was done.

* When the “Advanced” checkbox is _checked_ on an ACL or BR, if there is code in the Script field which was previously commented out (using those special comments mentioned above), then the code is un-commented so that the original functionality is restored.
A notification is shown, indicating that this was done.
This prevents “_hidden code_” from executing without your knowledge, making it extremely difficult to troubleshoot performance, security, or logic bugs; not to mention the potential security risks that would arise if code is running as part of your ACL that you don’t expect!

* When the “Advanced” checkbox is _un-checked_ on a Business Rule, if the “Delete” or “Query” checkboxes were checked before the update, they will be un-checked, and a field message will be shown indicating that this was done.
(_If this is not done, then saving the Business Rule after un-checking “Advanced” will not disable the Delete or Query operations. Instead, when the form reloads, Delete and/or Query (along with Advanced) will all be re-checked without even notifying you!_)

* When a Business Rule or ACL is loaded where the “Advanced” checkbox is _un-checked_, but a script containing code (that isn’t commented out) is **already present** (such as if it existed before this tool was installed), an error message is shown at the top of the form to indicate that this is the case.
This should help with troubleshooting issues that result from this confounding platform behavior (which ServiceNow refuses to acknowledge as a platform bug, and therefore isn’t likely to fix).

# [**Download**](https://snprotips.com/s/SNG-Fix-Advanced-ACL-and-BR-Scripts-v10.xml)

Download the Advanced ACL and Business Rule Helper tool as an Update Set by **clicking the link above**.
All you have to do is [**install the Update Set**](https://snprotips.com/installing-an-update-set-from-xml) from the downloaded XML file, and you’re good to go!

You can see all the Client Scripts in this tool before downloading it if you like, in [this public Gist](https://gist.github.com/thisnameissoclever/c0cc7420cc237e8974130e52b2821278).

---

## Subscribe

Sign up with your email address to receive news and updates.

First Name Last Name

Email Address Sign Up

We respect your privacy.

Thank you!

---

* [ 2026](https://snprotips.com/blog?year=2026)
* Jan 8, 2026 [Flow Designer vs. Scripting - REST Message Performance](https://snprotips.com/blog/)
* [ 2025](https://snprotips.com/blog?year=2025)
* Sep 29, 2025 [Find Filthy Inefficient Single-Record Queries FAST](https://snprotips.com/blog/)
* Sep 14, 2025 [Communicating Changes to Your Users (& Setting Default User Preferences in ServiceNow)](https://snprotips.com/blog/)
* Mar 24, 2025 [Calculate Distance Between Two Locations in ServiceNow (without an API call!)](https://snprotips.com/blog/)
* Mar 11, 2025 [5 Ways to Check your ServiceNow Instance for DANGEROUS CODE in Less Than 5 minutes](https://snprotips.com/blog/)
* [ 2024](https://snprotips.com/blog?year=2024)
* Mar 28, 2024 [How to Identify Duplicate Records by Multiple Fields in ServiceNow](https://snprotips.com/blog/)
* Mar 7, 2024 [How to Merge Personal & Company ServiceNow Accounts](https://snprotips.com/blog/)
* Feb 12, 2024 [5 Lessons About Programming From Richard Feynman](https://snprotips.com/blog/)
* [ 2023](https://snprotips.com/blog?year=2023)
* Jul 5, 2023 [Managing Instance-Specific System Properties for Dev/Test/Prod in ServiceNow](https://snprotips.com/blog/)
* Apr 28, 2023 [Your ACLs and Business Rules are Broken (Here's How to Fix Them)](https://snprotips.com/blog/)
* [ 2022](https://snprotips.com/blog?year=2022)
* Dec 13, 2022 [ServiceNow Developers: BE THE GUIDE!](https://snprotips.com/blog/)
* Oct 19, 2022 [A Faster, More Efficient Client-side GlideRecord (Free tool!)](https://snprotips.com/blog/)
* Oct 9, 2022 [Animated Loading Message & Collapsible Details on ServiceNow Form or Field (Client-side)](https://snprotips.com/blog/)
* Aug 23, 2022 [Using .addJoinQuery() & How to Query Records with Attachments in ServiceNow](https://snprotips.com/blog/)
* Aug 18, 2022 [Free, Simple URL Shortener for ServiceNow Nerds (snc.guru)](https://snprotips.com/blog/)
* Aug 16, 2022 [How to Get and Parse ServiceNow Journal Entries as Strings/HTML](https://snprotips.com/blog/)
* Aug 14, 2022 [New tool: Get Latest Version of ServiceNow Docs Page](https://snprotips.com/blog/)
* Mar 4, 2022 [How to Set or Change ServiceNow Application's Repository URL, Credentials, or SSH Key](https://snprotips.com/blog/)
* Feb 7, 2022 [How to return a CSV file from a Scripted REST API (SRAPI) in ServiceNow](https://snprotips.com/blog/)
* [ 2021](https://snprotips.com/blog?year=2021)
* May 3, 2021 [Adding a Guided Setup to Your ServiceNow Application](https://snprotips.com/blog/)
* Apr 27, 2021 [Use Automated Tests to Validate "Guided Setup" Completion & Functionality.](https://snprotips.com/blog/)
* Feb 11, 2021 ["Processors", SRAPIs, and How to Run a Script and Redirect a User From a URL in ServiceNow](https://snprotips.com/blog/)
* [ 2020](https://snprotips.com/blog?year=2020)
* Nov 17, 2020 [SN Guys is now part of Jahnel Group!](https://snprotips.com/blog/)
* Sep 14, 2020 [Better ServiceNow Notifications (& Another FREE Tool!)](https://snprotips.com/blog/)
* Jul 31, 2020 [Debugging Client & Catalog Client Scripts in ServiceNow](https://snprotips.com/blog/)
* Jan 20, 2020 [Getting Help from the ServiceNow Community](https://snprotips.com/blog/)
* [ 2019](https://snprotips.com/blog?year=2019)
* Dec 18, 2019 [Can ServiceNow Script Includes Use the "current" Variable?](https://snprotips.com/blog/)
* Nov 18, 2019 [Handling 'text/plain' and Other Unsupported Content Types in ServiceNow Scripted REST APIs](https://snprotips.com/blog/)
* Apr 21, 2019 [Understanding Attachments in ServiceNow](https://snprotips.com/blog/)
* Apr 10, 2019 [Using Custom Search Engines in Chrome to Quickly Navigate ServiceNow](https://snprotips.com/blog/)
* Apr 4, 2019 [Set Catalog Variables from URL Params (Free tool)](https://snprotips.com/blog/)
* Apr 1, 2019 [Outlook for Android Breaks Email Approvals (+Solution)](https://snprotips.com/blog/)
* Mar 11, 2019 [GlideFilter is Broken - Free Tool: “BetterGlideFilter”](https://snprotips.com/blog/)
* Feb 27, 2019 [Making Update Sets Smarter - Free Tool](https://snprotips.com/blog/)
* [ 2018](https://snprotips.com/blog?year=2018)
* Nov 29, 2018 [How to Learn ServiceNow](https://snprotips.com/blog/)
* Nov 6, 2018 [ServiceNow & ITSM as a Career?](https://snprotips.com/blog/)
* Oct 19, 2018 [Asynchronous onSubmit Catalog/Client Scripts in ServiceNow](https://snprotips.com/blog/)
* Oct 11, 2018 [How to do Massive, Slow Database Operations Efficiently With Event-Driven Recursion](https://snprotips.com/blog/)
* Sep 18, 2018 [Broken Queries & Query Business Rules in ServiceNow](https://snprotips.com/blog/)
* Sep 7, 2018 [JournalRedactor - Easily Redact or Delete Journal Entries in ServiceNow!](https://snprotips.com/blog/)
* Jul 23, 2018 [Admin Duty Separation with a Single Account](https://snprotips.com/blog/)
* Jun 19, 2018 [Improving Performance on Older Instances with Table Rotation](https://snprotips.com/blog/)
* Jun 4, 2018 [New Free Tool: Login Link Generator](https://snprotips.com/blog/)
* May 29, 2018 [Learning ServiceNow: Second Edition!](https://snprotips.com/blog/)
* Apr 17, 2018 [Upgrading From Express to Enterprise: What's Missing](https://snprotips.com/blog/)
* Apr 12, 2018 [If a Genie Gave Me Three Wishes, I'd Use Them All to "Fix" Scope](https://snprotips.com/blog/)
* Mar 19, 2018 [Service Catalog "Try in Portal" button](https://snprotips.com/blog/)
* Mar 15, 2018 [Video: Custom Output Transition Conditions From a Single Workflow (Script) Activity](https://snprotips.com/blog/)
* Feb 11, 2018 [We have a new book! ](https://snprotips.com/blog/)
* [ 2017](https://snprotips.com/blog?year=2017)
* Nov 6, 2017 [Requiring Attachments (& Other Miracles) in Service Portal](https://snprotips.com/blog/)
* Sep 12, 2017 [Handling TimeZones in ServiceNow (TimeZoneUtil)](https://snprotips.com/blog/)
* Jul 27, 2017 [How to Enable DOM Manipulation in ServiceNow Service Portal Catalog Client Scripts](https://snprotips.com/blog/)
* Jun 25, 2017 [What's New in ServiceNow: Jakarta (Pt. 1)](https://snprotips.com/blog/)
* Jun 4, 2017 [Powerful Scripted Text Search in ServiceNow](https://snprotips.com/blog/)
* May 9, 2017 [Work at Lightspeed: ServiceNow's Plan for World Domination](https://snprotips.com/blog/)
* Apr 9, 2017 [Avoiding Pass-By-Reference Using getValue() & setValue()](https://snprotips.com/blog/)
* Apr 4, 2017 ["Learning ServiceNow" is Now Available for Purchase!](https://snprotips.com/blog/)
* Mar 12, 2017 [reCAPTCHA in ServiceNow CMS/Service Portal](https://snprotips.com/blog/)
* [ 2016](https://snprotips.com/blog?year=2016)
* Dec 20, 2016 [Pro Tip: Use updateMultiple() for Maximum Efficiency! ](https://snprotips.com/blog/)
* Dec 2, 2016 [We're Writing a Book! ](https://snprotips.com/blog/)
* Nov 10, 2016 [Chrome Extension: Load in ServiceNow Frame](https://snprotips.com/blog/)
* Sep 7, 2016 [Force-Include Any Record Into an Update Set](https://snprotips.com/blog/)
* Sep 1, 2016 [GlideRecord Pagination - Page through your GlideRecord query](https://snprotips.com/blog/)
* Jul 17, 2016 [Granting Temporary Roles/Groups in ServiceNow](https://snprotips.com/blog/)
* Jul 15, 2016 [Scripted REST APIs & Retrieving RITM Variables via SRAPI](https://snprotips.com/blog/)
* May 17, 2016 [What's New in Helsinki?](https://snprotips.com/blog/)
* Apr 27, 2016 [Customizing UI16 Through CSS and System Properties](https://snprotips.com/blog/)
* Apr 5, 2016 [ServiceNow Versions: Express Vs. Enterprise](https://snprotips.com/blog/)
* Mar 28, 2016 [Update Set Collision Avoidance Tool: V2](https://snprotips.com/blog/)
* Mar 18, 2016 [ServiceNow: What's New in Geneva & UI16 (Pt. 2)](https://snprotips.com/blog/)
* Feb 22, 2016 [Reference Field Auto-Complete Attributes](https://snprotips.com/blog/)
* Feb 6, 2016 [GlideRecord & GlideAjax: Client-Side Vs. Server-Side](https://snprotips.com/blog/)
* Feb 1, 2016 [Make Your Log Entries Easier to Find](https://snprotips.com/blog/)
* Jan 29, 2016 [A Better, One-Click Approval](https://snprotips.com/blog/)
* Jan 25, 2016 [Quickly Move Changes Between Update Sets](https://snprotips.com/blog/)
* Jan 20, 2016 [Customize the Reference Icon Pop-up](https://snprotips.com/blog/)
* Jan 7, 2016 [ServiceNow: Geneva & UI16 - What's new](https://snprotips.com/blog/)
* Jan 4, 2016 [Detect/Prevent Update Set Conflicts Before They Happen](https://snprotips.com/blog/)
* [ 2015](https://snprotips.com/blog?year=2015)
* Dec 28, 2015 [SN101: Boolean logic and ServiceNow's Condition Builder](https://snprotips.com/blog/)
* Dec 17, 2015 [Locate any record in any table, by sys\_id in ServiceNow](https://snprotips.com/blog/)
* Dec 16, 2015 [Detecting Duplicate Records with GlideAggregate](https://snprotips.com/blog/)
* Dec 11, 2015 [Array.indexOf() not working in ServiceNow - Solution! ](https://snprotips.com/blog/)
* Dec 2, 2015 [Understanding Dynamic Filters & Checking a Record Against a Filter Using GlideFilter](https://snprotips.com/blog/)
* Oct 20, 2015 [Bookmarklet: Load the current page in the ServiceNow frame](https://snprotips.com/blog/)
* Aug 27, 2015 [Easily Clone One User's Access to Another User](https://snprotips.com/blog/)

View original source

https://snprotips.com/blog/2023/4/28/your-servicenow-acls-are-broken