# Query Range ACL Errors

## Overview

In **May 2025**, ServiceNow applied a **platform-wide security patch** which automatically created additional *Access Control List (ACL)* records on customer instances.

This change unintentionally affected the **ShareLogic Unifi** application by generating dozens of redundant ACLs.

Unifi already enforces strict access control within its own data model. These extra ACLs **do not enhance security**, but they **can block access to transactional data** and cause *query range errors* when using Unifi tables.

***

## Symptoms

You may encounter one or more of the following:

* Error messages such as **“Insufficient query range”** or **“Access denied to table…”**
* Inability to query or list transactional records through Unifi interfaces or APIs
* Unexpected filtering or empty results when viewing Unifi data

***

## Cause

The May 2025 ServiceNow patch created new ACLs in the Unifi scope (`x_snd_eb`) under the system user `@@snc_write_audit@@`. These records override Unifi’s intended access rules.

***

## Resolution

You can safely disable these redundant ACLs. Use the script below to identify and deactivate them.

**Prerequisites**

* `admin` and `security_admin` roles

**Steps**

1. Set the application picker to **ShareLogic Unifi** and choose a suitable update set.
2. Elevate privileges to `security_admin`.
3. Navigate to **System Definition → Scripts - Background**.
4. Paste the following script into the editor.
5. Click **Run Script**.
6. Review the system log for confirmation.
7. Commit or migrate the resulting update set through your normal release process.

```javascript
/**
 * ShareLogic Unifi - Disable unnecessary query_range ACLs
 *
 * In May 2025, ServiceNow deployed a platform-wide security patch which
 * automatically created numerous unnecessary ACLs in the ShareLogic Unifi
 * application. Unifi already implements its own robust access controls, and
 * these additional ACLs provide no further security benefit. Their only effect
 * is to trigger "query range" errors when accessing Unifi tables.
 *
 * Since these ACLs are unique to each instance, you can use this script to
 * disable them and restore Unifi to its intended behaviour.
 *
 * For more information, see:
 * https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2046494
 * https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2130442
 */
(function disableUnifiQueryRangeACLs() {

  // ---- Role checks (fail-fast) ----
  if (!gs.hasRole('security_admin')) {
    gs.debug('Abort: security_admin role is required (elevate privileges first).');
    return;
  }

  var q = new GlideRecord('sys_security_acl');
  q.addQuery('sys_scope', '74f0b4550f8ca20094f3c09ce1050e6a'); // Unifi [x_snd_eb]
  q.addQuery('sys_created_by', '@@snc_write_audit@@');
  q.addQuery('active', true);
  q.query();

  var total = 0, updated = 0, failed = 0;

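  while (q.next()) {
    total++;
    var sysId = q.getUniqueValue();

    q.setValue('active', false);

    if (q.update()) {
      updated++;
    } else {
      failed++;
      // Re-read the record so the log shows its stored state after the failed update
      var v = new GlideRecord('sys_security_acl');
      v.get(sysId);
      gs.debug('Update failed: sys_id=' + sysId + ' (active=' + (v.isValidRecord() ? v.getValue('active') : 'N/A') + ')');
    }
  }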

  gs.info([
    'Unifi ACL disable summary:',
    '  total matched: ' + total,
    '  updated: ' + updated,
    '  failed: ' + failed
  ].join('\n'));
})();
```
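
Because the script above deactivates access controls, it is worth reviewing exactly which records it will match before running it. The following read-only dry run is an added example, not ShareLogic's code: it applies the same three filters and reports each matching ACL's `sys_id`, operation and name without updating anything. Passing the `GlideRecord` constructor in as the hypothetical parameter `GR` is an assumption made so the function can also be exercised against a stub outside an instance.

```javascript
// Added example (not part of the Unifi script): read-only inventory of the
// ACLs that the disable script would match. It performs no updates.
function listUnifiPatchAcls(GR) {
  // GR is the GlideRecord constructor, injected so the logic can be tested
  // against a stub when no ServiceNow instance is available (assumption).
  var acl = new GR('sys_security_acl');
  acl.addQuery('sys_scope', '74f0b4550f8ca20094f3c09ce1050e6a'); // Unifi [x_snd_eb]
  acl.addQuery('sys_created_by', '@@snc_write_audit@@');
  acl.addQuery('active', true);
  acl.query();

  var byOperation = {};
  var rows = [];
  while (acl.next()) {
    // Display value of the operation reference, e.g. the ACL operation name
    var op = acl.getDisplayValue('operation');
    byOperation[op] = (byOperation[op] || 0) + 1;
    rows.push(acl.getUniqueValue() + '  ' + op + '  ' + acl.getValue('name'));
  }

  return { total: rows.length, byOperation: byOperation, rows: rows };
}

// Runs only where the platform globals exist (Scripts - Background).
if (typeof GlideRecord !== 'undefined' && typeof gs !== 'undefined') {
  var report = listUnifiPatchAcls(GlideRecord);
  gs.info([
    'Unifi ACL dry run: ' + report.total + ' active ACL(s) matched',
    'Count by operation: ' + JSON.stringify(report.byOperation)
  ].concat(report.rows).join('\n'));
}
```

Keep the output with the update set so the change can be reviewed against it, and so the listed `sys_id` values identify which records to reactivate if the change has to be reversed.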


