Query Range ACL Errors

Troubleshooting: Query Range ACL Errors After May 2025 ServiceNow Patch

Overview

In May 2025, ServiceNow applied a platform-wide security patch which automatically created additional Access Control List (ACL) records on customer instances.

This change unintentionally affected the ShareLogic Unifi application by generating dozens of redundant ACLs.

Unifi already enforces strict access control within its own data model. These extra ACLs do not enhance security, but they can block access to transactional data and cause query range errors when using Unifi tables.


Symptoms

You may encounter one or more of the following:

  • Error messages such as “Insufficient query range” or “Access denied to table…”

  • Inability to query or list transactional records through Unifi interfaces or APIs

  • Unexpected filtering or empty results when viewing Unifi data


Cause

The May 2025 ServiceNow patch created new ACLs in the Unifi scope (x_snd_eb) under the system user @@snc_write_audit@@. These records override Unifi’s intended access rules.


Resolution

You can safely disable these redundant ACLs. Use the script below to identify and deactivate them.

Prerequisites

  • admin and security_admin roles

Steps

  1. Set the application picker to ShareLogic Unifi and choose a suitable update set.

  2. Elevate privileges to security_admin.

  3. Navigate to System Definition → Scripts - Background.

  4. Paste the following script into the editor.

  5. Click Run Script.

  6. Review the system log for confirmation.

  7. Commit or migrate the resulting update set through your normal release process.

/**
 * ShareLogic Unifi - Disable unnecessary query_range ACLs
 *
 * In May 2025, ServiceNow deployed a platform-wide security patch which
 * automatically created numerous unnecessary ACLs in the ShareLogic Unifi
 * application. Unifi already implements its own robust access controls, and
 * these additional ACLs provide no further security benefit. Their only effect
 * is to trigger "query range" errors when accessing Unifi tables.
 *
 * Since these ACLs are unique to each instance, you can use this script to
 * disable them and restore Unifi to its intended behaviour.
 *
 * For more information, see:
 * https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2046494
 * https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2130442
 */
(function disableUnifiQueryRangeACLs() {

  // ---- Role checks (fail-fast) ----
  // Logged at error level so the abort is visible even when debug logging is off.
  if (!gs.hasRole('security_admin')) {
    gs.error('Abort: security_admin role is required (elevate privileges first).');
    return;
  }

  var q = new GlideRecord('sys_security_acl');
  q.addQuery('sys_scope', '74f0b4550f8ca20094f3c09ce1050e6a'); // Unifi [x_snd_eb]
  q.addQuery('sys_created_by', '@@snc_write_audit@@');
  q.addQuery('active', true);
  q.query();

  var total = 0, updated = 0, failed = 0;

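  while (q.next()) {
    total++;

    var sysId = q.getUniqueValue();
    q.setValue('active', false);

    if (q.update()) {
      updated++;
    } else {
      failed++;
      // Re-read the record to report its stored state after the failed update.
      var v = new GlideRecord('sys_security_acl');
      var found = v.get(sysId);
      gs.error('Update failed: sys_id=' + sysId + ' (active=' + (found ? v.getValue('active') : 'N/A') + ')');
    }
  }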

  gs.info([
    'Unifi ACL disable summary:',
    '  total matched: ' + total,
    '  updated: ' + updated,
    '  failed: ' + failed
  ].join('\n'));
})();
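
The script above selects ACLs by scope and creator only, not by operation. The following read-only preview is an added example, not part of the original article or ShareLogic's code; it uses the same three filters and flags any match whose operation is not query_range so it can be reviewed before anything is disabled. The function names, the GlideRecord constructor parameter, and the assumption that the operation field's display value is the operation name are illustrative.

```javascript
// Added example (not ShareLogic's code): read-only preview of the ACLs the
// disable script would match. It performs no updates.
function previewUnifiAcls(GlideRecordCtor) {
  var acl = new GlideRecordCtor('sys_security_acl');
  acl.addQuery('sys_scope', '74f0b4550f8ca20094f3c09ce1050e6a'); // Unifi [x_snd_eb]
  acl.addQuery('sys_created_by', '@@snc_write_audit@@');
  acl.addQuery('active', true);
  acl.query();

  var report = { total: 0, byOperation: {}, unexpected: [] };
  while (acl.next()) {
    // Assumption: the display value of 'operation' is the operation name.
    var op = acl.getDisplayValue('operation');
    report.total++;
    report.byOperation[op] = (report.byOperation[op] || 0) + 1;
    if (op !== 'query_range') {
      // Outside the query_range set the article describes: review by hand.
      report.unexpected.push({
        sys_id: acl.getUniqueValue(),
        name: acl.getValue('name'),
        operation: op
      });
    }
  }
  return report;
}

function formatAclReport(report) {
  var lines = ['Unifi ACL preview (no changes made):',
               '  total matched: ' + report.total];
  Object.keys(report.byOperation).sort().forEach(function (op) {
    lines.push('  ' + op + ': ' + report.byOperation[op]);
  });
  report.unexpected.forEach(function (r) {
    lines.push('  REVIEW: ' + r.name + ' [' + r.operation + '] sys_id=' + r.sys_id);
  });
  return lines.join('\n');
}

// On an instance (Scripts - Background) GlideRecord and gs are globals;
// elsewhere this guard leaves the functions defined and does nothing.
if (typeof GlideRecord !== 'undefined' && typeof gs !== 'undefined') {
  gs.info(formatAclReport(previewUnifiAcls(GlideRecord)));
}
```

If the preview lists any REVIEW lines, check those ACLs individually before running the disable script.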
