ACC Allow List: Oracle LMS SQL File Copy Blocked During DiscoveryIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } During Oracle LMS Discovery, (step- put Oracle LMS sql file) the ACC pattern attempts to copy a SQL query file to the system's temporary directory using a cp command over an SSH-based ad-hoc check. The ACC agent blocks this command because it is not present in the configured allow list, causing the pattern execution to fail with the following error: check command denied by the agent allow list. Context: Asset allow list empty, using agent config file allow list. Did not find exec entry. Symptoms<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Affected command The Discovery pattern runs the following SSH command on the ACC-managed host: cp /var/cache/servicenow/agent-client-collector/pattern-execution/bin/db_queries_to_csv.sql $TMPDIR Log reference — full error snippet Here is the complete relevant log output observed when the allow list blocks the cp command: 2026-04-06 17:16:19: Following file is available on ACC host using ACC plugins: /var/cache/servicenow/agent-client-collector/pattern-execution/bin/db_queries_to_csv.sql 2026-04-06 17:16:19: Executing SSH command: cp /var/cache/servicenow/agent-client-collector/pattern-execution/bin/db_queries_to_csv.sql $TMPDIR 2026-04-06 17:16:19: Using ACC connection to execute command on Unix agent with id: <agent-id> 2026-04-06 17:16:19: Exception occurred when executing command on agent. error while processing the adhoc check request: command failed due to allow list exclusion: check command denied by the agent allow list. Context: Asset allow list empty, using agent config file allow list. Did not find exec entry. Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Any Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The ACC agent evaluates this command against its allow list before execution. If no matching exec entry exists, the command is denied regardless of file permissions or user privileges. ComponentDetailError typeACC allow list enforcement — command not permittedBlocked binarycp (typically resolves to /bin/cp)Allow list usedAgent config file allow list (asset allow list is empty) Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Option 1 — Restrictive (for production environments) Use this entry when you want to permit cp only for the specific Oracle LMS file paths. This is the safer configuration for production environments. { "exec": "cp", "args": [ "/var/cache/servicenow/agent-client-collector/pattern-execution/bin/db_queries_to_csv.sql /tmp", "/var/cache/servicenow/agent-client-collector/pattern-execution/bin/db_queries_to_csv.sql /var/tmp" ], "skip_arguments": false } This permits cp only when called with those exact source-to-destination argument strings. Any other use of cp remains blocked. Option 2 — Less restrictive (non-production or controlled environments only) Use this entry to allow cp with any arguments. This option permits all cp commands on the host. { "exec": "cp", "args": [""], "skip_arguments": true } Note: The "exec" value must be the command name (for example, "cp"), not the full binary path (for example, "/bin/cp"). Using the full path as the exec value is the most common cause of this fix failing. Post-fix verification checklist StepAction1. Locate the allow list fileTypically /opt/agent-client-collector/config/allow-list.json — confirm the path from the agent config.2. Validate JSONThe entire file must be valid JSON. A trailing comma or missing bracket causes the allow list to be silently ignored.3. Confirm array structureThe file root must be an array: [ { "exec": "cp", ... }, { ... } ]4. Resolve $TMPDIRConfirm $TMPDIR on the target host. If it expands to a path other than /tmp or /var/tmp, update the args entries in Option 1 accordingly.5. Restart the ACC agentAfter saving changes, restart the ACC agent service for the new allow list to take effect.6. Run Host collectionRun the Oracle LMS pattern again and confirm the SQL file copy step completes without error.