The Access Control Lists (ACLs) return true, but users with the SOAP role cannot view records in the incident table, and no security constraint message is displayed.
The "incident query" business rule checks, in the script on its Advanced tab, whether the user is interactive. If the user has SOAP roles, the "incident query" business rule treats the user's session as non-interactive.
Manually switch a non-interactive user to an interactive user.
1) Navigate to User Administration --> Users.
2) Search for the user you want to update. For example: System Administrator.
3) Clear the Web Service Access Only check box.
Please refer to the following doc for more information about non-interactive sessions.