Non-role (ESS) users are not able to see group (sys_user_group) records when trying to select a group from any fields or variables that reference the group (sys_user_group) table.
The users are failing the table level read ACL on sys_user_group table.
The OOB ACL: /sys_security_acl.do?sys_id=811f2ddec0a801666be07f00f34794c7
The OOB ACL checks for:
- If the group has the admin role attached to it. If yes, then only users with admin role can view that group
- If the group has the security_admin role attached to it. If yes, then only users with security_admin role can view that group
- Otherwise, if the group doesn't have any of the roles above and if the user has any roles in the instance then grant that user read access to the group record
The OOB ACL can be modified as appropriate to grant non-role users access, or a new similar ACL can be created altogether for the same requirement.