Granular permission for fields/tables in CMDB CI

Marco Moro · ‎10-22-2024

All ITSM fulfiller's are assigned to the role itil. With that role all users have the permission to modify CI entries like Servers, Computers and so on.

We need to find a way to restrict itil user in modifying CMDB entries manually and we need to ensure from a technical, security matter to restrict these manual changes and need to restrict these actions to a dedicated role/user group.
Afaik there is no OOB solution available that we can allow certain fields in specific CMDB CI tables.
Our goal is that we can define some fields that can be modified by e.g. a "support group" of a CI and all other fields are readonly as most fields are populated automatically by foreign sources.

Hint: We just got ITSM license, no CMDB multisource and the question is not related to Services "tables".

Runjay Patel · ‎10-22-2024

Hi @Marco Moro ,

You can create ACL on hardware/cmdb base table. Do the following.

1. create one custom role called "u_cmdb_write_permission".

2. Create one write acl for all column on hardware/cmdb table and add the role created above. This will make non-editable fields for all user who does not have custom role created above.

3. Create field level write acl (for all field which you want to give access to support group). code you can use like below.

answer = gs.getUser().isMemberOf('your group name');

Note: Group name you can fetch it from proprties.

-------------------------------------------------------------------------

If you found my response helpful, please consider selecting "Accept as Solution" and marking it as "Helpful." This not only supports me but also benefits the community.

Regards
Runjay Patel - ServiceNow Solution Architect
LinkedIn: https://www.linkedin.com/in/runjay
YouTube: https://www.youtube.com/@RunjayP

-------------------------------------------------------------------------