CMDB Read role required for catalog intake forms using lookup value?
6 hours ago
We have a catalog item leveraging a lookup value on the CMDB table for users to request decommission or backup/restore of specific devices. Historically we have not seen an issue; today a user raised an access concern and was unable to add or look up the CI for backup/restore within the catalog, and it seems they now need a cmdb_read role.
In my research it states this "may" have license restrictions and can't be granted to general users of the Employee Center portal? Has anyone run into this, and if so, is there a workaround other than removing the lookup and allowing unstructured data and free text on the intake forms?
5 hours ago
Hi @joscan,
The best practice solution in this scenario is to create a restricted Read ACL on the CMDB table, instead of granting the cmdb_read role or moving to free-text input.
This ensures users can only see/select relevant CIs while maintaining security and avoiding licensing concerns.
Best Practice: Restricted CMDB Read ACL
Step-by-Step Implementation
Step 1: Create Read ACL
Navigate to System Security → Access Control (ACL)
Click New
Configure:
Table: cmdb_ci (or a specific class like cmdb_ci_computer)
Operation: read
Step 2: Add Restriction Logic
Use a script to limit access only to relevant records, for example:
- Assigned to user
- Department-based
- Location-based
Step 3: Apply Reference Qualifier (Optional but Recommended)
Open your catalog variable
Add Reference Qualifier:
Step 4: Test with End User
Log in as the affected user
Verify:
- CI lookup works
- Only relevant records are visible
If you find my response helpful or it resolves your issue, kindly mark it as Helpful and Accept the Solution.
This helps others in the community quickly find the correct answer and improves overall knowledge sharing.
Thank you for your support!
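As an added example (not code from the original answer or from ServiceNow), here is the restriction logic the answer describes, written as plain functions so it runs outside the platform. Inside ServiceNow, an ACL script sets the global `answer` and reads the row from `current` and the requester from `gs.getUserID()`, `gs.getUser().getDepartmentID()` and `gs.getUser().getLocation()`; here those are replaced by constructed `ci` and `user` objects, and the rule is returned from a function instead. The field names `assigned_to`, `department` and `location` match cmdb_ci columns; the sys_id values and CI names are constructed sample data. The point worth checking is that the reference qualifier and the ACL agree: the qualifier only trims the pick list, while the ACL is what actually stops a user from reading other CIs through lists, reference lookups or the REST API.

```javascript
// Read-ACL rule for cmdb_ci, expressed as a pure function.
// In the platform this body would end with `answer = ...;` and read
// `current.assigned_to`, gs.getUserID(), etc. Default is deny.
function cmdbReadAllowed(ci, user) {
  // Rule 1: CI is assigned to the requesting user.
  if (ci.assigned_to && ci.assigned_to === user.sys_id) return true;
  // Rule 2: CI belongs to the user's department.
  if (ci.department && ci.department === user.department) return true;
  // Rule 3: CI sits in the user's location.
  if (ci.location && ci.location === user.location) return true;
  // Nothing matched: the row stays hidden.
  return false;
}

// Encoded query for the catalog variable's reference qualifier.
// It mirrors the ACL rule so the lookup only offers rows the ACL would
// let the user read. Empty department/location are skipped so an empty
// value never matches CIs that also have an empty field.
function buildReferenceQualifier(user) {
  var parts = ['assigned_to=' + user.sys_id];
  if (user.department) parts.push('department=' + user.department);
  if (user.location) parts.push('location=' + user.location);
  return parts.join('^OR');
}

// Apply the ACL rule across a CI list, as the platform does per row when
// it renders a list or reference lookup; returns the visible CI names.
function visibleCiNames(cis, user) {
  return cis.filter(function (ci) { return cmdbReadAllowed(ci, user); })
            .map(function (ci) { return ci.name; });
}

// Constructed sample data (not from the original thread).
var USERS = {
  alice: { sys_id: 'u_alice', department: 'd_finance', location: 'l_london' },
  bob:   { sys_id: 'u_bob',   department: 'd_hr',      location: 'l_berlin' }
};
var CIS = [
  { name: 'fin-db-01',   assigned_to: 'u_alice', department: 'd_finance', location: 'l_london' },
  { name: 'hr-app-01',   assigned_to: 'u_bob',   department: 'd_hr',      location: 'l_berlin' },
  { name: 'lon-sw-01',   assigned_to: '',        department: '',          location: 'l_london' },
  { name: 'core-rtr-01', assigned_to: '',        department: '',          location: 'l_dc1' }
];

// Stand-alone run: show what each sample user would see in the lookup.
console.log('alice sees:', visibleCiNames(CIS, USERS.alice).join(', '));
console.log('alice qualifier:', buildReferenceQualifier(USERS.alice));
console.log('bob sees:', visibleCiNames(CIS, USERS.bob).join(', '));
```

Note that the location rule also exposes shared infrastructure at the user's site (lon-sw-01 above) even though it is not assigned to them; decide per class whether that is wanted before enabling the ACL, and test as the affected user rather than as an admin, since admin bypasses ACLs.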
5 hours ago
Hi @joscan,
We have faced the issue a couple of times. At that time we added the user to a group where the Read ACL role is there, and the issue was solved. But those were for SP, not for the Employee Center portal.
For the Employee Center portal, they are supposed to be snc_internal, but getting the cmdb_read role will give them broader visibility to backend data, i.e. CIs.
Though the cmdb_read role is listed as a "Requester" role, for licensing complications you should check once with a ServiceNow account representative to avoid ANY licensing violations.
