CMDB Read role required for catalog intake forms using lookup value?

joscan
Tera Contributor

We have a catalog item leveraging a lookup value on the CMDB table for users to request decommission or backup/restore of specific devices. Historically we have not seen an issue; today a user raised an access concern and was unable to add or look up the CI for backup/restore within the catalog, and it seems they now need a cmdb_read role.
In my research it states this "may" have license restrictions and can't be granted to general users of the employee center portal? Has anyone run into this, and if so is there a workaround over removing the lookup and allowing unstructured data and free text on the intake forms?

1 REPLY

ayushraj7012933
Mega Guru

 

Hi @joscan,

The best practice solution in this scenario is to create a restricted Read ACL on the CMDB table, instead of granting the cmdb_read role or moving to free-text input.

This ensures users can only see/select relevant CIs while maintaining security and avoiding licensing concerns.

Best Practice: Restricted CMDB Read ACL

Step-by-Step Implementation

Step 1: Create Read ACL

  1. Navigate to System Security → Access Control (ACL)

  2. Click New

  3. Configure:

    • Table: cmdb_ci (or specific class like cmdb_ci_computer)

    • Operation: read

Step 2: Add Restriction Logic

Use a script to limit access only to relevant records:

answer = current.assigned_to == gs.getUserID();

You can enhance this based on your requirement:

  • Assigned to user

  • Department-based

  • Location-based

Step 3: Apply Reference Qualifier (Optional but Recommended)

  1. Open your catalog variable

  2. Add Reference Qualifier:

assigned_to=javascript:gs.getUserID()

Step 4: Test with End User

  • Login as affected user

  • Verify:

    • CI lookup works

    • Only relevant records are visible

       

       

If you find my response helpful or it resolves your issue, kindly mark it as Helpful and Accept the Solution.

This helps others in the community quickly find the correct answer and improves overall knowledge sharing.

Thank you for your support!