
I want to grant users read permissions on the “cmdb_ci_service_discovered” table.

hamauzutr13
Tera Contributor

I want to grant users only read permissions for records in the “cmdb_ci_service_discovered” table. They do not need permissions to create, update, or delete records. I assigned the “sn_cmdb_user” role to the user, but when opening the list view, it appears only records where the “operational status” field is set to “Non-Operational” are displayed. I suspect this is a control related to the cmdb_ci table. Could you please tell me which control is causing this? Also, if only read permissions for the “cmdb_ci_service_discovered” table are required, which role would be most appropriate to assign? 


kaushal_snow
Giga Sage

@hamauzutr13 ,

 

It likely means there is a Data Policy, UI Policy or a Business Rule applied on the table (or an inherited class like cmdb_ci) that filters list views for that role to show only non-operational CIs (a common control in CMDB modules to restrict visibility of in-use CIs). If you only need users to have read-only access on cmdb_ci_service_discovered, you can grant them the base read permission by creating a custom ACL (type record; operation = read) on that table and then assign a minimal custom role (for example u_cmdb_read_only_service_discovered) to those users instead of sn_cmdb_user, which carries broader inherited restrictions and filters.

 

If you found my response helpful, please mark it as ‘Accept as Solution’ and ‘Helpful’. This helps other community members find the right answer more easily and supports the community.

 

 

Thanks and Regards,
Kaushal Kumar Jha - ServiceNow Consultant - Let's connect on LinkedIn: https://www.linkedin.com/in/kaushalkrjha/

Tony Branton
ServiceNow Employee

The service_viewer role provides read access to the cmdb_ci_service_discovered table. If you assign the service_viewer and sn_cmdb_user roles to a user, they'll be able to access CMDB Workspace and view CIs in the cmdb_ci_service_discovered table - records will be available for any values of the Operational Status field.

Note that the sn_cmdb_user role contains the app_service_user role so you should be able to read CIs in the cmdb_ci_service_discovered table with just the sn_cmdb_user role assigned.

 

Not sure why records are only appearing if the Operational Status field is set to "Non-operational" when the user has only the sn_cmdb_user role - I couldn't reproduce this on a Zurich instance.