
Limitations on Data Certification Admin Role with CMDB Workspace

Robert Campbell
Tera Guru

We use the role certification_admin for the group that owns the data certification process. This group configures and manages all of the data certifications that happen regardless of the tables being used.

Now, with the CMDB Workspace, the role they need is sn_cmdb_admin and this makes them an admin in this workspace which gives them so much more access than they need.

 

Is there a way to give "admin" access to certifications only?


Community Alums
Not applicable

Hi @Robert Campbell ,

You should try giving them the sn_cmdb_user role, or if there are a few things they are not able to do, then look at the sn_cmdb_editor role.

Tony Branton
ServiceNow Employee

It's not currently possible to grant access to Data Manager with a user role other than sn_cmdb_admin. Data Manager is accessed via the Management page in CMDB Workspace which requires the sn_cmdb_admin role.

While we can investigate extending the data_manager_admin role to provide access to Data Manager, we would also need to investigate how to provide access to users assigned this role without necessarily routing through the Management page.

Alex_Dundon
Tera Contributor

@Tony Branton I would like to echo @BHackenberger's comment. We also have data certification use cases beyond the CMDB. The previous module was perfect for addressing this because the data_cert_admin role just granted the permissions that were necessary to execute and manage the data certification without extra permissions.

By integrating the new data certification functionality into CMDB Data Manager, it forces the granting of extra permissions to folks who need to run a data certification campaign that should not have it. For example, by granting sn_cmdb_admin, it also grants access to modify the CI Class Manager. Besides CMDB Admins and Platform Admins, no one should have access to edit there. The potential impact of a mis-configuration there can be extremely dangerous.

I would strongly recommend that ServiceNow create a standalone role just to manage data certification policies in CMDB Data Manager.

Moving from UI16 to workspace experiences sees legacy standalone applications (like legacy Data Certification) being incorporated as capabilities in workspaces. We could have created a dedicated Data Certification workspace, however this would add yet another workspace - something we're trying to avoid.

Aside from being based on the Data Manager framework, Data Certification was incorporated into CMDB Workspace since that workspace is auto-installed on instances and available to all customers at no charge.

 

We are in the process of performing an extensive redesign of CMDB Workspace and investigating some improvements to specifically address accessing Data Certification tasks.  Two things we're looking into:

 

  • Allowing users with the data_manager_user role access to only tasks in the workspace - all other workspace features only available if a user is assigned one of the sn_cmdb_* roles.
  • Supporting a time-limited role for task assignees allowing users without the data_manager_user role who are assigned tasks the ability to work with those tasks and then have the role unassigned. 

As Data Certification functionality is being incorporated into workspaces other than CMDB Workspace, we're supporting the use of only the Data Manager roles for those use cases.  


As far as managing Data Manager CI life cycle and attestation policies, and configuration settings, these will still require the sn_cmdb_admin role when working in CMDB Workspace.