Limitations on Data Certification Admin Role with CMDB Workspace

Robert Campbell
Tera Guru

We use the role certification_admin for the group that owns the data certification process. This group configures and manages all of the data certifications that happen, regardless of the tables being used.

Now, with the CMDB Workspace, the role they need is sn_cmdb_admin, and this makes them an admin in this workspace, which gives them so much more access than they need.

Is there a way to give "admin" access to certifications only?

Hi @Tony Branton,

Thanks for your clarifications and for shedding light on the reasoning behind your decisions and the improvements you are planning to implement.

That said, I agree with @BHackenberger and @Alex_Dundon that teams needing to run their own attestation and certification policies on data outside of the CMDB should not be required to have the CMDB Admin [sn_cmdb_admin] role.

Granting users the sn_cmdb_admin role provides privileges far beyond what's required for Data Manager usage. It gives full CMDB administrative rights, which are intended for Configuration Managers and CMDB Admins. This approach violates the principle of least privilege and complicates separation of duties.

I imagine many other customers are facing similar challenges. With the deprecation of the legacy Data Certification (com.snc.certification_v2) application in the Zurich release, I can see more and more customers raising the same question and expecting a solution from your side.

These sound like great ideas. One thing I noticed is that if a user clicks on a link to a CMDBTASK, it doesn't take them to the CMDB Workspace view of that task, even if they are the one assigned to the task. They are taken to this view of the task.

RobertCampbell_0-1759852788871.png

And if they are in the old UI, there's no message telling them they need to be in the Next Experience and go to the CMDB Workspace, but maybe we can provide an alert. But I like the effort. I think it would be nice to have it outside of the CMDB, since all areas of ServiceNow could use it.

If you're referring to the link in the email notification taking a user to the UI16 form view, that's been noted and will be addressed in a forthcoming release.