Restrict deletion of ci relationship to a group

Matrix
Tera Contributor


Only the CMDB group should be allowed to delete relationship records in the table cmdb_rel_ci that come from the table cmdb_ci_service_discovered.

1 ACCEPTED SOLUTION

IAmAbhigyaan12
Giga Guru

Hi @Matrix,

The code which you have written is correct; you need to check the other ACLs which are bypassing your ACL.

You can set the other ACL to inactive and try that.

If my answer solved your issue, please mark my answer as Correct and mark it Helpful.

Thanks
Abi


4 REPLIES 4

Dharmaraj5
Tera Contributor

Hello @Matrix,

To achieve this requirement you need to update the existing OOTB 'cmdb_rel_ci' delete ACL with the following script.

ACL sys_id: 810de16dc0a801665dc5c9f84edb4844

Advanced: true

Script:

 

answer = true;
// Only restrict relationships whose parent is a discovered service
if (current.parent.sys_class_name == 'cmdb_ci_service_discovered') {
	if (gs.getUser().isMemberOf('your_cmdb_group_sys_id'))
		answer = true;
	else
		answer = false;
}

 


Please mark Correct and click the thumbs up if my answer helps you resolve your issue. Thanks!
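To make the ACL logic in the replies concrete (Dharmaraj5's script above and Abi's point that another ACL on the same table can override a restrictive one), here is an added example; it is not code from the original thread or from ServiceNow. It runs in plain Node.js with constructed stand-ins for the platform's `current` and `gs` objects; the group sys_id placeholder, the stand-in objects and the sample relationship records are assumptions.

```javascript
// Added example (not from the original thread or from ServiceNow): a Delete ACL
// script for cmdb_rel_ci, plus a minimal offline stand-in for `current` and `gs`.
// Assumption: the CMDB group's sys_id is the placeholder below, and the discovered
// service may sit on either side of the relationship, so parent and child are checked.

var CMDB_GROUP_SYS_ID = 'CMDB_GROUP_SYS_ID'; // placeholder, not a real sys_id

// Body of the advanced Delete ACL script on cmdb_rel_ci. In the real ACL the
// result is assigned to the `answer` variable: answer = aclAnswer(current, gs);
function aclAnswer(current, gs) {
  var restrictedClass = 'cmdb_ci_service_discovered';
  var parentClass = String(current.parent.sys_class_name);
  var childClass = String(current.child.sys_class_name);
  var touchesDiscoveredService =
      parentClass === restrictedClass || childClass === restrictedClass;

  if (!touchesDiscoveredService) {
    return true; // other relationships: leave them to the remaining rules
  }
  // Exact class-name match; subclasses would need instanceOf on the referenced record.
  return gs.getUser().isMemberOf(CMDB_GROUP_SYS_ID);
}

// ServiceNow evaluates every matching table-level ACL for the operation, and the
// user only has to pass ONE of them. A permissive delete rule on cmdb_rel_ci
// therefore still grants deletion when the restrictive rule denies it, which is
// the "other ACL bypassing your ACL" situation described in the thread.
function deleteAllowed(acls, current, gs) {
  return acls.some(function (acl) { return acl(current, gs); });
}

// ---- Constructed stand-ins for the platform objects (assumptions) ----
function makeRecord(parentClass, childClass) {
  return {
    parent: { sys_class_name: parentClass },
    child: { sys_class_name: childClass }
  };
}

function makeGs(groupSysIds) {
  return {
    getUser: function () {
      return {
        isMemberOf: function (g) { return groupSysIds.indexOf(g) !== -1; }
      };
    }
  };
}

// Stand-in for an OOTB-style rule that lets the current user delete unconditionally.
function permissiveOotbAcl(current, gs) {
  return true;
}

// Stand-alone demonstration with constructed records and users.
var cmdbUser = makeGs([CMDB_GROUP_SYS_ID]);
var otherUser = makeGs(['SOME_OTHER_GROUP_SYS_ID']);
var discoveredRel = makeRecord('cmdb_ci_service_discovered', 'cmdb_ci_server');

console.log('restrictive rule alone, non-CMDB user:',
  deleteAllowed([aclAnswer], discoveredRel, otherUser));
console.log('restrictive rule alone, CMDB user:',
  deleteAllowed([aclAnswer], discoveredRel, cmdbUser));
console.log('restrictive rule plus permissive rule, non-CMDB user:',
  deleteAllowed([aclAnswer, permissiveOotbAcl], discoveredRel, otherUser));
```

The last line of the demonstration is the case the accepted answer warns about: the restrictive script is correct, but as long as a second delete ACL on the same table passes for the user, deletion is still allowed. Deactivating or tightening that rule, as suggested above, is what makes the restriction effective.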

 

Samaksh Wani
Giga Sage

Hello @Matrix,

You need to create a Delete ACL for the table.

Script for the ACL:

 

 

// Allow the delete only for members of the CMDB group
if (gs.getUser().isMemberOf('sys_id_of_CMDB_group')) {
	answer = true;
}

 

 

Please mark my solution as Accepted and give me a thumbs up if you find it helpful.

 

Regards,

Samaksh

Harish Bainsla
Kilo Patron
  1. Login to ServiceNow: Log in to your ServiceNow instance with an account that has administrative privileges.
  2. Navigate to Access Control Rules:
    • Go to "System Security" > "Access Control" > "Access Control Rules."
  3. Create a New Access Control Rule:
    • Click the "New" button to create a new access control rule.
  4. Define the Access Control Rule:
    • Name: Give your access control rule a meaningful name, e.g., "Restrict Delete for CMDB Relationships from Service Discovered."
    • Table: Select "cmdb_rel_ci" as the table for which you want to control access.
    • Operation: Choose "Delete" to restrict deletion actions.
    • Condition: In the "Advanced" tab, write a condition to specify that this rule applies only to records associated with the cmdb_ci_service_discovered table.
  5. Define the Roles and Permissions:
    • In the "Roles" section, add the "CMDB" group to the "Role" field. This means that only members of the CMDB group will have the permissions defined in this rule.
    • In the "Permissions" section, set the "Can delete" checkbox to "Deny." This will prevent members of the CMDB group from deleting these records.
  6. Save the Access Control Rule:
    • Click the "Submit" or "Save" button to save the access control rule.
