Restrict deletion of ci relationship to a group

Go to solution
Matrix
Tera Contributor

‎09-02-2023 06:33 AM - edited ‎09-02-2023 07:09 AM


Only CMDB group should be allowed to delete the relationships records in table (cmdb_rel_ci) which are coming from the table cmdb_ci_service_discovered.

0 Helpfuls
  • 724 Views
1 ACCEPTED SOLUTION

Go to solution
IAmAbhigyaan12
Giga Guru

‎09-06-2023 11:46 PM

Hi @Matrix,

The code which you have written is correct you need to check the other ACL's which is bypassing your ACL.

You can set the other ACL to InActive and try that.

If my answer solved your issue, please mark my answer as Correct & hit like Helpful

Thanks
Abi

View solution in original post

4 REPLIES 4

Go to solution
Dharmaraj5
Tera Contributor

‎09-02-2023 06:55 AM

Hello @Matrix ,

 

to achieve this requirement you need to update existing OOTB 'cmdb_rel_ci' delete ACL with following script.

 

ACL sys id-810de16dc0a801665dc5c9f84edb4844

Advance - true

Script:

 

answer=true;
if(current.parent.sys_class_name=='cmdb_ci_service_discovered'){
	if(gs.getUser().isMemberOf('your_cmdb_group_sys_id')
		answer=true;
	else
		answer=false;
}

 

Dharmaraj5_0-1693662892827.pngDharmaraj5_1-1693662915137.png

Please mark Correct and click the Thumb up if my answer helps you resolve your issue. Thanks!

 

0 Helpfuls

Go to solution
Samaksh Wani
Giga Sage

‎09-02-2023 06:58 AM

Hello @Matrix 

 

You need to create a Delete ACL for the table,

 

Script which you write for ACL :-

 

 

if(gs.getUser().isMemberOf('sys_id_of_CMDB_group'){
answer=true;
}

 

 

Plz Mark my Solution as Accept and Give me thumbs up, if you find it helpful.

 

Regards,

Samaksh

0 Helpfuls

Go to solution
Harish Bainsla
Kilo Patron
Kilo Patron

‎09-02-2023 08:16 AM

  1. Login to ServiceNow: Log in to your ServiceNow instance with an account that has administrative privileges.

  2. Navigate to Access Control Rules:

    • Go to "System Security" > "Access Control" > "Access Control Rules."

  3. Create a New Access Control Rule:

    • Click the "New" button to create a new access control rule.

  4. Define the Access Control Rule:

    • Name: Give your access control rule a meaningful name, e.g., "Restrict Delete for CMDB Relationships from Service Discovered."
    • Table: Select "cmdb_rel_ci" as the table for which you want to control access.
    • Operation: Choose "Delete" to restrict deletion actions.
    • Condition: In the "Advanced" tab, write a condition to specify that this rule applies only to records associated with the cmdb_ci_service_discovered table. 

    • Define the Roles and Permissions:

      • In the "Roles" section, add the "CMDB" group to the "Role" field. This means that only members of the CMDB group will have the permissions defined in this rule.
      • In the "Permissions" section, set the "Can delete" checkbox to "Deny." This will prevent members of the CMDB group from deleting these records.

    • Save the Access Control Rule:

      • Click the "Submit" or "Save" button to save the access control rule.
0 Helpfuls

Go to solution
IAmAbhigyaan12
Giga Guru

‎09-06-2023 11:46 PM

Hi @Matrix,

The code which you have written is correct you need to check the other ACL's which is bypassing your ACL.

You can set the other ACL to InActive and try that.

If my answer solved your issue, please mark my answer as Correct & hit like Helpful

Thanks
Abi