Roles required to create an application in the cmdb_ci_appl table

pramodkumar
Tera Expert

Hi All,

We manually create applications in the cmdb_ci_appl table (class = application); for this we have created custom ACLs. What is the OOB role required to create apps in cmdb_ci_appl manually?

Thanks!


kaushal_snow
Mega Sage

Hi @pramodkumar ,

 

Out‑of‑the‑box, to create Application CIs (records in table cmdb_ci_appl) you must have either the itil or asset role, because the standard create, write, and delete ACLs on the cmdb_ci base class (which applies to cmdb_ci_appl and all its subclasses) explicitly include itil + asset in their Requires role list...

 

Try this once and let me know. If you find this helpful, please accept this as a solution and hit the helpful button.

Thanks and Regards,
Kaushal Kumar Jha - ServiceNow Consultant - Let's connect on LinkedIn: https://www.linkedin.com/in/kaushalkrjha/

AJ-TechTrek
Giga Sage

Hi @pramodkumar ,

 

The out-of-the-box (OOB) role required to manually create applications in the cmdb_ci_appl table is:

cmdb_ci_admin

Explanation:
The table cmdb_ci_appl (which is a child of cmdb_ci) is write-protected by ACLs to prevent unauthorized CMDB updates.

To manually create applications in this table through the UI (e.g., via the CMDB workspace or Application list), you need:

 

OOB ACLs (Access Control List) for cmdb_ci_appl:

| Operation | Required Role(s) |
|---|---|
| Read | itil or cmdb_read |
| Write | cmdb_ci_admin |
| Create | cmdb_ci_admin |
| Delete | admin (usually discouraged) |



Without cmdb_ci_admin, the user will get a "security constraints prohibit this operation" error when attempting to insert or update.

 

If You Created Custom ACLs:
Since you mentioned you've created custom ACLs, you may have overridden OOB ones. Ensure your custom ACLs for cmdb_ci_appl allow:
* create and write access
* Conditions or scripts that return true or verify role (e.g., check for a custom role like custom_app_admin)
* Avoid accidentally blocking OOB roles like cmdb_ci_admin

 

Recommended Approach:
1. Use OOB Role: Assign cmdb_ci_admin to users who need to create application CIs.
2. Audit Custom ACLs: Review ACLs on cmdb_ci_appl to ensure you didn’t block OOB behavior.
3. Least Privilege (Optional): If cmdb_ci_admin is too broad, create a custom role and adjust ACLs accordingly for only that table.

 

Please appreciate the efforts of community contributors by marking the appropriate response as Mark my Answer Helpful or Accept Solution; this may help other community users to follow the correct solution in future.
 

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
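
The "Audit Custom ACLs" step can be done by reading the ACL records directly, which also shows which roles a given instance actually requires. The script below is an added example, not code from any reply or from ServiceNow: it lists the table-level ACLs on cmdb_ci_appl and cmdb_ci with their required roles and flags active rules that have no role, condition or script. It assumes the sys_security_acl and sys_security_acl_role tables with the field names used in the code; the sample rows are constructed, and outside an instance the script runs on them instead.

```javascript
// Added example: audit table-level ACLs on cmdb_ci_appl and its parent cmdb_ci.
// SAMPLE_* rows are constructed for illustration, not data from a real instance.
var SAMPLE_ACLS = [
  { sys_id: 'a1', name: 'cmdb_ci', operation: 'create', active: true, condition: '', script: '' },
  { sys_id: 'a2', name: 'cmdb_ci_appl', operation: 'create', active: true, condition: '', script: '' },
  { sys_id: 'a3', name: 'cmdb_ci_appl', operation: 'write', active: true, condition: '', script: '' },
  { sys_id: 'a4', name: 'cmdb_ci_appl', operation: 'delete', active: false, condition: '', script: '' }
];
var SAMPLE_ROLES = [{ acl: 'a1', role: 'itil' }, { acl: 'a1', role: 'asset' },
  { acl: 'a2', role: 'custom_app_admin' }];

// Join each ACL to its required roles. An active rule with no role, condition
// or script places no restriction of its own, so it is flagged for review.
function auditAcls(acls, roleRows) {
  var rolesByAcl = {};
  roleRows.forEach(function (r) {
    (rolesByAcl[r.acl] = rolesByAcl[r.acl] || []).push(r.role);
  });
  return acls.map(function (a) {
    var roles = (rolesByAcl[a.sys_id] || []).slice().sort();
    return { name: a.name, operation: a.operation, active: a.active, roles: roles,
             unrestricted: a.active && roles.length === 0 && !a.condition && !a.script };
  });
}

// On an instance (background script): read the same row shape via GlideRecord.
function loadFromInstance(tables) {
  var acls = [], roleRows = [], ids = [];
  var acl = new GlideRecord('sys_security_acl');
  acl.addQuery('name', 'IN', tables.join(','));
  acl.query();
  while (acl.next()) {
    ids.push(acl.getUniqueValue());
    acls.push({ sys_id: acl.getUniqueValue(), name: acl.getValue('name'),
      operation: acl.getDisplayValue('operation'), active: String(acl.active) === 'true',
      condition: acl.getValue('condition') || '', script: acl.getValue('script') || '' });
  }
  var ar = new GlideRecord('sys_security_acl_role');
  ar.addQuery('sys_security_acl', 'IN', ids.join(','));
  ar.query();
  while (ar.next()) {
    roleRows.push({ acl: ar.getValue('sys_security_acl'), role: ar.getDisplayValue('sys_user_role') });
  }
  return auditAcls(acls, roleRows);
}

var report = typeof GlideRecord !== 'undefined'
  ? loadFromInstance(['cmdb_ci_appl', 'cmdb_ci']) : auditAcls(SAMPLE_ACLS, SAMPLE_ROLES);
var log = typeof gs !== 'undefined' ? function (m) { gs.info(m); } : console.log;
report.forEach(function (r) { log(JSON.stringify(r)); });
```

Any row reported with `unrestricted: true` is a custom or OOB rule worth reviewing before assigning roles, since the role list on it does not limit who passes.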

Ziad Q
Tera Expert

Hi,

Please check your current patch release notes; ServiceNow has updated the roles that have the ability to update CMDB. Please see the Configuration Management Database (CMDB) release notes.

"

CMDB highlights for the Xanadu release

  • Access changes to the CMDB Editor and CMDB Admin user roles:
    • Starting with Xanadu Patch 9, the sn_cmdb_editor and sn_cmdb_admin user roles no longer have create, update, or delete access to records in the Configuration Item [cmdb_ci] class.

 

*Please mark Accept Solution if correct or mark helpful if it does help!