Selective access to CI's in the CMDB

Frank70 · ‎03-11-2024

A customer is trying to only give edit/update rights to the users that own certain ci's.

Is there a way to do this ?

I tried to create an ACL on the cmdb_ci table based on the ownership of the CI's but the write access doesn't seem to work.

Ashok Sasidhara · ‎03-11-2024

If your objective is to give write access rights to users who are owners of certain CI classes, it is better to avoid creating ACLs on cmdb_ci. The ACLs should be configured for the specific CI classes which they own (like server class, network gear class etc.)

CMDB Whisperer · ‎03-11-2024

In a nutshell you would use scripted ACLs that would provide access based on whether the User is specified in a User field like Assigned to, or a is a member of a Group that is specified in a Group field like Support group. However, please note that this is an oversimplified recommendation and in reality you will find there are subtleties involved here that will likely impede users from doing normal activity on a CI that they should be able to do, and that this may even vary on a field-by-field basis. Most importantly, always test access controls rigorously for functionality, usability, and performance before you put it into Production!

The opinions expressed here are the opinions of the author, and are not endorsed by ServiceNow or any other employer, company, or entity.

AJ-TechTrek · ‎03-12-2024

Hi @Frank70 ,

That ACL on CMDB_CI, will not help, you need to use the Scripted ACL based on their roles and group, It will help to achieve this.

Please appreciate the efforts of community contributors by marking appropriate response as Mark my Answer Helpful or Accept Solution this may help other community users to follow correct solution in future.

Thanks

AJ

Linkedin Profile:- https://www.linkedin.com/in/ajay-kumar-66a91385/

ServiceNow Community Rising Star 2024