CSDM Alignment - Business and Technology Management Services not selectable from incident

ahbrook
Hello everyone! I feel like I'm missing something obvious in terms of ServiceNow usage, so feel free to point me in the right direction. I wanted to ask here before opening a support request with ServiceNow directly.

 

I am working on an architectural model for my institution, and am trying to follow CSDM v5. To demonstrate how I understand things will work, I wanted to show how the business services and technology management services could be used in ITSM incident creation and service requests. I wanted to do this by using my personal development instance. 

 

However, when I went to try and test what a help desk user would be able to do, the system only displayed the demo services included in the PDI - and it reported that security constraints blocked my elements from being viewable. 

 

My question has 2 parts: 

1. Am I correct in assuming that help desk workers (or customers) would be able to select the business and technology management services when creating an incident, or is there some other mechanism that ties these services to the "Day to day" operations of ITSM?

2. Assuming I'm correct above, can anyone give me pointers on what I'm doing wrong to have the services visible?

 

Here are the steps I've taken, starting with a fresh personal development instance:

  • Requested a Zurich PDI
  • Activated the "ITSM Roles" plugin without demo data (using the Manage instance interface)
  • Logged in to PDI as admin
  • Used the Application Management dashboard to install the following:
    • Digital Portfolio Management (product)
    • Service Portfolio Management (product)
    • CMDB And CSDM Data foundations Dashboards (plugin)
    • CMDB CI Class Models (application)
  • Created and switched to a unique update set (scope of global)
  • Used the "Service Portfolios" view to create a unique service portfolio
  • Created 8 nodes under the primary Service Portfolio
  • Used the "Service Builder" application to create business services and technology management services
    • All of the services are owned by the "System Administrator" user, and other details are not filled out
    • Most of the services have service offerings under them
    • All services are listed as published
  • Switched off of the update set (without completing it)
  • Confirmed the admin user could see all business and technology management services when creating an incident
  • Created a sample user
  • Assigned the sample user to the pre-built "Help Desk" and "Service Desk" groups
  • Assigned the role "itil" to the "Service Desk" group
  • In a private browsing session, logged onto the sample user
  • Accessed the Service Operations Workspace
  • Created a new incident
  • Attempted to select a non-demo business service or technology management service from the lookup tool and failed.

I should note that initially, I did not set any assignment groups, change groups, or management groups to any of the services or offerings I created. However, this does not seem to be affecting anything. I suspect I am missing some fundamental permission, but I am not sure where to look for that or what controls exactly how the "service" and "Service offering" lookups interact with the Service Builder.

 

1 ACCEPTED SOLUTION

Hi @ahbrook 

The Incident form only requires the snc_internal role to view the Service field.

The Service Table has no explicit read ACLs OOTB. Therefore records on the parent cmdb_ci_service table will be visible.

 

However, the child Business Service and Technology Management Service tables have read ACLs that require the service_viewer role and this is indeed not inherited by itil.

 

I have confirmed this on a vanilla Zurich PDI - itil users cannot see any Business Service and Technology Management Service records.

 

So you must either add the service_viewer role to the itil role or (depending on who needs access) add a table read ACL for these tables granting the necessary role(s).

 

@AndersBGS there is no Technical Service field in the baseline platform so your screenshot looks like it is from a customised instance.

 

I hope this helps!

Mat
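
The two fixes in the accepted answer differ in how much they grant. The sketch below is an added example, not code from this thread or from ServiceNow: it models role containment and table read ACLs over constructed data to compare what an itil-only user can read under each option. The table names `cmdb_ci_service_business` and `cmdb_ci_service_technical` are assumed for the two child classes, `x_hypothetical_table` is invented to stand for anything else gated by service_viewer, and ACL conditions, scripts and field-level rules are ignored.

```javascript
// Constructed sample data modelled on the thread; not an export from a real instance.
const PARENT = {                                   // child table -> parent table
  cmdb_ci_service_business: 'cmdb_ci_service',
  cmdb_ci_service_technical: 'cmdb_ci_service',
};
const BASE_ACLS = [                                // table-level read ACLs: any listed role passes
  { table: 'cmdb_ci_service_business', roles: ['service_viewer'] },
  { table: 'cmdb_ci_service_technical', roles: ['service_viewer'] },
  { table: 'x_hypothetical_table', roles: ['service_viewer'] }, // hypothetical extra table
];
const BASE_CONTAINS = { itil: [] };                // role -> roles it contains

// Expand assigned roles through role containment (transitive).
function effectiveRoles(assigned, contains) {
  const seen = new Set();
  const stack = [...assigned];
  while (stack.length) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    stack.push(...(contains[role] || []));
  }
  return seen;
}

// Simplified: the nearest table in the hierarchy with a read ACL decides; with no
// explicit ACL anywhere in the chain the read is allowed, as the answer reports.
function canRead(table, assigned, acls, contains) {
  const roles = effectiveRoles(assigned, contains);
  for (let t = table; t; t = PARENT[t]) {
    const matching = acls.filter((a) => a.table === t);
    if (matching.length) return matching.some((a) => a.roles.some((r) => roles.has(r)));
  }
  return true;
}

// Tables an itil-only user can read under a given ACL set and containment map.
function itilReadable(acls, contains) {
  const tables = ['cmdb_ci_service', ...new Set(acls.map((a) => a.table))];
  return tables.filter((t) => canRead(t, ['itil'], acls, contains)).sort();
}

// Option 1 from the answer: itil contains service_viewer.
const OPTION1 = itilReadable(BASE_ACLS, { itil: ['service_viewer'] });
// Option 2 from the answer: extra read ACLs on the two service tables only.
const OPTION2 = itilReadable([...BASE_ACLS,
  { table: 'cmdb_ci_service_business', roles: ['itil'] },
  { table: 'cmdb_ci_service_technical', roles: ['itil'] }], BASE_CONTAINS);

console.log({ baseline: itilReadable(BASE_ACLS, BASE_CONTAINS), OPTION1, OPTION2 });
```

In this model option 1 also opens every other table gated by service_viewer to itil users, while option 2 opens only the two service tables.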


6 REPLIES

Thanks Mat! 

 

I did some playing and came to the same kind of conclusions. Given the CSDM realignment, I'm not entirely sure why business and technology management services require a specific role to view, but I also can't find any documentation on best practices on granting or revoking that permission, so I think it will be fine to do so.

 

I also went through the labs that @VijayaMannapura referenced, and it appears they are more demonstrative of the process than implementation. They walk you through the steps of how to create the baseline objects, and show how they relate to each other, but they do not talk about setup. In fact, the entire time you appear to be running as the built-in admin account, which can see those tables just fine. It almost implies that if a user has a CI or dynamic CI group that is associated with the service or service offering, then the option will be available. That's fine for the supporting teams, but our help desk is not associated with any particular system or service.

 

This may be a point of confusion with the rollout of CSDM that ServiceNow needs to address. After making this thread, I found another one made recently that is essentially asking the same thing:

https://www.servicenow.com/community/creator-studio-forum/what-is-the-role-quot-service-viewer-quot/...

 

An older thread indicates this change may have happened around the New York release.

https://www.servicenow.com/community/upgrades-and-patching-forum/service-viewer-role-is-preventing-n...

 

It, in turn, references a KB article that I cannot access, but there is another one talking about how some ACL development might be needed in order to allow proper access. I'm not sure if this KB is referring to ServiceNow or customer/vendor customization. 

 

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0997137

 

Long story short... I do not know what kind of information one can access with the "service_viewer" role, but at the moment it seems fine to give this to our support staff and folks that will be making service requests and incidents.