Limiting access to non-IT staff to fulfill some catalog tasks

abrahams
Kilo Sage

We are in the planning stage of allowing other departments to fulfill catalog items and work catalog tasks. We would like to restrict them to only their designated tasks, so that they are not able to see or interact with other IT records that they didn't create themselves.

In short, we would like them to maintain their current Self Service access, with the addition of being allowed to work designated tasks for fulfilling items that pertain to their department.

I was thinking of maybe creating a role and ACLs to be able to work those catalog items/tasks. I would like to stay away from giving them the itil role because that gives them too much access. I am wondering if anyone has created and implemented such a thing and would be able and willing to share their ideas or things to look out for in our planning.

2 REPLIES

SteveMacWWT
Kilo Sage

I've always taken the approach that standard catalog items are for IT only, and used Scoped apps for anything outside of IT. This means I don't need to worry about all the nooks and crannies where OOB capabilities come into play.

Another thing you need to consider is your licensing. If you override the ACLs on OOB objects you will likely break your licensing. Catalog Items, I believe, require a fulfiller license, which is predicated on the ITIL role.

Mohit Kaushik
Mega Sage

Hi @abrahams,

As per your question, it seems that scoped apps should be a better idea. However, if you want to limit some users' access to the records created by them, then you can use query BRs; in that case they will not be able to see any other record/task on that specific table that was not created by them. Hence, they can't modify it either.


Thanks,
Mohit Kaushik
ServiceNow MVP (2023-2025)
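
A sketch of the query business rule idea from this reply, combined with the custom role from the question. It is an added example, not code from anyone in the thread. The role name `u_dept_task_fulfiller` and the `FakeQuery`/`fakeSession` stand-ins are assumptions that let the rule logic run outside an instance; on the platform, `current` and `gs` are supplied to a "before query" rule on `sc_task`.

```javascript
// Added example: logic for a "before query" business rule on sc_task.
// In ServiceNow the platform supplies `current` (GlideRecord) and `gs`
// (GlideSystem); here they are parameters so the rule can run offline.

var DEPT_ROLE = 'u_dept_task_fulfiller'; // hypothetical custom role name

function restrictCatalogTasks(current, gs) {
  // Background jobs and itil fulfillers keep their normal view.
  if (!gs.isInteractive() || gs.hasRole('itil')) return false;

  // Baseline for everyone else: only tasks they created themselves.
  var cond = current.addQuery('sys_created_by', gs.getUserName());

  // Departmental fulfillers additionally see tasks assigned to them.
  if (gs.hasRole(DEPT_ROLE)) {
    cond.addOrCondition('assigned_to', gs.getUserID());
  }
  return true;
}

// --- Constructed stand-ins for the platform objects (not ServiceNow code) ---
function FakeQuery() { this.terms = []; }
FakeQuery.prototype.addQuery = function (field, value) {
  var terms = this.terms;
  terms.push(field + '=' + value);
  return { addOrCondition: function (f, v) { terms.push('OR' + f + '=' + v); } };
};
FakeQuery.prototype.encoded = function () { return this.terms.join('^'); };

function fakeSession(userName, userId, roles, interactive) {
  return {
    isInteractive: function () { return interactive; },
    hasRole: function (r) { return roles.indexOf(r) !== -1; },
    getUserName: function () { return userName; },
    getUserID: function () { return userId; }
  };
}

// Returns the encoded filter the rule would append for a given session.
function effectiveFilter(gs) {
  var q = new FakeQuery();
  restrictCatalogTasks(q, gs);
  return q.encoded();
}

// Constructed sample session: a departmental fulfiller without itil.
console.log(effectiveFilter(fakeSession('hr.user', 'SYSID_HR_USER', [DEPT_ROLE], true)));
```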