3 hours ago
Hello,
What is the role required to READ tables (Incident/Problem/Change/CMDB etc.)? Tried snc_read_only but not getting the expected results; when trying to find the Incident table from the NAV BAR filter, it is not available.
Thank you.
3 hours ago
The snc_read_only grants table-level read ACLs but it does not grant access to the application menus and navigation modules. That's why the Incident table doesn't show up in your nav bar filter even though you technically have read permission on the underlying table.
There are two layers at play here:
1. Table ACL (read access to records) — snc_read_only covers this broadly.
2. Application Menu / Module visibility (nav bar entries) — These are controlled by roles assigned on the sys_app_module records. Each navigation module (like "Incident > All") has a "Roles" field that determines who can see it.
For the standard ITSM tables, the modules are gated behind the itil role. That's why snc_read_only alone won't surface them in the navigator.
What you can do depends on your goal:
If you want read-only access with nav visibility, the cleanest approach is to combine snc_read_only with one of these strategies:
- Grant itil role — This is the simplest fix and gives nav access to Incident, Problem, Change, etc. The downside is that itil also grants write access, so you'd need to layer on table-level ACL restrictions or use a read-only variant if available.
- Use module-specific read roles (available in newer releases like Xanadu/Yokohama/Zurich): sn_incident_read, sn_change_read, sn_problem_read. These grant both table read ACLs and navigation module visibility without write permissions.
- Create a custom role that inherits snc_read_only and is manually added to the relevant sys_app_module records' Roles field. This gives you fine-grained control.
Verification: Navigate to sys_app_module.list, filter where Name = "All" and Application = "Incident", and check the Roles field — you'll see exactly which role is required for that nav entry to appear. That's the missing piece snc_read_only doesn't cover.
If you just need a quick way to access the table without the nav module, you can always type incident.list directly in the nav bar filter — that bypasses module visibility and only checks table-level ACLs, which snc_read_only should satisfy.
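The module-visibility check from the verification step above, as an added example that is not part of the original answer: a JavaScript model run over constructed rows shaped like sys_app_module and sys_user_role_contains. The role name x_demo_itsm_viewer and all sample rows are hypothetical; the model assumes a module is shown when its Roles field is empty or the user holds any listed role, and it ignores roles set on the parent application menu.

```javascript
// Added example: model of the navigator-visibility check described above.
// All records below are constructed sample data, not an export from a real instance.

// Rows shaped like sys_user_role_contains: `role` contains (inherits) `contains`.
const ROLE_CONTAINS = [
  { role: "x_demo_itsm_viewer", contains: "snc_read_only" }, // hypothetical custom role
];

// Rows shaped like sys_app_module, with the Roles field split into an array.
const MODULES = [
  { application: "Incident", title: "All", roles: ["itil"] },
  { application: "Incident", title: "Open", roles: ["itil", "x_demo_itsm_viewer"] },
  { application: "Self-Service", title: "Homepage", roles: [] },
];

// Expand directly granted roles through containment, transitively.
function effectiveRoles(granted, contains = ROLE_CONTAINS) {
  const seen = new Set(granted);
  const queue = [...granted];
  while (queue.length > 0) {
    const current = queue.pop();
    for (const row of contains) {
      if (row.role === current && !seen.has(row.contains)) {
        seen.add(row.contains);
        queue.push(row.contains);
      }
    }
  }
  return seen;
}

// Assumption: a module is shown when Roles is empty or the user holds any listed role.
function auditNavigator(granted, modules = MODULES) {
  const roles = effectiveRoles(granted);
  return modules.map((m) => {
    const visible = m.roles.length === 0 || m.roles.some((r) => roles.has(r));
    return {
      module: `${m.application} > ${m.title}`,
      visible,
      anyOf: visible ? [] : m.roles, // any one of these would unlock the entry
    };
  });
}

console.log(auditNavigator(["snc_read_only"]));
console.log(auditNavigator(["x_demo_itsm_viewer"]));
```

A module that stays hidden after the custom role is granted, like "Incident > All" here, is one whose Roles field was never updated to include that role.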
3 hours ago - last edited 3 hours ago
Hi @MThomas1
You’re probably unable to see the Incident table in the navigation bar because the user doesn’t have the required base ITIL role or the necessary read access (ACLs) for those tables.
Check that, and give/have the required access -> it will work.
Refer: KB0748343 The read-only role and how to use it
3 hours ago
snc_read_only is a global safety role that prevents create, update, and delete actions across the platform.
It does NOT grant access to any application tables (Incident, Problem, Change, CMDB, etc.), which is why it’s not sufficient on its own.
- To actually see records, you must add table‑specific read roles, optionally combined with snc_read_only for safety.
Common read‑only roles:
- Incident → sn_incident_read
- Problem → sn_problem_read
- Change → sn_change_read
- CMDB → cmdb_read
- snc_read_only (optional safety net)
2 hours ago
Thank you all and appreciate your support and guidance with detailed explanation.
