Hey @Tona26 how are you?

I believe You're on the right track with creating a custom role to replace sn_customerservice_agent without granting CMDB access, but the issue you're facing — blank Interaction screen in CSM Workspace, likely stems from the fact that some critical permissions or implicit dependencies are not being fully replicated when you manually deconstruct sn_customerservice_agent.

Here’s why and my suggestion how to fix it:

Why You See a Blank Page
sn_esm_agent includes more than just cmdb_read

sn_esm_agent is not just a container; it grants access to essential Workspace data models, UI elements, and actions.

By excluding sn_esm_agent, you are inadvertently removing required access to workspace components like:

interaction creation UIs

workspace-specific form/view scripts

required ACLs and modules

CSM Workspace relies on expected role chains

The blank Interaction screen suggests the agent is missing a view script, UI action, or model permission required to load the interaction form.

These are typically inherited from sn_esm_agent, sn_interaction or sn_customerservice_agent.

Duplicating role relationships ≠ duplicating behavior

Even if you've replicated the contains roles and module assignments, some functionality relies on role names (e.g., scripts checking for sn_esm_agent directly).

So removing sn_esm_agent breaks parts of the experience, even if other roles are technically present.

Recommended Solutions

Option 1: Use ACLs to Block CMDB Access (Recommended)
Instead of removing sn_esm_agent, keep the original roles but explicitly deny access to CMDB via ACLs.

Steps:

Navigate to System Security > Access Control (ACL)

Filter for: Table name STARTSWITH cmdb_ci

Create a read ACL like:

Table: cmdb_ci (and repeat for other core CMDB tables if needed)

Operation: read

Condition: !gs.hasRole('u_sn_customerservice_agent_NoCMDB')

Script: answer = false; (or build logic per your org’s policy)

Make sure this ACL takes priority over inherited cmdb_read.

This gives agents full use of the Workspace without access to CI data.

Option 2: Keep sn_customerservice_agent and Use CMDB ACL Denial Rules
You can use ACL deny logic to hide or restrict CI views even if the agent has cmdb_read, by adding:

Glide scripts like gs.hasRole('sn_customerservice_agent') && current.sys_class_name == 'cmdb_ci_server' && denyAccess();

Use GlideRecord filters in client scripts or UI Policies to suppress unwanted fields or references.

Option 3: Clone the Entire Role Stack via Plugin or Update Set (Riskier)
You can try to export the full sn_customerservice_agent role, recreate all its relationships, then surgically remove cmdb_read—but this is fragile, labor-intensive, and risks breaking future upgrades.

Not recommended unless you're building a full custom app layer.

Let me know if works,