Best Practice for Restricting CI Deletion in cmdb_ci table for All Users, except ecmdb_admin or admin

Community Alums
Not applicable

Hi Team, 

I need to restrict CI deletion capability in the cmdb_ci table so that only users with either the ecmdb_admin role or the admin role can delete CIs from list view and Native UI. If a user has either of these roles, they should be able to delete records. If the user does not have either of these roles, they should not have access to delete records from the cmdb_ci table from list view and Native UI. What is the best practice for implementing this requirement?

2 ACCEPTED SOLUTIONS

Kieran Anson
Kilo Patron

Hi Amit,

For this you will need to modify the OOB ACLs which grant delete access to asset and itil users. There are also ACLs on child CMDB tables which you will also need to evaluate and deactivate if they don't meet your requirement.

You can then create a new delete ACL for the cmdb_ci table with the roles you've mentioned.

For further details and to understand how ACLs are evaluated, do please watch the following video, which is a great resource:

https://www.youtube.com/watch?v=x-HCp6udgWU

surajchacherkar
Mega Guru

Hi @Community Alums ,

Agreed with Kieran Anson.

You must change the OOB ACLs that allow asset and itil users to delete data in order to accomplish this. Additionally, you will need to assess and deactivate any ACLs on child CMDB tables that do not satisfy your requirements.

After that, you may use the roles you mentioned to establish a new delete ACL for the cmdb_ci table.

If my response helped you, please click on "Accept as solution" and mark it as helpful.


Thanks

Suraj
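
Why the child-table ACLs mentioned in both answers matter, as an added example (not code from the thread or from ServiceNow): a plain JavaScript model that audits which roles can still delete on each table. It assumes a simplified lookup in which the most specific table with an active delete ACL decides; the hierarchy, ACL rows and function names are constructed for illustration.

```javascript
// Simplified model of table-level delete ACL lookup (an assumption of this
// example): the most specific table in the hierarchy that has an active
// delete ACL decides, and matching any one ACL at that level is enough.
// ACL conditions, scripts and admin override are not modelled.

// Constructed child -> parent hierarchy and constructed ACL rows.
const PARENT = {
  cmdb_ci_server: 'cmdb_ci_computer',
  cmdb_ci_computer: 'cmdb_ci_hardware',
  cmdb_ci_hardware: 'cmdb_ci',
  cmdb_ci: null,
};
const ACLS = [
  { name: 'cmdb_ci', operation: 'delete', active: false, roles: ['itil', 'asset'] },
  { name: 'cmdb_ci', operation: 'delete', active: true, roles: ['ecmdb_admin'] },
  { name: 'cmdb_ci_computer', operation: 'delete', active: true, roles: ['itil'] },
  { name: 'cmdb_ci_hardware', operation: 'read', active: true, roles: [] },
];

// ACLs that decide delete on `table`: nearest ancestor (or self) with any.
function decidingAcls(table, acls, parent) {
  for (let t = table; t; t = parent[t]) {
    const hits = acls.filter(a => a.active && a.operation === 'delete' && a.name === t);
    if (hits.length) return { decidedBy: t, hits };
  }
  return { decidedBy: null, hits: [] };
}

// Report tables where a role outside `allowed` (or no role at all) can delete.
function auditDelete(tables, acls, parent, allowed) {
  const findings = [];
  for (const table of tables) {
    const { decidedBy, hits } = decidingAcls(table, acls, parent);
    const extra = new Set();
    for (const acl of hits) {
      if (acl.roles.length === 0) extra.add('(no role required)');
      acl.roles.filter(r => !allowed.includes(r)).forEach(r => extra.add(r));
    }
    if (extra.size) findings.push({ table, decidedBy, extraRoles: [...extra].sort() });
  }
  return findings;
}

const findings = auditDelete(Object.keys(PARENT), ACLS, PARENT, ['admin', 'ecmdb_admin']);
console.log(JSON.stringify(findings, null, 2));
```

With the constructed rows, the new cmdb_ci ACL is in place but the still-active cmdb_ci_computer ACL is reported for both cmdb_ci_computer and cmdb_ci_server.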
