How to Restrict the Ability of Roles Granted to Users to Update CMDB Records
12-01-2024 08:54 PM
Hi Team,
Can anyone please help me with this?
It has been found that those users who have been granted the ability to raise changes in ServiceNow also have the ability to update CMDB records including but not limited to:
Business Applications
Application Services
These records should be strictly read-only, with the exception of members of the IT Service Management and Ops team including Mike Hey, Smonn Mavros etc. This access for that team is provided by the ITIL role/license. The Avanade ServiceNow team are also permitted write access for their day-to-day roles.
As such, please ensure that these records are made read-only for those people who are permissioned to raise changes. If there are any other role combinations which also provide write access to these records, please provide me with details of those so that I can review.
The plan for others who need read access to CMDB, such as Service Managers, is to provide the cmdb_read role. I am currently testing this in staging and once confirmed, we will look into providing this access to all required parties.
Please provide me with the configuration steps for this.
Please provide screenshots for better understanding.
Thanks.
12-01-2024 10:07 PM
Hi @nameisnani,
You can create ACLs to restrict based on roles.
Follow this thread: https://www.servicenow.com/community/cmdb-forum/what-is-the-easiest-way-to-limiting-the-edit-of-cmdb...
12-02-2024 12:27 AM
I wouldn't be adding names of people and companies working for your company to your question. But next to that, check the security analyzer to see why these users have that access. Do they have the ITIL role?
If you are already on Xanadu, use a 'deny-unless' write-ACL and set the security attribute to your groups. That will ensure that only the members of those group(s) have the ability to write those records.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark