06-16-2023 12:08 PM
I was tasked to grant ITIL users (IT Helpdesk) read access to review alm_hardware records.
06-17-2023 12:03 AM
To ensure that only IT Helpdesk personnel have read access to the "alm_hardware" table, it is important not to grant access to all users with the ITIL role. This is because there may be other users with the ITIL role who are not part of the Helpdesk team, and granting them access would provide them with unintended access to the "alm_hardware" table.
A more effective approach would be to create a group specifically for users who are part of the IT Helpdesk, if such a group does not already exist.
You can then create a read ACL on the alm_hardware table and, in the roles section, add the role given to the IT Helpdesk group. In the script part, add the code below to ensure only Helpdesk users get read access:
// ACL script: the platform reads the result from the "answer" variable
var answer = false;
// Replace the placeholder with the group's name or sys_id
if (gs.getUser().isMemberOf('IT Helpdesk group Name or SYS_ID')) {
    answer = true;
}
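The difference between a role-only read ACL and the role-plus-group-script ACL described in this answer, as an added Node.js example that is not code from the thread or from ServiceNow. The `makeGs` mock, the user records, the group name and the choice of `itil` as the required role are all constructed assumptions, and the model is simplified to "required role AND script result" with no admin override or other ACLs.

```javascript
// Added illustration: a minimal Node.js model of ACL evaluation, not ServiceNow code.
// Group name, users and the makeGs() mock are constructed for this example.
const HELPDESK_GROUP = 'IT Helpdesk';

// Constructed sample users.
const users = {
  helpdeskAgent: { roles: ['itil'], groups: ['IT Helpdesk'] },
  networkEngineer: { roles: ['itil'], groups: ['Network'] },
  helpdeskIntern: { roles: [], groups: ['IT Helpdesk'] },
  endUser: { roles: [], groups: [] },
};

// Mock of the two GlideSystem calls used in the thread.
function makeGs(user) {
  return {
    hasRole: (role) => user.roles.includes(role),
    getUser: () => ({ isMemberOf: (group) => user.groups.includes(group) }),
  };
}

// Access is granted only if the user holds a required role AND the script is true.
function evaluateAcl(acl, user) {
  const gs = makeGs(user);
  const roleOk = acl.roles.length === 0 || acl.roles.some((r) => gs.hasRole(r));
  return roleOk && acl.script(gs) === true;
}

// Role in the roles section, no script restriction.
const roleOnlyAcl = { roles: ['itil'], script: () => true };

// Same role requirement plus the group-membership script from the answer.
const roleAndGroupAcl = {
  roles: ['itil'],
  script: (gs) => {
    var answer = false;
    if (gs.getUser().isMemberOf(HELPDESK_GROUP)) {
      answer = true;
    }
    return answer;
  },
};

// Returns { userName: true|false } for every constructed user.
function readAccessReport(acl) {
  return Object.fromEntries(
    Object.entries(users).map(([name, user]) => [name, evaluateAcl(acl, user)])
  );
}

console.log('role only:   ', readAccessReport(roleOnlyAcl));
console.log('role + group:', readAccessReport(roleAndGroupAcl));
```

The only row that changes between the two reports is the ITIL user outside the Helpdesk group, which is the unintended access the answer is warning about.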
06-16-2023 12:17 PM - edited 06-16-2023 12:19 PM
You need to elevate your role to security_admin. Do this by clicking the dropdown arrow next to your name/image in the top right and click "Elevate Roles", then check security_admin, and click OK.
Then go to the alm_hardware table and configure it to bring up the table properties and see if any ACLs currently exist. Scroll to the bottom and in Access Controls you can make a new ACL rule OR if there is already a read role, which there may be, you can just add the ITIL role to it.
Please mark this response as correct and/or helpful if it assisted you with your question.
Steven
06-16-2023 02:00 PM
06-16-2023 11:37 PM
Hi @Wyatt Fudal1,
I trust you are doing great.
I would recommend the following solution for granting ITIL users (IT Helpdesk) read access to review alm_hardware records in ServiceNow:
Create a new user role specifically for ITIL users:
- Go to the ServiceNow navigation menu and navigate to "User Administration" > "Roles".
- Click on "New" to create a new role.
- Provide a suitable name for the role, such as "ITIL User" and a description if needed.
- Save the role.
Define a new access control rule (ACL) to grant read access to the alm_hardware table for the ITIL user role:
- Navigate to "System Security" > "Access Control" > "Create New".
- Provide a name and description for the ACL, such as "Read access to alm_hardware for ITIL Users".
- Set the "Applies to" field to "alm_hardware" table.
- In the "Conditions" section, leave it blank to apply the ACL to all records in the alm_hardware table.
- In the "Script" section, use the following code:
    gs.hasRole('itil')
- Save the ACL.
Assign the ITIL user role to the appropriate IT Helpdesk users:
- Go to "User Administration" > "Users".
- Search for the IT Helpdesk users and open their profiles.
- In the "Roles" related list, click on "Edit" and add the "ITIL User" role to the selected users.
- Save the user profile.
Was this answer helpful?
Please consider marking it correct or helpful.
Your feedback helps us improve!
Thank you!
Regards,
Amit Gujrathi