Impact of removing OOB Role for ITIL Users on CMDB Access
11-01-2024 04:07 AM
I need to remove the out-of-the-box (OOB) role for ITIL users to restrict them from making changes to CMDB tables, allowing only read access, and how to do so. What potential impacts could occur, aside from issues during upgrades?
11-01-2024 06:45 AM
Hi @Santosh Prasad,
Whilst the high-level question and concern re changing OOB functionality is something to be assessed when performing upgrades, it is important to note that ServiceNow is a framework and it is safe to be customised for your needs.
That said, to address your specific question re preventing itil users from having write access to CMDB records, there are 2 areas to address that: either update/edit the ACLs (Access Controls that run server side to enforce security), or remove roles from users.
Referencing an OOB instance, you'll notice the itil role also contains other roles, and for your use case, the sn_change_write role, which provides write access.
However, even if you were to remove this role from the itil role, a user with itil can still edit cmdb records, so removing this role won't be suitable.
To verify this, elevate your roles as an admin to security admin and then view the ACLs.
Type 'Access Control' into the Navigation menu and click on the link. From here, filter the results so that name = cmdb_ci and operation = write.
OOB there are 3 ACLs. 1 of these ACLs stipulates that users with the itil role have write access. Another stipulates that users with sn_change_write have write access.
(Please note, there are a ton of other ACLs on the CI tables, but the base ACLs are as referenced.)
To keep things simple, you can inactivate these as a baseline, if you will, and from here you can then look to provide access to cmdb records as appropriate, such as to the CI owner/managed by, managed by groups, and roles such as cmdb admins and cmdb managers or editor roles, etc.
With regards to potential impacts... from an upgrade perspective, this shouldn't really come into play unless you have certain plugins enabled, but even then, your org policy as to who should have access should be governed by you, not a generic ServiceNow perspective. These reviews should always be carried out on upgrade.
The only other impact would be the obvious one, which is simply who has write access to CI (cmdb) records. Worst case, everyone accessing the records because they have itil isn't suitable, so you'd need to review who should have access and adjust or create new ACLs appropriately.
Hopefully this makes sense and gives you a clear picture.
To help others (or for me to help you more directly), please mark this response correct by clicking on Accept as Solution and/or Kudos.
Thanks, Robbie
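The answer above makes two points that are easy to get wrong in practice: removing sn_change_write from the itil role does nothing on its own, because a separate ACL grants write to itil directly, and once the role-only ACLs are inactivated, write has to be re-granted on a narrower basis (CI owner, managed by, managed by group, or a dedicated editor role). The following is an added example, not code from Robbie's answer or from ServiceNow: a small Node.js model of that ACL decision so the effect of each change can be checked offline before touching an instance. Role containment, the two sample ACLs, the users and the CI are all constructed from the description in the answer; the role name cmdb_editor is an assumed stand-in for whichever editor/manager role your organisation chooses, and the field names owned_by, managed_by and managed_by_group are assumed.

```javascript
// Added example (not ServiceNow code and not from the answer above): a small Node.js
// model of the ACL decision the answer describes, so the effect of each change can be
// checked offline. Role containment, the sample ACLs, users and CI are all constructed.

// Role containment as described in the answer: itil contains sn_change_write.
// 'cmdb_editor' is an assumed name standing in for whichever editor/manager role is used.
const ROLE_CONTAINS = {
  itil: ['sn_change_write'],
  sn_change_write: [],
  cmdb_editor: [],
};

// Expand a user's directly assigned roles through role containment (transitively).
function expandRoles(assigned, contains = ROLE_CONTAINS) {
  const seen = new Set();
  const stack = [...assigned];
  while (stack.length) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    for (const child of contains[role] || []) stack.push(child);
  }
  return seen;
}

// Simplified ACL record: active flag, roles (the user needs ANY one of them; an empty
// list means no role requirement) and an optional condition evaluated like a scripted ACL.
function makeAcl(name, { roles = [], condition = null, active = true } = {}) {
  return { name, roles, condition, active };
}

// Write is granted when at least one active ACL on cmdb_ci/write is satisfied:
// the role check passes AND the condition (if any) passes.
function canWriteCi(user, ci, acls, contains = ROLE_CONTAINS) {
  const roles = expandRoles(user.roles, contains);
  return acls
    .filter((acl) => acl.active)
    .some((acl) => {
      const roleOk = acl.roles.length === 0 || acl.roles.some((r) => roles.has(r));
      const condOk = acl.condition ? acl.condition(user, ci) : true;
      return roleOk && condOk;
    });
}

// Baseline: the two OOB write ACLs the answer names, granting on role alone.
// (The answer counts three; the third is not described there, so it is left out.)
const baselineAcls = [
  makeAcl('cmdb_ci write (itil)', { roles: ['itil'] }),
  makeAcl('cmdb_ci write (sn_change_write)', { roles: ['sn_change_write'] }),
];

// Hardened set: the two role-only ACLs inactivated, write re-granted to the CI's
// owner, the 'managed by' user, members of the 'managed by group', and the editor role.
// In ServiceNow this condition would live in a scripted ACL along the lines of
//   answer = current.owned_by == gs.getUserID() || current.managed_by == gs.getUserID()
//            || gs.getUser().isMemberOf(current.managed_by_group);
// (field names as assumed here; confirm against your instance before relying on them).
const hardenedAcls = [
  ...baselineAcls.map((acl) => ({ ...acl, active: false })),
  makeAcl('cmdb_ci write (owner / managed by)', {
    condition: (user, ci) =>
      ci.owned_by === user.id ||
      ci.managed_by === user.id ||
      user.groups.includes(ci.managed_by_group),
  }),
  makeAcl('cmdb_ci write (cmdb_editor)', { roles: ['cmdb_editor'] }),
];

// Constructed sample users and CI.
const users = {
  helpdesk:    { id: 'u1', roles: ['itil'], groups: ['g-service-desk'] },
  ciOwner:     { id: 'u2', roles: ['itil'], groups: [] },
  platformOps: { id: 'u3', roles: ['itil'], groups: ['g-platform'] },
  editor:      { id: 'u4', roles: ['cmdb_editor'], groups: [] },
};
const sampleCi = { name: 'app-server-01', owned_by: 'u2', managed_by: 'u9', managed_by_group: 'g-platform' };

// Evaluate every sample user against a given ACL set; returns { label: boolean }.
function report(acls, contains = ROLE_CONTAINS) {
  const result = {};
  for (const [label, user] of Object.entries(users)) {
    result[label] = canWriteCi(user, sampleCi, acls, contains);
  }
  return result;
}

// Variant the answer warns against: sn_change_write removed from itil, ACLs untouched.
const ITIL_WITHOUT_CHANGE_WRITE = { ...ROLE_CONTAINS, itil: [] };

console.log('baseline OOB ACLs                           ', report(baselineAcls));
console.log('itil minus sn_change_write, ACLs untouched  ', report(baselineAcls, ITIL_WITHOUT_CHANGE_WRITE));
console.log('baseline inactivated + ownership/editor ACLs', report(hardenedAcls));
```

Running it shows the second report identical to the first: every itil user still writes, because the itil ACL grants on its own. Only the third set, with the role-only ACLs inactivated, narrows write to the CI owner, the managed-by group member and the editor role while the ordinary helpdesk itil user drops to read. The same three-way comparison is worth repeating in a sub-production instance with real users (impersonation plus the ACL debugger) before the change is promoted.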