Hi All,

We have a requirement to have owners for each CI classes (Applications, Network, Database etc). These owners should have access to edit/delete/create CIs for only those classes of which they are the owners.

For e.g Owner of Application CI Class should only be able to edit/delete/create CIs for application class and not any other class.

We have a solution where we create a group for each class (E.g CMDB App class owner) and add users to those groups. These groups will not have any role.  ACLs were created for these groups so as to restrict access to the specific class. This is working fine. But we have a conflict with existing groups and process as below.

On change management, we have a custom field 'Ownership group' which contains groups for approval and they also have the cmdb_admin role because, these groups are responsible to own the change activities and update the CI if required. The ownership groups have naming convention according to CI class. E.g for application class group will be OG 3.1, OG 3.2 and for Server class names will be OG 4.1, OG 4.2

Now the conflict is, as per the solution we proposed, if a user is part of 'CMDB App class owner' group, he will have access to edit/delete/create application CIs. But if at the same time, the user is also a part of OG 4.2 group then he is also able to edit any other CI class because he gets cmdb_admin role from the OG groups.

So need your help in resolving this conflict considering the best practices.

Shall we remove the cmdb_admin role from the OG groups and instead give this role to the CMDB admin groups created for owners?

or shall we drop the newly created groups for CI classes and use the OG groups in ACLs for restricting access? But i think this will be complicated.

or please suggest if there is any best practice for this requirement?

Thanks in advance,

Prajakta