Show all modules from CMDB_CI to itil role

Henrik Jutterst · ‎11-07-2017

I'm looking for a way to confirm that all modules found under Configuration Items ([cmdb_ci]) can be viewed by ITIL-role.

I have created some custom modules and I'm not sure what role sees what module. But I want that if a user is in the itil role they should be able to view all application modules.

Is there a way to script this?

Fig 01. Custom module not shown for users in itil role at the moment

Dave Smith1 · ‎11-07-2017

I have created some custom modules and I'm not sure what role sees what module.

This should have been a setting when you created the module:

Is there a way to script this?

Does it need to be scripted?

It's perfectly possible, but by the time the script has been designed, written and tested, you could have done it manually - scripting would only be needed if there are a large number of modules and no thought was given to security upon creation.

View solution in original post

Dave Smith1 · ‎11-07-2017

I have created some custom modules and I'm not sure what role sees what module.

This should have been a setting when you created the module:

Is there a way to script this?

Does it need to be scripted?

It's perfectly possible, but by the time the script has been designed, written and tested, you could have done it manually - scripting would only be needed if there are a large number of modules and no thought was given to security upon creation.

Henrik Jutterst · ‎11-09-2017

Hi Dave and thanks for the feedback.

I think there was a bit of change in the setup from when they were created and I just wanted to confirm that correct users would have access to the modules. initially I thought that a script would be easier but since there weren't that many modules to update (~10) it was easier to do it in the GUI, filtering on some fields.

The thing is that ServiceNow creates custom roles for a module and I didn't think of that when I created the module since I wanted these modules to be accessed from ITIL role. But as an admin I can see all the modules I created.

Dave Smith1 · ‎11-09-2017

I think there was a bit of change in the setup from when they were created and I just wanted to confirm that correct users would have access to the modules. initially I thought that a script would be easier but since there weren't that many modules to update (~10) it was easier to do it in the GUI, filtering on some fields.

Yeah - doing mass changes on a filtered list (where possible) is usually the easier way forwards. If you were talking a large number then scripting would be the quick fix.

(oddly, I wrote a background script to do exactly that - to apply a fixed set of changes for new instances I spin up!)

The thing is that ServiceNow creates custom roles for a module and I didn't think of that when I created the module since I wanted these modules to be accessed from ITIL role. But as an admin I can see all the modules I created.

This is kinda by design - any new home built automatically has a locked front door with a unique key (role). You then confer that role onto groups of people who need access - so in your case, an alternative approach would be:

build a group, add people to this group, bestow the role onto that group = those members can use that (one) particular module
as above, but add several roles to that group = all group members get to see multiple roles
add the role(s) to the itil role, meaning that ALL fulfillers get to use those apps/modules

For security reasons I would do it piecemeal, in case there are only subsets of fulfillers that need access but not all - although it's more work it builds a more maintainable model in case there are future changes that mean all itil users don't automatically get access.

Glad to hear it's all sorted now!