sys_history_line - can we give access to non admins on certain tables

stevenwatts
Giga Contributor

Hi All,

We have a requirement to allow our SACM team to view the sys_history_line on certain fields on a table. Example:

cmdb_ci.assigned_to.

I've noticed there are ACLs in place that allow Read access; however, this requires the ADMIN role, which we are unwilling to give out. Is there a way of setting up an ACL, or something similar, which would allow the users in that group access to the sys_history_line on just the CMDB_CI and ALM_ASSET tables?

Regards,

Steven

3 REPLIES

gauravchoudhury
Tera Guru

Hi Steven,



The sys_history_line table and the sys_history_set table are populated on demand when you view a record.



The sys_history_line table is on a table rotation, so records are only left on that table for 8 weeks.



The sys_audit table is the real table that tracks all of the changes as they happen, but this can be a very large table!  



You should avoid querying this table whenever possible, but if you must, you should use this URL: https://instance.service-now.com/sys_audit_list.do?sysparm_filter_only=true



Reference Thread: Link



Although that was not the answer you were looking for, maybe this would put your thoughts onto another perspective to help you achieve your need.


Pradeep Sharma
ServiceNow Employee

Hello Steven,



Instead of touching ACLs, I would prefer adding the field to the activity formatter to track the field history.


http://wiki.servicenow.com/index.php?title=Activity_Formatter


http://wiki.servicenow.com/index.php?title=Viewing_a_Record%27s_Change_History#gsc.tab=0


Dave Smith1
ServiceNow Employee

steven watts wrote:


I've noticed there are ACLs in place that allow Read access; however, this requires the ADMIN role, which we are unwilling to give out.


Good move!


Is there a way of setting up an ACL, or something similar, which would allow the users in that group access to the sys_history_line on just the CMDB_CI and ALM_ASSET tables?


Yes. Simply add another read ACL for that table and field, locked to a specific role that the group holds. You can also restrict down what records they can see here, too.



ACLs are "doorways" into the data. Multiple ACLs provide different ways in - ignore the one marked "admin only", create a new door.
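
The "doorways" idea from the last reply, sketched as an added example that is not part of the original thread and is not ServiceNow's own code or API: a simplified model in which read access is granted when any one ACL's role and condition both pass. The role name `sacm_history_reader`, the parent-table map and the sample records are constructed, and the condition assumes each history line's set records its source table as `set.table`.

```javascript
// Simplified model of read-ACL evaluation; not ServiceNow's engine or API.
// Constructed parent map standing in for the table hierarchy (assumption).
const PARENT = new Map([
  ['cmdb_ci_server', 'cmdb_ci_computer'],
  ['cmdb_ci_computer', 'cmdb_ci'],
  ['alm_hardware', 'alm_asset'],
  ['incident', 'task'],
]);

// True when `table` is `base` or extends it (CI records usually live in child classes).
function extendsTable(table, base) {
  for (let t = table; t; t = PARENT.get(t)) {
    if (t === base) return true;
  }
  return false;
}

const ALLOWED_BASES = ['cmdb_ci', 'alm_asset'];

// Each ACL is one "doorway": the required role AND the condition must both pass.
const READ_ACLS = [
  { name: 'sys_history_line (existing)', role: 'admin', condition: () => true },
  {
    name: 'sys_history_line (added)',
    role: 'sacm_history_reader', // hypothetical role held by the SACM group
    // Assumes the line's history set records the source table as set.table.
    condition: (line) => ALLOWED_BASES.some((b) => extendsTable(line.set.table, b)),
  },
];

// Access is granted if any single ACL passes; returns that ACL's name, or null.
function grantingAcl(user, line) {
  const hit = READ_ACLS.find((a) => user.roles.includes(a.role) && a.condition(line));
  return hit ? hit.name : null;
}

// Constructed sample users and history lines.
const sacmUser = { roles: ['itil', 'sacm_history_reader'] };
const itilUser = { roles: ['itil'] };
const adminUser = { roles: ['admin'] };
const serverLine = { set: { table: 'cmdb_ci_server' }, field: 'assigned_to' };
const assetLine = { set: { table: 'alm_hardware' }, field: 'assigned_to' };
const incidentLine = { set: { table: 'incident' }, field: 'assigned_to' };

for (const [who, line] of [[sacmUser, serverLine], [sacmUser, incidentLine], [itilUser, serverLine]]) {
  console.log(who.roles.join(','), line.set.table, '->', grantingAcl(who, line));
}
```

The admin-only ACL is left untouched; the added ACL opens a second, narrower path, and a check that compared `set.table` only against the literal `cmdb_ci` would miss lines recorded against child classes.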