What READ ACL entries are needed for the CI Relationships formatter?

Mike Moody
Kilo Guru

I'm attempting to explicitly grant visibility to the CI Relationships formatter, which is present on the CI form, to a custom role I've created. Granting READ access to the cmdb_rel_ci table does not appear to be enough to achieve this. Using an out-of-box role is not an option in my use case, unless that role explicitly grants sole read access to this formatter only. Does anyone know what additional tables require read access to make this work, or if it is possible? Thanks!


Allen Andreas
Administrator

Hi,

From everything I've read and seen, it is managed by that table.

Have you tried to do debug security to see what is preventing it from showing?

Please mark reply as Helpful/Correct, if applicable. Thanks!


Mark Stanger
Giga Sage

This code is back-ended so it’s going to be hard to pin down exactly, but here are the components I see...

1) cmdb_rel_ci - Because this is an m2m table you’re essentially creating, deleting, and writing to this table as well. I’d start by granting access for all of those operations on this table.

2) CI relation types (read)

3) CI relation roll ups (read)

4) Suggested relationships (read)

5) cmdb_ci (read)

I’m not sure if this will work or not (out-of-box you need the ‘itil’ or ‘asset’ roles to do this) but you would need all of these permissions I would think at a minimum to do this.

Might also just try manually navigating to the ‘cmdb_rel_ci’ table as that user to try and create/delete/modify some of those before you even access the editor.  That will probably be easier to isolate the individual components before adding the extra complexity of that unique UI layer.

hunter_phillips
Tera Contributor

I tried all the ACLs mentioned by Mark and then some, to no avail.

Only way I was able to work around this was by adding the cmdb_read role to the users/custom role. None of the other ACLs are needed in this case.

Can also add the dependency_views role if needed to view the dependency map.

FWIW, I don't believe cmdb_read counts as a licensed role, but you may want to consult your account representative.