CMDB relationship manager permission through ACL

cyked
Mega Guru

Is there a way to display the green + relationship editor icon on a CI form via ACL or other manner? We've implemented ACLs on CMDB tables to prevent unauthorized updates/creates on the CMDB tables; only members of the support group and a few other roles (managed by, owned by, etc.) have edit access. We have create ACLs for "super use groups". However, if you don't meet the requirement for edit access to the CI, you do not see the green + relationship editor icon on a CI form. As such, we'd like to allow certain groups to add/edit relationships but not edit the CI.


drjohnchun
Tera Guru

CMDB relationships are in the cmdb_rel_ci table, so you can set ACL for relationships separate from the CI tables.



Hope this helps.



John Chun, PhD PMP


Hi John, thanks for chiming in. This isn't an ACL issue with the relationship table. While users are not presented a nav pane listing to the table, they can access it and create relationships. This is a view issue: if you do not "pass the ACL rules" for write access to a CMDB table, you do not see the relationship editor icon on the CI form. All ITIL users can write to cmdb_rel_ci without issue.


Hi Drew, thanks for the explanation - now I understand better.



That's the CI Relations Formatter and it's defined in System UI > Formatters. Unfortunately, the underlying UI Macro "ci_relations" is hardcoded, according to Cannot locate "ci_relations.xml" formatter under UI Macro table, and unavailable for editing; that means you won't be able to edit the Jelly script to show the Add Relationships button.



The CI Relations Formatter has some sys_properties (look for name=*ecmdb) but none of them will allow the Add Relationships button to show for users with no create/update permissions to cmdb_ci.



Sorry, couldn't help much.



John


How do you check if, for example, a Microsoft IIS web server is running on a Windows server? Is there an attribute on either the web server table or the Windows server table to say that they are related, or that relationships exist, on their CI tables cmdb_ci_win_server or cmdb_ci_microsoft_webserver, without going to cmdb_rel_ci?