How to make Configuration Items read only to non-Admins

bostonsnow
Kilo Guru

Hello all,

It appears as though the out of the box SNOW configuration allows all users with the Itil role to be able to create, edit and delete Configuration Items in SNOW.

I would like to change this so that:

1. Itil users have read only access.

2. Only users with the admin role can create, edit and delete CI's.

I updated the following ACL's replacing "itil" with "admin". However, when I tested this, Itil users are still able to create, edit and delete CI's. What am I missing?

Name                    Operation
task_cmdb_ci_service    create
task_cmdb_ci_service    delete
task_cmdb_ci_service    write

Thanks!

Mike

1 ACCEPTED SOLUTION

randrews
Tera Guru

ok this is pretty easy to accomplish via a write role on the cmdb_ci table... just disable the existing write role on cmdb_ci and create a new one with the only role being admin and no script.



personally what i would do is create a new role cmdb_ci_edit... and add that role to the list of roles in the write acl.. this will allow you to give this role to groups/individuals that SHOULD be able to write/create ci's... server ops etc.



4 REPLIES

Deepak Kumar5
Kilo Sage

Check and modify cmdb_ci table access




bostonsnow
Kilo Guru

Hello, thank you both for your quick replies!



@Raymond: Just did what you suggested and it is now working, thanks! One question: should I back out the task_cmdb_ci_service ACL changes I made originally?


i would eventually give it a few days to validate you didn't break anyone you didn't intend on breaking


inactivated it has no effect... but i like to clean em up after a few weeks
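
One way to check the result of the accepted answer, as an added example that is not part of the thread and not ServiceNow's own code: it lists which roles are still named by active table-level ACLs on cmdb_ci for create, write and delete. The names `rolesGranted`, `loadAcls` and `SAMPLE_ACLS` are hypothetical, the sample rows are constructed, and the model is simplified to role lists only.

```javascript
// Added example, not from the thread. Simplified model (assumption): only the
// role lists of active table-level ACLs are checked; conditions, scripts,
// field-level ACLs, parent-table fallback and admin override are ignored.
var OPERATIONS = ['create', 'write', 'delete'];
// Constructed rows mirroring the state in the question: the edited
// task_cmdb_ci_service ACLs, and cmdb_ci ACLs still naming itil.
var SAMPLE_ACLS = [
  { name: 'task_cmdb_ci_service', operation: 'create', roles: ['admin'] },
  { name: 'task_cmdb_ci_service', operation: 'write', roles: ['admin'] },
  { name: 'task_cmdb_ci_service', operation: 'delete', roles: ['admin'] },
  { name: 'cmdb_ci', operation: 'create', roles: ['itil'] },
  { name: 'cmdb_ci', operation: 'write', roles: ['itil'] },
  { name: 'cmdb_ci', operation: 'delete', roles: ['itil'] }
];

// For each operation, list which of `roles` an ACL on `table` lets through
// (an ACL with no roles attached lets every role through in this model).
function rolesGranted(acls, table, roles) {
  var report = {};
  OPERATIONS.forEach(function (op) {
    report[op] = roles.filter(function (role) {
      return acls.some(function (acl) {
        return acl.name === table && acl.operation === op &&
          (acl.roles.length === 0 || acl.roles.indexOf(role) !== -1);
      });
    });
  });
  return report;
}

// On an instance (background script): read the active ACLs for one table.
function loadAcls(table) {
  var rows = [];
  var acl = new GlideRecord('sys_security_acl');
  acl.addActiveQuery();
  acl.addQuery('name', table);
  acl.query();
  while (acl.next()) {
    var row = { name: table, operation: acl.operation.getDisplayValue(), roles: [] };
    var link = new GlideRecord('sys_security_acl_role');
    link.addQuery('sys_security_acl', acl.getUniqueValue());
    link.query();
    while (link.next()) row.roles.push(link.sys_user_role.getDisplayValue());
    rows.push(row);
  }
  return rows;
}
// Outside an instance GlideRecord is undefined, so the constructed rows are used.
var acls = typeof GlideRecord === 'undefined' ? SAMPLE_ACLS : loadAcls('cmdb_ci');
var out = JSON.stringify(rolesGranted(acls, 'cmdb_ci', ['itil']));
if (typeof gs === 'undefined') console.log(out); else gs.info(out);
```

With the constructed rows, itil is still listed for all three operations even though the task_cmdb_ci_service ACLs name only admin, because those ACLs are on a different table than cmdb_ci.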