In cmdb_ci_appl table, how to allow only the record's Support group to edit that particular record?

AbdurRahmanSnow
Giga Guru

Good morning.
On the cmdb_ci_appl table, we have a lot of application records. So, only people with cmdb_admin and cmdb_manager should be able to edit the records. Apart from these, other people should only read it.
So, I have written 2 ACLs: Write operation (Form level) and List_view operation (List level), and have given these 2 roles. It is working perfectly fine.

The other requirement is to also allow "Support group" people (screenshot below) of that particular record to be able to edit it? (It can be any record.)
How can we do it, keeping in mind the 2 ACLs I created? Can it also be done using ACLs? Please help.
Example as below: 

[screenshot]

@Ankur Bawiskar @Dr Atul G- LNG @Viraj Hudlikar 


Dr Atul G- LNG
Tera Patron

Hi @AbdurRahmanSnow

For me, it sounds a bit contradictory. On one hand, you're saying that only the CMDB Manager or Admin can edit the record, and on the other hand, you're assigning a group that might only have the ITIL role—or something even lower.

Yet, users from that group are still able to make changes.

To me, this seems more like a role mismatch. If needed, either give them the admin or manager role, or create a new ACL. Just keep in mind:

  • Even if the group is assigned as a support group,
  • You need to check what role is actually required to make changes to that specific record type,
  • And whether that role is granted to the group in question.

*************************************************************************************************************
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.

Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]

****************************************************************************************************************

Ankur Bawiskar
Tera Patron

@AbdurRahmanSnow 

You can have another table.None WRITE ACL which checks if the logged-in user is a member of that support group, using an advanced script or conditions:

Support Group [IS Dynamic] One of My Groups

In the roles section, give the snc_internal role.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

@AbdurRahmanSnow 

Thank you for marking my response as helpful.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

Viraj Hudlikar
Giga Sage

Hello @AbdurRahmanSnow 

The simplest way is to create a new write ACL on the cmdb_ci_appl table with a script that checks if the current user is a member of the "Support group" specified on the record. The same has also been mentioned by Ankur; give it a try and let us know if it works or not.

If my response has helped you, hit the helpful button, and if your concern is solved, do mark my response as correct.

As per the new community feature, you can mark multiple responses as correct.

Thanks & Regards
Viraj Hudlikar.
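
The membership check the replies describe, written out as an added example (not code posted by anyone in this thread). It assumes the form's "Support group" field is the reference column `support_group`; the function name `supportGroupCanWrite` and the `fake*` stand-ins are hypothetical and exist only so the logic can be run outside an instance.

```javascript
// Script body for an additional write ACL on cmdb_ci_appl (table.None).
// Assumption: "Support group" on the form is the reference column support_group.
function supportGroupCanWrite(current, gs) {
  // An empty Support group must deny. Without this guard the record's
  // editability would depend on how an empty value happens to compare.
  if (current.support_group.nil()) {
    return false;
  }
  // Compare by sys_id rather than display name, so a renamed group or a
  // second group with the same name cannot satisfy the check.
  var groupId = current.support_group.toString();
  return gs.getUser().isMemberOf(groupId);
}
// In the ACL's Script field this would be used as:
//   answer = supportGroupCanWrite(current, gs);

// ---- Constructed stand-ins for current/gs, for running outside ServiceNow ----
function fakeRef(sysId) {
  return {
    nil: function () { return !sysId; },
    toString: function () { return sysId || ''; }
  };
}
function fakeGs(memberOfGroupIds) {
  return {
    getUser: function () {
      return {
        isMemberOf: function (g) { return memberOfGroupIds.indexOf(g) !== -1; }
      };
    }
  };
}
function demo() {
  var record = { support_group: fakeRef('grp_app_support') }; // constructed sys_id
  var noGroup = { support_group: fakeRef('') };               // Support group left empty
  return {
    member: supportGroupCanWrite(record, fakeGs(['grp_app_support'])),
    outsider: supportGroupCanWrite(record, fakeGs(['grp_network'])),
    noGroupSet: supportGroupCanWrite(noGroup, fakeGs(['grp_app_support']))
  };
}
```

Since the original poster also created a list-level ACL restricted to the two roles, the same check would be needed in a matching list-level ACL if support group members should edit from lists as well.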