In cmdb_ci_appl table, how to allow only the record's Support group to edit that particular record?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-04-2025 01:53 PM
Good morning.
On the cmdb_ci_appl table, we have lot of application records. So, only people with cmdb_admin and cmdb_manager should be able to edit the records. Apart from these, other people should only read it.
So, I have written 2 ACLs: Write operation (Form level) and List_view operation (List level), and have given these 2 roles. It is working perfectly fine.
The other requirement is to also allow "Support group" people (screenshot below) of that particular record to be able to edit it? (It can be any record.)
How can we do it, keeping in mind of the 2 ACLs, I created? Can it also be done using ACLs? Please help.
Example as below:
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-04-2025 02:52 PM
For me, it sounds a bit contradictory. On one hand, you're saying that only the CMDB Manager or Admin can edit the record, and on the other hand, you're assigning a group that might only have the ITIL role—or something even lower.
Yet, users from that group are still able to make changes.
To me, this seems more like a role mismatch. If needed, either give them the admin or manager role, or create a new ACL. Just keep in mind:
-
Even if the group is assigned as a support group,
-
You need to check what role is actually required to make changes to that specific record type,
-
And whether that role is granted to the group in question.
If my response proves useful, please indicate its helpfulness by selecting " Accept as Solution" and " Helpful." This action benefits both the community and me.
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]
****************************************************************************************************************
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-04-2025 08:29 PM
you can have another table.None WRITE ACL which checks if logged in user is member of that support group using advanced script or conditions
Support Group [IS Dynamic] One of My Groups
In the roles section give snc_internal role
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-05-2025 04:09 AM
Thank you for marking my response as helpful.
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-05-2025 03:45 AM
Hello @AbdurRahmanSnow
The simplest way is to create a new write ACL on the cmdb_ci_appl table with a script that checks if the current user is a member of the "Support group" specified on the record. Same has been also mentioned by Ankur, give a try and let us know if it works or not.
If my response has helped you hit helpful button and if your concern is solved do mark my response as correct.
As per new community feature you can mark multiple responses as correct.
Thanks & Regards
Viraj Hudlikar.