HI Team,

did we find any solution for this.

I have created a custom ACL for read only on CMDB.

but how can i add now a itil role (if i add itil role, the user have full read/write on cmdb).

Any solutions

Out of the box itil users have full CRUD access to the CMDB.   There are row level ACL's that allow this.     If you go to ACL's and create a filter for Name starts with "cmdb_ci"   AND Description starts with "asset or itil" you will see the 3 ACL's.     These allow anyone with the asset or itil role to write, delete, or create.   Modify these ACL's with your desired role.   In my case, I removed the asset and itil roles and added the ecmdb_admin role in their place.   There is a 4th OOTB ACL that allows any logged in user to read the table so, you shouldn't have to do anything with that unless that rule has been modified or deleted.   Description on the read rule is "Logged in users may read Configuration Item records".

I have done exactly this and it is still not working. I have removed the Asset and ITIL role from the 3 ACLs on the cmdb_ci table (create, delete, write) and then added a new custom role to the ACL, however I am still able to edit an existing CI as an ITIL user.  

I am unable to create or delete, but edit permissions are still not disabled.

Any suggestions? do I need an additional ACL for editing permissions on the CI? 

I'm having the same issue, do you remember if and how you resolved this?