Make CMDB read only for ITIL users

Allison3
Kilo Guru

I'm wanting our ITIL users to have read-only access to the CMDB. I have a group created that will be the CMDB Admins and they should be the only ones who can edit/delete/enter CIs or alter any part of the CMDB.

Is there an easier way to do this than changing the ACLs on the ITIL role?


I know I can make the forms read-only but there are a lot of forms. I don't want to alter the ACLs because I have a select group of ITIL users who will need to be able to edit the CMDB.

9 REPLIES

Any way to just give CMDB read access to itil users?


Hi Team,


Did we find any solution for this?


I have created a custom ACL for read only on CMDB.


But how can I now add an itil role (if I add the itil role, the user has full read/write on the CMDB)?


Any solutions?


Out of the box, itil users have full CRUD access to the CMDB. There are row-level ACLs that allow this. If you go to ACLs and create a filter for Name starts with "cmdb_ci" AND Description starts with "asset or itil", you will see the 3 ACLs. These allow anyone with the asset or itil role to write, delete, or create. Modify these ACLs with your desired role. In my case, I removed the asset and itil roles and added the ecmdb_admin role in their place. There is a 4th OOTB ACL that allows any logged-in user to read the table, so you shouldn't have to do anything with that unless that rule has been modified or deleted. The description on the read rule is "Logged in users may read Configuration Item records".
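
An added example, not part of the reply above and not ServiceNow's own code: a background script that lists every active create, write or delete ACL whose name starts with cmdb_ci and still carries the itil or asset role, using the same name filter the reply describes. The table and field names (sys_security_acl_role, sys_security_acl, sys_user_role) are assumed to match a standard instance, and the sample rows used outside an instance are constructed.

```javascript
// Added example. Runs as a ServiceNow background script (ES5); outside an
// instance it falls back to the constructed sample rows below.
var GUARDED_OPS = ['create', 'write', 'delete'];

// Return the ACL/role rows where one of `roles` is attached to an active
// create/write/delete ACL whose name starts with `prefix`.
function findGrants(rows, prefix, roles) {
  return rows.filter(function (r) {
    return r.active &&
      r.name.indexOf(prefix) === 0 &&
      GUARDED_OPS.indexOf(r.operation) !== -1 &&
      roles.indexOf(r.role) !== -1;
  });
}

// Load ACL-to-role rows from the instance (assumed schema: sys_security_acl_role
// references sys_security_acl and sys_user_role).
function loadAclRoleRows(prefix) {
  var rows = [];
  var gr = new GlideRecord('sys_security_acl_role');
  gr.addQuery('sys_security_acl.name', 'STARTSWITH', prefix);
  gr.query();
  while (gr.next()) {
    rows.push({
      name: gr.sys_security_acl.name.toString(),
      operation: gr.sys_security_acl.operation.getDisplayValue(),
      active: gr.sys_security_acl.active.toString() === 'true',
      role: gr.sys_user_role.name.toString()
    });
  }
  return rows;
}

// Constructed sample data, not taken from any real instance.
var SAMPLE_ROWS = [
  { name: 'cmdb_ci', operation: 'write', active: true, role: 'ecmdb_admin' },
  { name: 'cmdb_ci', operation: 'read', active: true, role: 'itil' },
  { name: 'cmdb_ci_server', operation: 'write', active: true, role: 'itil' },
  { name: 'cmdb_ci.name', operation: 'write', active: true, role: 'asset' },
  { name: 'cmdb_ci', operation: 'delete', active: false, role: 'itil' },
  { name: 'incident', operation: 'write', active: true, role: 'itil' }
];

var inInstance = typeof GlideRecord !== 'undefined';
var rows = inInstance ? loadAclRoleRows('cmdb_ci') : SAMPLE_ROWS;
findGrants(rows, 'cmdb_ci', ['itil', 'asset']).forEach(function (g) {
  var line = g.name + ' [' + g.operation + '] still grants role ' + g.role;
  if (inInstance) { gs.info(line); } else { console.log(line); }
});
```

ACLs that grant access through a condition or script rather than a required role have no row in the role table, so they do not appear in this listing.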


I have done exactly this and it is still not working. I have removed the Asset and ITIL role from the 3 ACLs on the cmdb_ci table (create, delete, write) and then added a new custom role to the ACL, however I am still able to edit an existing CI as an ITIL user.  

I am unable to create or delete, but edit permissions are still not disabled.

Any suggestions? Do I need an additional ACL for editing permissions on the CI?

RWHeals
Tera Contributor

I'm having the same issue, do you remember if and how you resolved this?