Normal user cannot see CMDB reference variable values in catalog item – best practice?
3 hours ago
Hi All,
In a ServiceNow catalog item, I have reference variables pointing to:
- cmdb_ci_computer
- cmdb_ci_service
- sys_user

I observed that a normal user (no roles):
- ❌ Cannot see values for cmdb_ci_computer and cmdb_ci_service
- ✅ Can see values for sys_user

After assigning the cmdb_read role to the user, the CMDB reference variable values started displaying correctly.

My understanding is:
- sys_user is publicly readable
- CMDB tables are role-restricted, so cmdb_read is required

I want to confirm:
- Is assigning cmdb_read the correct and best-practice approach for this requirement?
- Are there any recommended alternatives (ACL-based or group-based access) for production environments?
Please share your thoughts or real-time project experience.
Thanks in advance.
5m ago
Hi @Kishore47,
Yes, your understanding is correct.
sys_user:
- Publicly readable
- Normal users can see reference values without any role

CMDB tables (cmdb_ci_*):
- Protected by ACLs
- Normal users cannot read CIs
- Hence reference variables appear empty

Assigning cmdb_read:
- ✅ Works as expected
- ✅ Commonly used solution
- ⚠️ Grants read access to the entire CMDB (can be too broad)

Best-practice recommendations:
- Prefer custom read ACLs on required CI classes only
- Or create a custom role (instead of full cmdb_read) and assign it to relevant users/groups
- Always use reference qualifiers to limit visible CIs (e.g., operational, owned by user, etc.)

Conclusion:
- cmdb_read is technically correct
- For production, least-privilege access via ACLs + qualifiers is recommended
If you find this helpful, please mark it as helpful and accept my solution.
Best Regards
SIVASANKARI S
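The least-privilege pattern recommended in the answer above (class-scoped read ACLs plus a reference qualifier, instead of the blanket cmdb_read role), as an added example that is not part of the thread and not ServiceNow's own API. The ACL evaluation is a simplified model written in plain JavaScript so it runs offline; the role name u_ci_requester and the user/record objects are constructed assumptions. Note that the reference qualifier only narrows the catalog picker; the ACL is what actually enforces access.

```javascript
// Reference qualifier for the catalog variable. On the platform this would be
// "javascript: buildCiQualifier(gs.getUserID())" and must return an encoded query.
// operational_status=1 is "Operational"; "^" joins AND terms and "^OR" ORs with
// the term immediately before it, giving status AND (owned_by OR assigned_to).
function buildCiQualifier(userSysId) {
  return 'operational_status=1^owned_by=' + userSysId + '^ORassigned_to=' + userSysId;
}

// Script ACL body for operation=read on cmdb_ci_computer: allow an unprivileged
// requester to read only an operational CI they own or are assigned.
function ownsOperationalCi(current, user) {
  var me = user.getUserID();
  return String(current.operational_status) === '1' &&
    (current.owned_by === me || current.assigned_to === me);
}

// Constructed read ACLs, scoped to one CI class rather than the whole CMDB.
// ACL 1: a narrow custom role (assumption: u_ci_requester) instead of cmdb_read.
// ACL 2: no role required, but the script condition above must pass.
var ciReadAcls = [
  { table: 'cmdb_ci_computer', roles: ['u_ci_requester'], script: function () { return true; } },
  { table: 'cmdb_ci_computer', roles: [], script: ownsOperationalCi }
];

// Simplified ServiceNow semantics: within one ACL the role check (any listed role)
// AND the script must both pass; across ACLs on the same table, any one passing
// grants access. No matching ACL means deny, which is what an unprivileged user
// sees on CMDB tables.
function canRead(table, current, user) {
  return ciReadAcls.some(function (acl) {
    if (acl.table !== table) return false;
    var roleOk = acl.roles.length === 0 || acl.roles.some(function (r) { return user.hasRole(r); });
    return roleOk && acl.script(current, user) === true;
  });
}

// Constructed stand-in for the GlideSystem user context (not the real gs object).
function makeUser(sysId, roles) {
  return {
    getUserID: function () { return sysId; },
    hasRole: function (r) { return roles.indexOf(r) !== -1; }
  };
}
```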
