Normal user cannot see CMDB reference variable values in catalog item – best practice?

Hi All,

In a ServiceNow catalog item, I have reference variables pointing to:

• cmdb_ci_computer

• cmdb_ci_service

• sys_user

I observed that a normal user (no roles):

• ❌ Cannot see values for cmdb_ci_computer and cmdb_ci_service

• ✅ Can see values for sys_user

After assigning the cmdb_read role to the user, the CMDB reference variable values started displaying correctly.

My understanding is:

• sys_user is publicly readable

• CMDB tables are role-restricted, so cmdb_read is required

I want to confirm:

• Is assigning cmdb_read the correct and best-practice approach for this requirement?

• Are there any recommended alternatives (ACL-based or group-based access) for production environments?

Please share your thoughts or real-time project experience.

Thanks in advance.