Normal user (no roles) cannot see cmdb_ci_service reference values in catalog form

ChK85808602
Mega Contributor

Hi Team,

I’m facing an issue with a Service Catalog reference field.

Issue:
A normal end user (no additional roles like itil) is not able to see any records in a reference field pointing to cmdb_ci_service on a catalog form.
The field is visible, but when the user clicks the lookup icon, no values are returned.

Admins can see the values without any issue.

 

I understand this might be due to ACL restrictions on the cmdb_ci_service table, but I’m not able to configure the ACLs correctly.

Request:
If possible, can someone please share the step-by-step process to create the required ACLs?


Thanks in advance!

1 ACCEPTED SOLUTION

Nayan ArchX
Tera Guru

 

You’re exactly right — this behavior is ACL-related, and it’s a very common ServiceNow gotcha with CMDB reference fields on catalog items.

Below is a clear, step-by-step way to fix it safely without overexposing CMDB data.

 

Why this happens (quick context)

  • The lookup icon on a reference field performs a read on the referenced table (cmdb_ci_service)

  • End users usually do not have read access to CMDB tables

  • Admins bypass ACLs → they see records

  • Catalog context does NOT bypass table ACLs

So we must allow controlled read access.

 

Recommended Fix (Best Practice)

Step 1: Identify the exact table

  • Table: cmdb_ci_service

Step 2: Create a Table-level READ ACL

  1. Navigate to:
    System Security → Access Control (ACL)

  2. Click New

  3. Configure:

    • Type: record

    • Operation: read

    • Name: cmdb_ci_service

    • Active: ✔️

Step 3: Add a Condition (IMPORTANT)

To avoid exposing all services:

 
Operational status = Operational

(or your org’s equivalent field)

Step 4: Add a Role condition

Option 1 (recommended):

  • Add role: snc_internal
    (all internal users have this role)

Option 2 (more restrictive):

  • Create a custom role, e.g. catalog_cmdb_reader

  • Assign it only to allowed users

Step 5: (Optional but safer) Add a Script condition

If you want catalog-only access:

 
answer = gs.getSession().isInteractive();

Or catalog-specific:

 

 
answer = gs.getSession().getClientIP() != null;

(Use only if your governance requires it.)

 

⚠️VERY IMPORTANT: Field-level ACLs

Even with table read access, field ACLs can still block results.

Check these fields:

  • name

  • sys_id

  • operational_status

Ensure no restrictive read ACLs exist on these fields.

 

Validation Steps

  1. Impersonate a normal end user

  2. Open the catalog item

  3. Click the reference lookup

  4. Records should now appear

If my response has resolved your query, please consider giving it a thumbs up and marking it as the correct answer!

 

Thanks

Nayan Patel

IT ServiceNow Consult, ServiceNow ArchX

If my response has resolved your query, please mark it Helpful by giving it a thumbs up and accept the solution.
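The ACL evaluation the answer walks through, as an added JavaScript model that is not part of the post and is not ServiceNow code: it simulates a table-level read ACL on cmdb_ci_service (role, condition, script) followed by a field-level read ACL, and runs the post's validation steps for an admin and for an end user who holds only snc_internal. The "before the fix" ACL requiring itil, the choice values for operational_status, the itil-only field ACL on name, and the sample records are all constructed assumptions; admin bypassing ACLs is the default ServiceNow behaviour the answer relies on.

```javascript
// Added illustration, not code from the post or from ServiceNow: a small model of
// how a table-level read ACL and field-level read ACLs combine when a reference
// lookup scans cmdb_ci_service. The "before" ACL, the choice values, the field ACL
// on name, and the sample records are constructed for the walk-through.

const OPERATIONAL = 1; // assumed choice value for operational_status = Operational

// Constructed sample rows standing in for cmdb_ci_service records
const SERVICES = [
  { sys_id: "s1", name: "Email",      operational_status: 1 },
  { sys_id: "s2", name: "Legacy CRM", operational_status: 6 }, // assumed "Retired"
  { sys_id: "s3", name: "VPN",        operational_status: 1 },
];

// Before the fix: an assumed read ACL that only itil users pass (the symptom in the question)
const ACL_BEFORE_FIX = {
  roles: ["itil"],
  condition: () => true,
  script: () => true,
};

// After the fix, as the answer describes: role snc_internal, a condition on
// operational_status, and the optional script condition on an interactive session
const ACL_AFTER_FIX = {
  roles: ["snc_internal"],
  condition: (rec) => rec.operational_status === OPERATIONAL,
  script: (session) => session.interactive === true,
};

// Field-level read ACLs keyed by field name; an empty object means none exist.
// The restrictive one models the failure mode the answer warns about.
const NO_FIELD_ACLS = {};
const RESTRICTIVE_NAME_ACL = { name: { roles: ["itil"] } }; // constructed

function hasAnyRole(user, roles) {
  return roles.length === 0 || roles.some((r) => user.roles.includes(r));
}

function isAdmin(user) {
  return user.roles.includes("admin"); // admin overrides ACLs unless configured otherwise
}

// Table-level read: role, then condition, then script; all three must pass
function tableReadAllowed(user, session, acl, rec) {
  if (isAdmin(user)) return true;
  return hasAnyRole(user, acl.roles) && acl.condition(rec) && acl.script(session);
}

// Field-level read: if no ACL exists for the field, the table decision stands
function fieldReadAllowed(user, fieldAcls, field) {
  if (isAdmin(user)) return true;
  const acl = fieldAcls[field];
  return acl ? hasAnyRole(user, acl.roles) : true;
}

// Simulates the reference picker: rows the table ACL admits, with the display
// value (name) reported as "" when a field ACL denies reading it
function lookup(user, session, tableAcl, fieldAcls) {
  return SERVICES
    .filter((rec) => tableReadAllowed(user, session, tableAcl, rec))
    .map((rec) => (fieldReadAllowed(user, fieldAcls, "name") ? rec.name : ""));
}

// Constructed actors: an admin, and an end user who only holds snc_internal
const ADMIN = { roles: ["admin"] };
const END_USER = { roles: ["snc_internal"] };
const UI_SESSION = { interactive: true };
const API_SESSION = { interactive: false };

// Runs the answer's validation steps against each configuration
function validate() {
  return {
    adminBefore: lookup(ADMIN, UI_SESSION, ACL_BEFORE_FIX, NO_FIELD_ACLS),
    userBefore: lookup(END_USER, UI_SESSION, ACL_BEFORE_FIX, NO_FIELD_ACLS),
    userAfter: lookup(END_USER, UI_SESSION, ACL_AFTER_FIX, NO_FIELD_ACLS),
    userAfterNonInteractive: lookup(END_USER, API_SESSION, ACL_AFTER_FIX, NO_FIELD_ACLS),
    userAfterFieldBlocked: lookup(END_USER, UI_SESSION, ACL_AFTER_FIX, RESTRICTIVE_NAME_ACL),
  };
}

console.log(JSON.stringify(validate(), null, 2));
```

Reading the result: the admin sees every row regardless of the ACL, the end user sees nothing before the fix, sees only the operational services after it, sees nothing again when the session is not interactive (the script condition), and gets blank display values when a restrictive field ACL on name exists even though the table ACL passes, which is the field-level case the answer asks you to check.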

