Removing Configuration Item (CI) edit access for ITIL role

Ash49
Tera Contributor

OOB, the ITIL role is permitted to create, read, edit, and delete Configuration Items (CIs). We would like to restrict the role to read-only for CIs. We understand this involves modifying OOB ACLs.

Looking for any feedback from those who have done this. Did you encounter any unforeseen issues, such as breaking of OOB provided ServiceNow features? Any input on lessons learned, things to avoid, or a better way to implement this is appreciated.

 

2 REPLIES

Sai Kumar B
Mega Sage

@Ash49 

 

You can create a new ACL rule for the ITIL role with conditions and an Advanced script instead of breaking OOB ACLs.

 

If I could help you with my response you can mark it as helpful and correct as it benefits future viewers
Thanks,
Sai Kumar B
Community Rising Star 2023 & 2022

I don't believe it's possible to avoid modifying OOB ACLs or deactivating them and creating new ones (which amounts to modifying OOB ACLs). The OOB ACLs give the 'itil' role create, edit, delete access. A user having the 'itil' role will always be given edit access via those OOB ACLs, despite any new ACLs put in place.
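
A simplified model of the rule matching discussed in this thread, added here as an example and not taken from the posts or from ServiceNow's own code. The rule objects, the `ci_editor` role and the default-deny fallback are assumptions made for illustration; the model covers one table and the write operation only.

```javascript
// Simplified model: within one ACL rule, role, condition and script must all
// pass; across rules for the same table and operation, passing any one rule
// is enough. All records below are constructed sample data.

function ruleGrants(rule, user, record) {
  const roleOk = rule.roles.length === 0 ||
    rule.roles.some((r) => user.roles.includes(r));
  const conditionOk = rule.condition ? rule.condition(record) : true;
  const scriptOk = rule.script ? rule.script(user, record) : true;
  return rule.active && roleOk && conditionOk && scriptOk;
}

function canWrite(acls, user, record) {
  const matching = acls.filter(
    (a) => a.table === record.table && a.operation === 'write');
  // Assumption: with no granting rule, access is denied (default-deny).
  return matching.some((a) => ruleGrants(a, user, record));
}

const itilUser = { name: 'constructed.user', roles: ['itil'] };
const ci = { table: 'cmdb_ci', name: 'constructed-server-01' };

// Stand-in for a shipped rule that grants write to 'itil'.
const shippedWrite = { table: 'cmdb_ci', operation: 'write',
  roles: ['itil'], active: true };
// A newly added rule for 'itil' whose script always returns false.
const addedRule = { table: 'cmdb_ci', operation: 'write',
  roles: ['itil'], active: true, script: () => false };
// Replacement rule requiring a hypothetical role the itil user lacks.
const replacementRule = { table: 'cmdb_ci', operation: 'write',
  roles: ['ci_editor'], active: true };

function scenarios() {
  return {
    shippedOnly: canWrite([shippedWrite], itilUser, ci),
    // The added rule fails, but the shipped rule still grants write.
    shippedPlusAdded: canWrite([shippedWrite, addedRule], itilUser, ci),
    // Write is lost only once the granting rule itself no longer applies.
    shippedDeactivated: canWrite(
      [{ ...shippedWrite, active: false }, replacementRule], itilUser, ci),
  };
}

console.log(scenarios());
```

Before changing the granting rules in a real instance, impersonating an itil-only test user in a sub-production instance and checking the affected CI forms and related features is a way to see what else depends on them.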