How to give access to view table schemas without making user an admin

TrenaFritsche · ‎09-25-2017

Is there a way to give access to Show Schema to non-admins? I tried to create a custom module that lists table names and has the a button to use a UI Action that the Show Schema Map link on the table page uses thinking that I can give certain people the role that this new page has. When I use it, it works fine, but when I impersonate that person who would use it, it displays the page, but does not show any tables. Any thoughts on how to enable a graphic view of the table schema without providing admin access?

apjohn2 · ‎11-21-2018

I just had this question come up for me in my company. An IT Networking manager for some reason decided to get trained up in using Tableau, apparently with the exclusive point to get data out of servicenow into Tableau for reporting reasons. As a result he asked me for access to view all table schema. I'm not about to give him full admin rights, so this was how I solved it:

Logged into our dev instance w/ full admin
Created a new user, which I named 'roadmin' (as in read-only admin)
Added two roles to this user: admin and snc_read_only
In a separate browser, logged into our dev instance as 'roadmin'
Verified I could see everything an admin can see, including all tables, schema, etc., but I could not edit any record on any table, anywhere

More about the snc_read_only role can be found here.

I hope this helps someone. Thank you.

View solution in original post

Dave Smith1 · ‎09-25-2017

That's going to be somewhat tricky - generally data schemas contain structural information about the data content and revealing them to unprivileged parties could be violating confidentially policies.

What you're in effect asking is: can someone have a DBA view without giving them DBA access rights?

What would be the reasoning behind this? Do you want to provide read-only views to developers?

TrenaFritsche · ‎09-25-2017

I am really after giving our ITIL Process Engineers read only access to this so they can just see the schema of the tables.

Michael Ritchie · ‎09-25-2017

The schema map will be hard to make available. There is a personalize_dictionary role that allows access without full admin, but this role also allows write access so they could add and update fields.

Do they require the schema map view? You could create a read ACL on the sys_dictionary table and allow them to view the attributes of a table. This will be in a list format instead of the hierarchy view.

Dave Smith1 · ‎09-25-2017

Do they require the schema map view? You could create a read ACL on the sys_dictionary table and allow them to view the attributes of a table. This will be in a list format instead of the hierarchy view.

I got the impression they would, so creating a new role then permitting specific granular access using ACLs would be my approach, too.