question Re: Selective access to CI's in the CMDB in CMDB forum

Selective access to CI's in the CMDB

Frank70 — Mon, 11 Mar 2024 16:38:09 GMT

A customer is trying to only give edit/update rights to the users that own certain ci's.

Is there a way to do this ?

I tried to create an ACL on the cmdb_ci table based on the ownership of the CI's but the write access doesn't seem to work.

Re: Selective access to CI's in the CMDB

Ashok Sasidhara — Mon, 11 Mar 2024 17:34:35 GMT

If your objective is to give write access rights to users who are owners of certain CI classes, it is better to avoid creating ACLs on cmdb_ci. The ACLs should be configured for the specific CI classes which they own (like server class, network gear class etc.)

Re: Selective access to CI's in the CMDB

CMDB Whisperer — Mon, 11 Mar 2024 17:48:58 GMT

In a nutshell you would use scripted ACLs that would provide access based on whether the User is specified in a User field like Assigned to, or a is a member of a Group that is specified in a Group field like Support group. However, please note that this is an oversimplified recommendation and in reality you will find there are subtleties involved here that will likely impede users from doing normal activity on a CI that they should be able to do, and that this may even vary on a field-by-field basis. Most importantly, always test access controls rigorously for functionality, usability, and performance before you put it into Production!

Re: Selective access to CI's in the CMDB

AJ_TechTrek — Tue, 12 Mar 2024 09:51:34 GMT

Hi @Frank70 ,

That ACL on CMDB_CI, will not help, you need to use the Scripted ACL based on their roles and group, It will help to achieve this.

Please appreciate the efforts of community contributors by marking appropriate response as Mark my Answer Helpful or Accept Solution this may help other community users to follow correct solution in future.

Thanks

Linkedin Profile:- https://www.linkedin.com/in/ajay-kumar-66a91385/

ServiceNow Community Rising Star 2024