Best way to limit who can delete assets and CIs?

Antti Luusua · ‎11-25-2020

Hello again SNow community,

what would be the best way to achieve the following functionality:

I want my organizations IT support personnel to be able to access Hardware Assets. I want them to be able to read and modify current assets, for example set the assigned to, state and location. They must not be able to delete assets and CIs, that should only be done by admins. However they must be able to set state to retired for example.

One way would be to take the OOB asset role and take away delete permissions, I guess? But should I instead create a new custom role and what are all the permissions I need to grant to that role?

Thank you in advance!

Martin Ivanov · ‎11-30-2020

If you navigate to System UI - UI actions and search for "delete asset only" you will find that this UI action is displayed to users with the role 'asset'. You can disable/deactivate this UI action or change the display conditions - e.g. set "admin" role insted of asset or whatever is usefull in your case.

Please mark Correct and click the Thumb up if my answer helps you resolve your issue. Thanks!
Martin Ivanov
ServiceNow MVP 2023, 2024

View solution in original post

Martin Ivanov · ‎11-25-2020

Hi. There is an ACL which is giving rights to delete records from the cmdb_ci table if the user has role asset or itil. You can deactivate this ACL, create a new one which must be the same, with the only difference in the roles - add 'admin' instead of 'asset' and 'itil'.

Please mark as Correct if this helps you find the solution you need. Thanks.

Please mark Correct and click the Thumb up if my answer helps you resolve your issue. Thanks!
Martin Ivanov
ServiceNow MVP 2023, 2024

Antti Luusua · ‎11-27-2020

Thank you Martin for the advice. I did what you suggested and also made the same changes to alm_asset and now regular asset users cannot see the delete button in the form and cannot delete CIs. However, they still can use the "Delete asset only" button found on the asset form. I have not yet figured out why this is the case and how would I disable that.

I marked your answer Helpful, did not mark it as correct answer since they still can delete assets. But definitely a step towards the right direction!

Martin Ivanov · ‎11-30-2020

If you navigate to System UI - UI actions and search for "delete asset only" you will find that this UI action is displayed to users with the role 'asset'. You can disable/deactivate this UI action or change the display conditions - e.g. set "admin" role insted of asset or whatever is usefull in your case.

Please mark Correct and click the Thumb up if my answer helps you resolve your issue. Thanks!
Martin Ivanov
ServiceNow MVP 2023, 2024

Antti Luusua · ‎12-03-2020

Thank you Martin, this was just what I wanted. I marked your answer as correct. Have a nice day!