Employee Roles for ESC Portal

LiamO
Tera Contributor

Hello! 

 

We are in the process of cleaning up our users and it has been noticed that the previous team responsible for Snow were manually adding the cmdb_read role to each employee so they could see reference fields while logging tickets.

 

We've been trying to find the best practices for end user employees who will only use the ESC Portal to log tickets and requests. 

 

We are looking at creating a group that has the cmdb_read role and then adding in all our current employees but if there is a better way any assistance/guidance would be greatly appreciated! 

 

Liam

 

4 REPLIES

Chavan AP
Tera Guru

Screenshot 2025-09-08 at 02.53.44.png

 

If you enable this ACL on the cmdb_ci table, you no longer need to add the cmdb_read role. All authenticated users will be able to view it. 

 

If you don’t want to enable it, as per best practice, simply create a separate group named “CMDB Read Group.” Assign the “cmdb_read” role to this group and add the users you want to grant access to.

 

Glad I could help! If this solved your issue, please mark it as Helpful and Accept as Solution so others can benefit too.

Chavan A.P. | Technical Architect | Certified Professional

@LiamO - did you get a chance to check?


Bhuvan
Kilo Patron

@LiamO 

 

You have 2 options.

 

1. If you want to give blanket permission to a role, do it in an ACL. The cmdb_read role and the service_viewer role have CMDB read permissions by default, and there is an inactive ACL that can allow authenticated OR roleless users access to CMDB read permissions. I recommend that you do not follow this, as it is not best practice from a security standpoint.

 


 

2. Create a group, add the users that need access to this group, and add the cmdb_read role to the group.

 

As per community guidelines, you can accept more than one answer as accepted solution. If my response helped to answer your query, please mark it helpful & accept the solution.

 

Thanks,

Bhuvan

Nikhil Bajaj9
Giga Sage

Hi @LiamO ,

 

As per ServiceNow best practice, we should try to achieve everything with configuration, not by coding, so creating a group for users with the required role is a better way than doing it with any ACL or scripting. Creating a group, adding only relevant members to that group, and providing the relevant role to that group is the simple and correct way.

 

Please appreciate my efforts, help and support extended to you by clicking on the “Accept as Solution” button under my answer. It will motivate me to help others as well.

Regards,
Nikhil Bajaj
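
The group approach recommended in the replies, as an added example (not code from any poster or from ServiceNow): given a flattened export of sys_user_has_role and sys_user_grmember rows, it works out which users holding a directly granted cmdb_read role must be added to the group and which direct grants then become redundant. The row shape, the sample user names and the handling of inactive users are assumptions.

```javascript
// Added example: plan the move from per-user cmdb_read grants to one group.
// Inputs are a constructed, flattened export of sys_user_has_role,
// sys_user_grmember and sys_user (display values instead of sys_ids).
const GROUP = "CMDB Read Group"; // group name suggested in the thread
const ROLE = "cmdb_read";

const userRoles = [ // constructed sample of sys_user_has_role rows
  { user: "a.adams", role: "cmdb_read", inherited: false },
  { user: "b.brown", role: "cmdb_read", inherited: false },
  { user: "b.brown", role: "cmdb_read", inherited: true },  // also via group
  { user: "c.clark", role: "cmdb_read", inherited: true },  // group only
  { user: "d.diaz",  role: "cmdb_read", inherited: false }, // inactive user
  { user: "e.evans", role: "itil",      inherited: false }, // unrelated role
];
const groupMembers = [ // constructed sample of sys_user_grmember rows
  { user: "b.brown", group: GROUP },
  { user: "c.clark", group: GROUP },
];
const activeUsers = new Set(["a.adams", "b.brown", "c.clark", "e.evans"]);

function planMigration(roles, members, active, role = ROLE, group = GROUP) {
  const inGroup = new Set(
    members.filter(m => m.group === group).map(m => m.user));
  // Direct grants are the rows where the role is not inherited from a group.
  const direct = new Set(
    roles.filter(r => r.role === role && !r.inherited).map(r => r.user));
  const plan = { addToGroup: [], removeDirectGrant: [], revokeInactive: [] };
  for (const user of [...direct].sort()) {
    if (!active.has(user)) {
      // Assumption: inactive accounts lose the grant and get no membership.
      plan.revokeInactive.push(user);
      continue;
    }
    if (!inGroup.has(user)) plan.addToGroup.push(user);
    // Redundant once the group supplies the role; remove after membership.
    plan.removeDirectGrant.push(user);
  }
  return plan;
}

console.log(planMigration(userRoles, groupMembers, activeUsers));
```

Applying `addToGroup` before `removeDirectGrant` keeps every active user's reference fields readable throughout the change.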