How to Provide Read-Only Access to Incidents for Non-ITIL Managers (Nothing Worked So Far)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hi Community,
I am looking for guidance on a specific use case around incident access for non-ITIL users.
We have certain business managers (for example, store managers) who are not part of IT operations and therefore should not be granted the ITIL role. However, they still need the ability to:
View incidents related to their store/location.
Access form details and work notes.
In some cases, possibly update the State field only.
They should not be able to create, update, assign, or perform any other ITIL actions on incidents.
What I’ve already tried:
sn_read_only role – not sufficient, as it doesn’t allow proper access to incidents.
SNC-internal role – I don’t see this role in my instance.
Custom role with READ ACL on incident – allows viewing, but doesn’t give flexibility for state changes when needed.
Cloning/adjusting ITIL ACLs – not a preferred approach since I want to avoid altering standard ACLs tied to ITIL.
Challenge:
Despite trying the above, I still don’t have a clean solution that gives these managers view-only access (with limited state update ability) to incidents for their stores without exposing the full ITIL role.
Question:
What is the best practice approach to achieve this? Should I:
Build a custom role + ACL combination that restricts access by conditions (e.g., assignment group, location)?
Use a different out-of-the-box role (if one exists) that I may have overlooked?
Consider a reporting/dashboard-only option instead of direct form access?
If anyone has implemented a similar requirement, I’d appreciate your insights, recommendations, or even sample ACL setups.
Thanks in advance for your help!
Kasula
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hi @Kumar54 ,
Please follow below recommended approach as per my knowledge:
1. Assign the sn_incident_read Role
This role grants read-only access to incidents, enabling users to view incident details and work notes. It is designed for users who do not require full ITIL access. Ensure that the ITSM roles plugin is installed in your instance to access this role.
2. Create a Custom Role for Limited State Updates
To allow users to update the state field without full ITIL permissions, create a custom role (e.g., incident_state_abc). This role should include a specific Access Control List (ACL) for the incident.state field, permitting updates under controlled conditions.
3. Implement Field-Level ACLs
Configure ACLs on the incident table to restrict write access to specific fields. For instance, allow updates to the state field only for users with the incident_state_abc role. Ensure that other fields remain read only for these users.
4. Use Conditions in ACLs
Incorporate conditions within ACLs to further restrict access based on criteria such as assignment group, location, or other relevant attributes. This ensures that users can only view and update incidents pertinent to their responsibilities.
5. Avoid Modifying Standard ITIL ACLs
To maintain system integrity and avoid unintended consequences, refrain from cloning or modifying standard ITIL ACLs. Instead, create new, custom ACLs tailored to your specific requirements.
If you found my response helpful, please mark it as ‘Accept as Solution’ and ‘Helpful’. This helps other community members find the right answer more easily and supports the community.
Kaushal Kumar Jha - ServiceNow Consultant - Lets connect on Linkedin: https://www.linkedin.com/in/kaushalkrjha/
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
