How to Provide Read-Only Access to Incidents for Non-ITIL Managers (Nothing Worked So Far)

Kumar54
Tera Contributor

Hi Community,

I am looking for guidance on a specific use case around incident access for non-ITIL users.

We have certain business managers (for example, store managers) who are not part of IT operations and therefore should not be granted the ITIL role. However, they still need the ability to:

- View incidents related to their store/location.
- Access form details and work notes.
- In some cases, possibly update the State field only.

They should not be able to create, update, assign, or perform any other ITIL actions on incidents.

What I’ve already tried:
- sn_read_only role – not sufficient, as it doesn’t allow proper access to incidents.
- SNC-internal role – I don’t see this role in my instance.
- Custom role with READ ACL on incident – allows viewing, but doesn’t give flexibility for state changes when needed.
- Cloning/adjusting ITIL ACLs – not a preferred approach since I want to avoid altering standard ACLs tied to ITIL.

Challenge:
Despite trying the above, I still don’t have a clean solution that gives these managers view-only access (with limited state update ability) to incidents for their stores without exposing the full ITIL role.

Question:
What is the best practice approach to achieve this? Should I:

- Build a custom role + ACL combination that restricts access by conditions (e.g., assignment group, location)?
- Use a different out-of-the-box role (if one exists) that I may have overlooked?
- Consider a reporting/dashboard-only option instead of direct form access?

If anyone has implemented a similar requirement, I’d appreciate your insights, recommendations, or even sample ACL setups.

Thanks in advance for your help!
Kasula


kaushal_snow
Mega Sage

Hi @Kumar54,

Please follow the recommended approach below, as per my knowledge:

1. Assign the sn_incident_read Role

This role grants read-only access to incidents, enabling users to view incident details and work notes. It is designed for users who do not require full ITIL access. Ensure that the ITSM roles plugin is installed in your instance to access this role.

2. Create a Custom Role for Limited State Updates

To allow users to update the state field without full ITIL permissions, create a custom role (e.g., incident_state_abc). This role should include a specific Access Control List (ACL) for the incident.state field, permitting updates under controlled conditions.

3. Implement Field-Level ACLs

Configure ACLs on the incident table to restrict write access to specific fields. For instance, allow updates to the state field only for users with the incident_state_abc role. Ensure that other fields remain read only for these users.


4. Use Conditions in ACLs

Incorporate conditions within ACLs to further restrict access based on criteria such as assignment group, location, or other relevant attributes. This ensures that users can only view and update incidents pertinent to their responsibilities.

5. Avoid Modifying Standard ITIL ACLs

To maintain system integrity and avoid unintended consequences, refrain from cloning or modifying standard ITIL ACLs. Instead, create new, custom ACLs tailored to your specific requirements.

If you found my response helpful, please mark it as ‘Accept as Solution’ and ‘Helpful’. This helps other community members find the right answer more easily and supports the community.

Thanks and Regards,
Kaushal Kumar Jha - ServiceNow Consultant - Let's connect on LinkedIn: https://www.linkedin.com/in/kaushalkrjha/
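
The role, field-level and condition rules from steps 1 to 4 of the reply above, modelled as a deny-by-default decision function with a test matrix. This is an added example, not part of the original reply and not ServiceNow's ACL engine: it is plain JavaScript, the role names come from the reply, and the object shapes, sample values and the `decide` and `accessMatrix` helpers are assumptions.

```javascript
// Added model of the access rules in steps 1-4; not ServiceNow platform code.
// Role names are taken from the reply; everything else here is hypothetical.
const READ_ROLE = 'sn_incident_read';
const STATE_ROLE = 'incident_state_abc';
const WRITABLE_FIELDS = new Set(['state']); // field-level rule: only incident.state

// Step 4 condition: the incident must belong to the user's own location.
// A user with no location never matches, even if the incident has none either.
function sameLocation(user, incident) {
  return Boolean(user.location) && user.location === incident.location;
}

// Returns true only when a rule explicitly grants the request (deny by default).
function decide(user, operation, incident, field) {
  const roles = new Set(user.roles || []);
  if (!sameLocation(user, incident)) return false;
  if (operation === 'read') return roles.has(READ_ROLE);
  if (operation === 'write') {
    // Assumption in this model: writing also requires the read role.
    return roles.has(READ_ROLE) && roles.has(STATE_ROLE) && WRITABLE_FIELDS.has(field);
  }
  return false; // create, delete and anything unrecognised
}

// Constructed sample users and incidents.
const manager = { roles: [READ_ROLE, STATE_ROLE], location: 'store-001' };
const viewer = { roles: [READ_ROLE], location: 'store-001' };
const noLocation = { roles: [READ_ROLE, STATE_ROLE] };
const ownIncident = { number: 'INC-SAMPLE-1', location: 'store-001' };
const otherIncident = { number: 'INC-SAMPLE-2', location: 'store-002' };
const unlocatedIncident = { number: 'INC-SAMPLE-3' };

// The cases to re-check by impersonating a test user after building the real ACLs.
function accessMatrix() {
  return {
    managerReadOwn: decide(manager, 'read', ownIncident),
    managerReadOther: decide(manager, 'read', otherIncident),
    managerWriteState: decide(manager, 'write', ownIncident, 'state'),
    managerWriteAssignee: decide(manager, 'write', ownIncident, 'assigned_to'),
    managerWriteStateOther: decide(manager, 'write', otherIncident, 'state'),
    managerCreate: decide(manager, 'create', ownIncident),
    viewerWriteState: decide(viewer, 'write', ownIncident, 'state'),
    noLocationRead: decide(noLocation, 'read', unlocatedIncident),
  };
}

console.log(accessMatrix());
```
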