Users with Specific Roles or Managed Group have access to Create, Update and Delete CI Relationships

KoyaJ
Tera Contributor

I have a requirement where users who either have specific roles (u_cmdb_mgmt, asset) or are members of a CI's managed group should be able to create, update, and delete CI relationships in the CMDB.

I've implemented a script that checks for these conditions and enables the relationship (+) button on the CI form. However, when I try to create and submit a new relationship, I receive an error: "User not authorized to add relationships".

Here’s what I’ve done so far:

  • Script checks if the user has the required roles or is part of the CI’s managed group.
  • The (+) button appears as expected.
  • Error occurs when submitting the relationship.

My question:
What additional permissions or ACL configurations are needed to allow these users to create, update, and delete CI relationships? Is there something I’m missing in the script or in the ServiceNow configuration?


Script:

(function() {

    var userID = gs.getUserID();

    // Allow users with either role; otherwise fall back to the managed-group
    // check, so the role result is not overwritten by the group result.
    answer = gs.hasRole('u_cmdb_mgmt') || gs.hasRole('asset') || isUserInManagedGroup(current.parent);

    // Returns true when the current user is a member of the CI's managed-by group.
    function isUserInManagedGroup(ciSysId) {
        var ci = new GlideRecord('cmdb_ci');
        if (ci.get(ciSysId) && ci.managed_by_group) {
            var groupMember = new GlideRecord('sys_user_grmember');
            groupMember.addQuery('group', ci.managed_by_group);
            groupMember.addQuery('user', userID);
            groupMember.query();
            if (groupMember.hasNext()) {
                return true;
            }
        }
        return false;
    }
})();

4 REPLIES

Nehal Dhuri
Mega Sage

Is this error occurring for an admin user, or could you please confirm the role of the user facing this issue?

Please hit like and mark my response as correct if that helps

KoyaJ
Tera Contributor

As an admin, I am able to add and save relationships. Users with the specified roles, as well as users who are part of the CI's managed group, can see the relationship button. However, when they try to save a relationship, an error is displayed.

So you need to check which role has create, update, and delete permission, and that role should be given to the user so that they can update the relationship, or you need to add your custom role to the ACL of the relationship table so that a user with that role can add or update the relationship record.

Please hit like and mark my response as correct if that helps

Bhuvan
Kilo Patron

@KoyaJ

You are trying to add a relationship in the cmdb_rel_ci table; check if the user has the necessary Create/Update/Delete permissions. If not, create ACLs to allow the operations for the role and it should work.


If this helped to answer your query, please mark it helpful & accept the solution.

 

Thanks,

Bhuvan
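
Added example, not code from the thread or from ServiceNow: the role-or-managed-group logic from the question written as the script of an ACL on cmdb_rel_ci, plus a simplified model of ACL evaluation showing why a role-only ACL rejects a user who is only a group member. `aclAllows`, `makeGlideRecord`, `makeGs`, the `placeholder_role` name and the sample users and CIs are constructed stand-ins so it runs under Node; on the instance the script assigns its result to `answer`, and the platform also evaluates conditions and field-level ACLs that this model leaves out.

```javascript
// Decision logic for a script-type ACL on cmdb_rel_ci (create, write or delete).
// On the platform, current, gs and GlideRecord are globals and the result is
// assigned to `answer`; they are parameters here so the code also runs under Node.
function relAclScript(current, gs, GlideRecord) {
    // Roles are checked in the script: an ACL's role list is ANDed with its
    // script, so listing roles there would lock out group-only users.
    if (gs.hasRole('u_cmdb_mgmt') || gs.hasRole('asset')) return true;
    var ci = new GlideRecord('cmdb_ci');
    if (!ci.get(String(current.parent)) || !ci.managed_by_group) return false;
    var member = new GlideRecord('sys_user_grmember');
    member.addQuery('group', ci.managed_by_group);
    member.addQuery('user', gs.getUserID());
    member.query();
    return member.hasNext();
}

// Simplified model of ACL evaluation (assumption, for illustration): inside one
// ACL the role list AND the script must pass; one passing ACL per operation grants.
function aclAllows(acls, op, current, gs, GlideRecord) {
    return acls.some(a => a.table === 'cmdb_rel_ci' && a.operation === op &&
        (a.roles.length === 0 || a.roles.some(r => gs.hasRole(r))) &&
        (!a.script || a.script(current, gs, GlideRecord)));
}

// Constructed in-memory stand-ins for the platform objects and sample data.
function makeGlideRecord(tables) {
    return function GlideRecord(table) {
        var rows = tables[table] || [], filters = [], hits = [];
        this.get = function (id) {
            var row = rows.find(r => r.sys_id === id);
            return !!(row && Object.assign(this, row));
        };
        this.addQuery = (field, value) => { filters.push([field, value]); };
        this.query = () => { hits = rows.filter(r => filters.every(f => r[f[0]] === f[1])); };
        this.hasNext = () => hits.length > 0;
    };
}
function makeGs(userId, roles) {
    return { hasRole: r => roles.includes(r), getUserID: () => userId };
}
var GR = makeGlideRecord({
    cmdb_ci: [{ sys_id: 'ci1', managed_by_group: 'grpA' }, { sys_id: 'ci2', managed_by_group: '' }],
    sys_user_grmember: [{ group: 'grpA', user: 'alice' }]
});
// 'placeholder_role' stands for whatever role the existing ACL requires.
var ROLE_ONLY = [{ table: 'cmdb_rel_ci', operation: 'create', roles: ['placeholder_role'], script: null }];
var WITH_SCRIPT = ROLE_ONLY.concat(['create', 'write', 'delete'].map(
    op => ({ table: 'cmdb_rel_ci', operation: op, roles: [], script: relAclScript })));
```

Each operation needs its own ACL record, so a create ACL alone still leaves write and delete denied.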