Security jump start - ACL rules

The Security Jump Start (ACL Rules) Plugin is installed automatically on all new instances.

Note: Plugin required. The functionality described here requires the Security Jump Start (ACL Rules) plugin, which is installed automatically for new instances.

These rules were written to provide a jump start on securing many system tables, so that an organization can get into production more quickly.

This plugin is not intended for existing instances, because it might modify security access to tables that are already in use in a production environment. An admin interested in the ACL rules this plugin provides can create one or more of them manually in an existing instance as specific needs dictate, using the list of ACLs below as a guideline. Should an admin still want this plugin installed on an existing instance, we strongly recommend testing it extensively in a test instance first, to ensure that the rules do not conflict with the operational needs of the organization's current implementation.

The following ACLs are included in this plugin. The Operation column uses the following key:
  • R=read
  • W=write
  • D=delete
  • C=create
Name                    Operation  Description
----------------------------------------------------------------------------------------------------------
cmdb_ci                 WCD        asset or itil role required to write/create/delete Configuration Item records
cmn_department          WD         user_admin role required to write/delete Department records
cmn_location            WC         user_admin role required to write/create Location records
core_company            WD         user_admin role required to write/delete Company records
kb_knowledge            C          knowledge role required to create Knowledge records
ldap_ou_config          RWCD       user_admin role required to read/write/create/delete LDAP OU Definition records
ldap_server_config      RWCD       user_admin role required to read/write/create/delete LDAP Server records
process_guide           WCD        admin role required to write/create/delete Process Guide records
process_step            WCD        admin role required to write/create/delete Process Step records
sc_category             C          catalog_admin role required to create Service Catalog Category records
sc_category             D          catalog_admin role required to delete Service Catalog Category records
sc_category             W          catalog_admin role required to write to Service Catalog Category records
sc_cat_item             W          catalog_admin role required to write to Catalog Item records
sc_cat_item             D          catalog_admin role required to delete Catalog Item records
sc_cat_item             C          catalog_admin role required to create Catalog Item records
sysevent_email_action   R          all users can read Email Notification records (for subscription purposes)
sysevent_register       RWCD       admin role required to read/write/create/delete Event Registry records
sysevent_script_action  RWCD       admin role required to read/write/create/delete Script Action records
syslog                  RWCD       admin role required to read/write/create/delete Log Entry records
sysrule                 RWCD       admin role required to read/write/create/delete Rule records (Email Notifications, Inbound Email Actions, Approval Rules, etc.)
sysrule                 R          all users can read Email Notification records (for subscription-based notifications)
sys_app_application     WCD        admin role required to write/create/delete Application records
sys_app_category        WCD        admin role required to write/create/delete Application Category records
sys_app_module          WCD        admin role required to write/create/delete Module records
sys_audit               RWCD       admin role required to read/write/create/delete Audit records
sys_dictionary          RWC        personalize_dictionary role required to read/write/create Dictionary records
sys_dictionary.*        R          personalize_dictionary role can read Dictionary fields
sys_documentation       D          personalize_dictionary role required to delete Field Label records
sys_documentation       C          personalize_dictionary role required to create Field Label records
sys_documentation       W          personalize_dictionary role required to write to Field Label records
sys_gauge               RWCD       admin role required to read/write/create/delete Gauge records
sys_gauge_count         RWCD       admin role required to read/write/create/delete Gauge Count records
sys_group_has_role      R          itil role required to see Group Role records
sys_home                WCD        itil_admin role required to write/create/delete Welcome Page Section records
sys_installation_exit   WCD        admin role required to write/create/delete Installation Exit records
sys_job                 WCD        admin role required to write/create/delete Sys Job records
sys_nav_link            WCD        admin role required to write/create/delete Navigation Link records
sys_perspective         WCD        admin role required to write/create/delete Menu List records
sys_portal              RWCD       admin role required to read/write/create/delete Portal records
sys_portal_page         RWCD       admin role required to read/write/create/delete Homepage records
sys_portal_preferences  RWCD       admin role required to read/write/create/delete Portal Preferences records
sys_processor           WC         admin role required to write/create Processor records
sys_properties          WC         admin role required to write/create System Property records
sys_properties_category WCD        admin role required to write/create/delete Property Category records
sys_report              D          roles that can delete Report records (does not restrict deleting through the Report UI)
sys_report              W          roles that can write to Report records (does not restrict editing through the Report UI)
sys_report              R          users can read their own Report records, those of their groups, and GLOBAL ones (does not affect viewing through the Report UI)
sys_report              R          roles that can read Report records (does not restrict viewing through the Report UI)
sys_reportroles         R          admin role required to read Report Roles records
sys_script              WCD        admin role required to write/create/delete Business Rule records
sys_script_ajax         WCD        admin role required to write/create/delete AJAX Script records
sys_script_client       WCD        admin role required to write/create/delete Client Script records
sys_script_include      WCD        admin role required to write/create/delete Script Include records
sys_security_acl        W          admin role required to write to Access Control records
sys_security_acl_role   C          admin role required to create Access Roles records
sys_security_acl_role   D          admin role required to delete Access Roles records
sys_security_acl_role   W          admin role required to write to Access Roles records
sys_security_operation  D          admin role required to delete Security Operation records
sys_security_operation  C          admin role required to create Security Operation records
sys_security_operation  W          admin role required to write to Security Operation records
sys_security_type       W          admin role required to write to Security Type records
sys_security_type       C          admin role required to create Security Type records
sys_security_type       D          admin role required to delete Security Type records
sys_status              C          admin role required to create System Status records
sys_status              D          admin role required to delete System Status records
sys_status              W          admin role required to write to System Status records
sys_template            W          template_editor role required to write to Template records
sys_template            C          template_editor role required to create Template records
sys_template            D          template_editor role required to delete Template records
sys_template            R          template_editor role required to read Template records
sys_ui_action           C          admin role required to create UI Action records
sys_ui_action           D          admin role required to delete UI Action records
sys_ui_action           W          admin role required to write to UI Action records
sys_ui_action_view      W          admin role required to write to UI View Action records
sys_ui_action_view      C          admin role required to create UI View Action records
sys_ui_action_view      D          admin role required to delete UI View Action records
sys_ui_policy           C          admin role required to create UI Policy records
sys_ui_policy           D          admin role required to delete UI Policy records
sys_ui_policy           W          admin role required to write to UI Policy records
sys_ui_policy_action    C          admin role required to create UI Policy Action records
sys_ui_policy_action    D          admin role required to delete UI Policy Action records
sys_ui_policy_action    W          admin role required to write to UI Policy Action records
sys_ui_script           W          admin role required to write to UI Script records
sys_ui_script           D          admin role required to delete UI Script records
sys_ui_script           C          admin role required to create UI Script records
sys_user                W          users with no role cannot update any user record but their own
sys_user_grmember       D          user_admin role required to delete Group Member records
sys_user_grmember       W          user_admin role required to write to Group Member records
sys_user_group          C          only itil and above can create Group records
sys_user_group          W          only itil and above can write to Group records
sys_user_has_role       R          itil role required to see User Role records
sys_user_role           C          admin role required to create Role records
sys_user_role           D          admin role required to delete Role records
sys_user_role           W          admin role required to write to Role records
sys_user_role_contains  R          itil role required to see Contained Role records
sys_user_role_contains  W          admin role required to write to Contained Role records
sys_user_token          RWCD       admin role required to read/write/create/delete User Token records
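The caveat above asks an admin to check, before creating any of these rules in an existing instance, whether they overlap with ACLs already in place. The following is an added example of such a pre-flight check, not code from ServiceNow or the plugin: it expands the page's Operation key, takes a handful of the rules from the table and a constructed sample of an instance's existing ACLs, and reports, per table and operation, whether the rule is new, matches the existing role, or needs review. The sample existing ACLs and the role names in them (catalog_editor) are constructed for illustration.

```javascript
// Operation key from the page: R=read, W=write, D=delete, C=create.
const OP_CODES = { R: "read", W: "write", D: "delete", C: "create" };

// Expand a code string such as "RWCD" into operation names; a spelled-out
// operation ("write") passes through unchanged.
function expandOps(op) {
  if (/^[RWDC]+$/.test(op)) return [...op].map((c) => OP_CODES[c]);
  return [op.toLowerCase()];
}

// A few of the plugin's rules, transcribed from the table above.
const JUMP_START_RULES = [
  { table: "sys_user_token", op: "RWCD", role: "admin" },
  { table: "sys_properties", op: "WC", role: "admin" },
  { table: "sc_cat_item", op: "W", role: "catalog_admin" },
  { table: "sys_user_group", op: "C", role: "itil" },
];

// Constructed sample of what an existing instance might already have on
// those tables (in practice this would come from the instance's own ACL list).
const EXISTING_ACLS = [
  { table: "sys_properties", op: "write", roles: ["admin"] },
  { table: "sc_cat_item", op: "write", roles: ["catalog_editor"] },
  { table: "sys_user_group", op: "create", roles: ["user_admin"] },
];

// For every table/operation a rule would cover, classify it as:
//   "new"       no existing ACL on that table and operation
//   "same-role" every existing ACL there already requires the rule's role
//   "review"    an existing ACL there uses different roles; inspect before adding
function preflight(rules, existing) {
  const findings = [];
  for (const rule of rules) {
    for (const op of expandOps(rule.op)) {
      const matches = existing.filter((a) => a.table === rule.table && a.op === op);
      let status = "review";
      if (matches.length === 0) status = "new";
      else if (matches.every((a) => a.roles.includes(rule.role))) status = "same-role";
      findings.push({
        table: rule.table, op, role: rule.role, status,
        existingRoles: matches.flatMap((a) => a.roles),
      });
    }
  }
  return findings;
}
```

Only the "review" entries need a human decision; "new" entries still add a restriction that did not exist before and should be confirmed against who currently uses the table.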