Security jump start - ACL rules

Note: The functionality described here requires the Security Jump Start (ACL Rules) plugin. The plugin is installed automatically on all new instances.

These rules provide a jump start on securing many system tables, so that an organization can get into production more quickly.

This plugin is not intended for existing instances, because it can change access to tables that are already in use in a production environment. An admin who wants the ACL rules provided by this plugin on an existing instance can create one or more of them manually as specific needs dictate, using the list below as a guideline. If an admin still wants the plugin itself installed on an existing instance, we strongly recommend testing it extensively in a test instance first, to make sure the rules do not conflict with the operational needs of the organization's current implementation.

The following ACLs are included in this plugin. The Operation column uses this key:

  • R=read
  • W=write
  • C=create
  • D=delete
Name | Operation | Description
---- | --------- | -----------
cmdb_ci | WCD | asset or itil role required to write/create/delete Configuration Item records
cmn_department | WD | user_admin role required to write/delete Department records
cmn_location | WC | user_admin role required to write/create Location records
core_company | WD | user_admin role required to write/delete Company records
kb_knowledge | C | knowledge role required to create Knowledge records
ldap_ou_config | RWCD | user_admin role required to read/write/create/delete LDAP OU Definition records
ldap_server_config | RWCD | user_admin role required to read/write/create/delete LDAP Server records
process_guide | WCD | admin role required to write/create/delete Process Guide records
process_step | WCD | admin role required to write/create/delete Process Step records
sc_category | C | catalog_admin role required to create Service Catalog Category records
sc_category | D | catalog_admin role required to delete Service Catalog Category records
sc_category | W | catalog_admin role required to write to Service Catalog Category records
sc_cat_item | W | catalog_admin role required to write to Catalog Item records
sc_cat_item | D | catalog_admin role required to delete Catalog Item records
sc_cat_item | C | catalog_admin role required to create Catalog Item records
sysevent_email_action | R | all users can read Email Notification records (for subscription purposes)
sysevent_register | RWCD | admin role required to read/write/create/delete Event Registry records
sysevent_script_action | RWCD | admin role required to read/write/create/delete Script Action records
syslog | RWCD | admin role required to read/write/create/delete Log Entry records
sysrule | RWCD | admin role required to read/write/create/delete Rule records (Email Notifications, Inbound Email Actions, Approval Rules, etc.)
sysrule | R | all users can read Email Notification records (for subscription-based notifications)
sys_app_application | WCD | admin role required to write/create/delete Application records
sys_app_category | WCD | admin role required to write/create/delete Application Category records
sys_app_module | WCD | admin role required to write/create/delete Module records
sys_audit | RWCD | admin role required to read/write/create/delete Audit records
sys_dictionary | RWC | personalize_dictionary role required to read/write/create Dictionary records
sys_dictionary.* | R | personalize_dictionary role can read Dictionary fields
sys_documentation | D | personalize_dictionary role required to delete Field Label records
sys_documentation | C | personalize_dictionary role required to create Field Label records
sys_documentation | W | personalize_dictionary role required to write to Field Label records
sys_gauge | RWCD | admin role required to read/write/create/delete Gauge records
sys_gauge_count | RWCD | admin role required to read/write/create/delete Gauge Count records
sys_group_has_role | R | itil role required to read Group Role records
sys_home | WCD | itil_admin role required to write/create/delete Welcome Page Section records
sys_installation_exit | WCD | admin role required to write/create/delete Installation Exit records
sys_job | WCD | admin role required to write/create/delete Sys Job records
sys_nav_link | WCD | admin role required to write/create/delete Navigation Link records
sys_perspective | WCD | admin role required to write/create/delete Menu List records
sys_portal | RWCD | admin role required to read/write/create/delete Portal records
sys_portal_page | RWCD | admin role required to read/write/create/delete Homepage records
sys_portal_preferences | RWCD | admin role required to read/write/create/delete Portal Preferences records
sys_processor | WC | admin role required to write/create Processor records
sys_properties | WC | admin role required to write/create System Property records
sys_properties_category | WCD | admin role required to write/create/delete Property Category records
sys_report | D | roles that can delete Report records (does not restrict deleting through the Report UI)
sys_report | W | roles that can write to Report records (does not restrict editing through the Report UI)
sys_report | R | users can read their own Report records, those of their groups, and GLOBAL ones (does not affect viewing through the Report UI)
sys_report | R | roles that can read Report records (does not restrict viewing through the Report UI)
sys_reportroles | R | admin role required to read Report Roles records
sys_script | WCD | admin role required to write/create/delete Business Rule records
sys_script_ajax | WCD | admin role required to write/create/delete AJAX Script records
sys_script_client | WCD | admin role required to write/create/delete Client Script records
sys_script_include | WCD | admin role required to write/create/delete Script Include records
sys_security_acl | W | admin role required to write to Access Control records
sys_security_acl_role | C | admin role required to create Access Roles records
sys_security_acl_role | D | admin role required to delete Access Roles records
sys_security_acl_role | W | admin role required to write to Access Roles records
sys_security_operation | D | admin role required to delete Security Operation records
sys_security_operation | C | admin role required to create Security Operation records
sys_security_operation | W | admin role required to write to Security Operation records
sys_security_type | W | admin role required to write to Security Type records
sys_security_type | C | admin role required to create Security Type records
sys_security_type | D | admin role required to delete Security Type records
sys_status | C | admin role required to create System Status records
sys_status | D | admin role required to delete System Status records
sys_status | W | admin role required to write to System Status records
sys_template | W | template_editor role required to write to Template records
sys_template | C | template_editor role required to create Template records
sys_template | D | template_editor role required to delete Template records
sys_template | R | template_editor role required to read Template records
sys_ui_action | C | admin role required to create UI Action records
sys_ui_action | D | admin role required to delete UI Action records
sys_ui_action | W | admin role required to write to UI Action records
sys_ui_action_view | W | admin role required to write to UI View Action records
sys_ui_action_view | C | admin role required to create UI View Action records
sys_ui_action_view | D | admin role required to delete UI View Action records
sys_ui_policy | C | admin role required to create UI Policy records
sys_ui_policy | D | admin role required to delete UI Policy records
sys_ui_policy | W | admin role required to write to UI Policy records
sys_ui_policy_action | C | admin role required to create UI Policy Action records
sys_ui_policy_action | D | admin role required to delete UI Policy Action records
sys_ui_policy_action | W | admin role required to write to UI Policy Action records
sys_ui_script | W | admin role required to write to UI Script records
sys_ui_script | D | admin role required to delete UI Script records
sys_ui_script | C | admin role required to create UI Script records
sys_user | W | users with no role cannot update any user record except their own
sys_user_grmember | D | user_admin role required to delete Group Member records
sys_user_grmember | W | user_admin role required to write to Group Member records
sys_user_group | C | only itil and above can create Group records
sys_user_group | W | only itil and above can write to Group records
sys_user_has_role | R | itil role required to read User Role records
sys_user_role | C | admin role required to create Role records
sys_user_role | D | admin role required to delete Role records
sys_user_role | W | admin role required to write to Role records
sys_user_role_contains | R | itil role required to read Contained Role records
sys_user_role_contains | W | admin role required to write to Contained Role records
sys_user_token | RWCD | admin role required to read/write/create/delete User Token records
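The guidance above is to hand-create selected rules on an existing instance rather than install the plugin there. The script below is an added example, not code from this page or from the plugin: it diffs a subset of the jump-start rules (transcribed from the table) against the record ACLs an instance already has and reports which are absent and which exist with a different role list, so the conflicts can be reviewed before anything is created. It is written in ES5 so that it runs unchanged in the platform's Rhino scripting engine (for example pasted into Scripts - Background with the elevated security_admin role) and under Node.js for an offline dry run. The rule subset, the constructed SAMPLE_INSTALLED snapshot, all function names, and the assumption that ACLs are stored in sys_security_acl with their roles linked through sys_security_acl_role are this example's own.

```javascript
// Added example (not part of the ServiceNow page or the plugin): audit an
// existing instance for the jump-start ACLs before hand-creating any of them.
// ES5 on purpose: runs in the platform's Rhino engine and under Node.js.

// Operation key from the page: R=read, W=write, C=create, D=delete.
var OP_NAMES = { R: 'read', W: 'write', C: 'create', D: 'delete' };

// Subset of the jump-start rules, transcribed from the table as
// [table, operations, roles named in the description]. Extend as needed.
var JUMP_START_RULES = [
  ['cmdb_ci',               'WCD',  ['asset', 'itil']],
  ['sys_dictionary',        'RWC',  ['personalize_dictionary']],
  ['sys_properties',        'WC',   ['admin']],
  ['sys_script',            'WCD',  ['admin']],
  ['sys_script_include',    'WCD',  ['admin']],
  ['sys_security_acl',      'W',    ['admin']],
  ['sys_security_acl_role', 'WCD',  ['admin']],
  ['sys_user_grmember',     'WD',   ['user_admin']],
  ['sys_user_role',         'WCD',  ['admin']],
  ['sys_user_token',        'RWCD', ['admin']]
];

// Expand the compact rows into one expected ACL per (table, operation).
function expandRules(rules) {
  var out = [];
  rules.forEach(function (rule) {
    rule[1].split('').forEach(function (letter) {
      out.push({ name: rule[0], operation: OP_NAMES[letter], roles: rule[2].slice() });
    });
  });
  return out;
}

// Order-insensitive comparison of two role lists.
function sameRoles(a, b) {
  var x = a.slice().sort(), y = b.slice().sort();
  return x.length === y.length && x.every(function (r, i) { return r === y[i]; });
}

// Compare the expected rules with a snapshot of the instance's active record ACLs.
// missing:     no ACL exists for that table/operation at all.
// rolesDiffer: an ACL exists but its role list is not the one the rule names;
//              review it, since it may be stricter (admin only) or wide open (no role).
function auditJumpStart(installed, rules) {
  var expected = expandRules(rules || JUMP_START_RULES);
  var byKey = {};
  installed.forEach(function (acl) {
    var key = acl.name + ':' + acl.operation;
    (byKey[key] = byKey[key] || []).push(acl);
  });
  var report = { missing: [], rolesDiffer: [] };
  expected.forEach(function (rule) {
    var key = rule.name + ':' + rule.operation;
    var found = byKey[key] || [];
    if (found.length === 0) {
      report.missing.push(key);
    } else if (!found.some(function (acl) { return sameRoles(acl.roles, rule.roles); })) {
      report.rolesDiffer.push({ key: key, expected: rule.roles,
                                found: found.map(function (acl) { return acl.roles; }) });
    }
  });
  return report;
}

// Constructed snapshot standing in for a real instance during an offline run.
var SAMPLE_INSTALLED = [
  { name: 'sys_script',       operation: 'write',  roles: ['admin'] },
  { name: 'sys_script',       operation: 'create', roles: ['admin'] },
  { name: 'sys_security_acl', operation: 'write',  roles: ['admin'] },
  { name: 'cmdb_ci',          operation: 'write',  roles: ['itil'] },  // stricter than asset-or-itil
  { name: 'sys_user_token',   operation: 'read',   roles: [] }         // no role at all
];

// On the instance this reads sys_security_acl and its sys_security_acl_role links
// (standard schema assumed; run with the elevated security_admin role).
// Offline, where GlideRecord does not exist, it returns the sample above.
function collectInstalledAcls() {
  if (typeof GlideRecord === 'undefined') return SAMPLE_INSTALLED;
  var out = [];
  var acl = new GlideRecord('sys_security_acl');
  acl.addQuery('active', true);
  acl.addQuery('type.name', 'record');
  acl.query();
  while (acl.next()) {
    var roles = [];
    var link = new GlideRecord('sys_security_acl_role');
    link.addQuery('sys_security_acl', acl.getUniqueValue());
    link.query();
    while (link.next()) roles.push(String(link.sys_user_role.name));
    out.push({ name: acl.getValue('name'), operation: String(acl.operation.name), roles: roles });
  }
  return out;
}

function formatReport(report) {
  var lines = ['Missing jump-start ACLs: ' + (report.missing.join(', ') || 'none')];
  report.rolesDiffer.forEach(function (d) {
    lines.push('Review ' + d.key + ': expected [' + d.expected.join(', ') + '], found ' + JSON.stringify(d.found));
  });
  return lines.join('\n');
}

// gs.print exists on the platform; console.log under Node.js.
var emit = typeof gs !== 'undefined' ? function (s) { gs.print(s); } : function (s) { console.log(s); };
emit(formatReport(auditJumpStart(collectInstalledAcls())));
```

Entries under rolesDiffer whose found list is empty deserve attention first: a record ACL with no role, no condition and no script passes for every user, which is the opposite of what the jump-start rule intends. An entry that is stricter than the rule (admin where the rule names asset or itil) may be a deliberate local choice and should be left alone unless the business needs the wider role set.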

Applies to: ServiceNow Platform > User Administration; Version: Istanbul