# CMDB Permissions & Roles
## CMDB-specific roles

| Role name | Description |
|---|---|
| CMDB Viewer | The base role for the CMDB table. It only grants the ability to read the CMDB and a base-level amount of information. |
| CMDB Manager | Provides an expanded set of privileges for the CMDB application and its associated tables. |
| CMDB Administrator | The highest-privileged role for the CMDB application and its associated tables. It grants the ability to edit properties and delete records. |

## How CMDB application security works

The CMDB application is made up of numerous tables, but the majority of them are just a way of logically separating data. As a result, security is broken up into two sections, depending on whether a table holds the actual configuration items or the models.

It should be noted that the Configuration Management Database was deliberately given its own roles. As more and more business units need to track configuration items, the CMDB is not necessarily owned by any one business unit, so no single business unit's role should be the role that carries permission to update them.

### Tables extended from cmdb

| Permission type | Security model | Why was it set up like this? |
|---|---|---|
| Create configuration items | Only users with the CMDB Manager role can create configuration items. | Not everyone who can see configuration items should also be allowed to create them. This avoids users creating duplicate or unnecessary configuration items. |
| Read configuration items | Users require the CMDB Viewer role to read configuration items. | It made sense to have a role specific to reading configuration items, as some organisations may decide everyone should be able to see them, whilst others only want certain users to be able to do so. A role dedicated to this purpose supports both choices. |
| Update configuration items | Only users with the CMDB Manager role can update configuration items. | Allowing only CMDB Managers to update configuration items ensures that only the users who make changes can record them; being able to view an item does not allow you to update it at random. |
| Delete configuration items | Only users with the CMDB Administrator role or the administrator role can delete configuration items. | Deletion is allocated only to administrators because of the impact that deleting a configuration item can have on data integrity. |

### Tables extended from cmdb model

| Permission type | Security model | Why was it set up like this? |
|---|---|---|
| Create model | Only users with the CMDB Manager role can create models. | Not everyone who can see models should also be allowed to create them. This avoids users creating duplicate or unnecessary models. |
| Read model | Users require the CMDB Viewer role to read models. | It made sense to have a role specific to reading models, as some organisations may decide everyone should be able to see them, whilst others only want certain users to be able to do so. A role dedicated to this purpose supports both choices. |
| Update model | Only users with the CMDB Manager role can update models. | Allowing only CMDB Managers to update models ensures that only the users who make changes can record them; being able to view a model does not allow you to update it at random. |
| Delete model | Only users with the CMDB Administrator role or the administrator role can delete models. | Deletion is allocated only to administrators because of the impact that deleting a model can have on data integrity. |

## Recommended role allocation

Before allocating roles, remember to check which roles already include other roles automatically, so as not to double up.

When managing the Configuration Management Database, there are essentially four main "personas" that align with various processes. This section details those four personas and what makes sense for their role allocation. Naturally, this is the lowest level of security for each and can be changed, but these are what we recommend. For the purpose of these examples the focus is largely on ITSM-related personas, but replacing the ITSM roles with another role is naturally possible.

### Configuration Management Database Manager

Description: These are the individuals who manage their organisation's CMDB. They are responsible for maintaining data integrity, as well as ensuring that all data sources are correct and aligned.

Roles recommended:

- platform selfservice
- platform agent
- itsm agent
- cmdb viewer
- cmdb manager
- cmdb administrator
- knowledge editor

### IT Service Desk Agent (Level 2/3 Support)

Description: These are the individuals who work within the IT department and often complete the changes, investigate problems, and help with other more complex tasks. In addition, it is their responsibility to update a configuration item's information once they have completed changes against it.

Roles recommended:

- platform agent
- platform selfservice
- cmdb manager
- cmdb viewer
- itsm agent

### Level 1 Support Agent

Description: These users often triage cases and are the first point of contact for any IT issues within the organisation. However, they never complete changes themselves and often only need to view configuration items, as opposed to editing them.

Roles recommended:

- platform selfservice
- platform agent
- itsm agent
- cmdb viewer

### Any other user in the organisation

Description: These are the users who are not part of any service desk and don't complete any work within the IT department. They are part of the organisation, but need to be able to raise IT issues, as well as view IT issues. It does not make sense for them to be able to see configuration items, as they won't understand the difference between them.

Roles recommended:

- platform selfservice
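The permission model in the two tables above and the four recommended persona allocations can be checked together as policy-as-code. The following is an added example, not code from the CMDB product: the operation-to-role matrix and the persona role sets are transcribed from this page, while the helper names (`can`, `expand_roles`, `redundant_roles`, `least_privilege_report`) and the `contains` map that describes which roles automatically include others are assumptions of the example. The product's real role containment is configuration you would look up, so it is passed in as a parameter rather than hard-coded.

```python
"""Policy-as-code check for the CMDB permission model on this page.

Added example, not the CMDB product's own code. The operation -> role
matrix and persona role sets are transcribed from the page; helper names,
the dict layout and any `contains` map passed in are our own assumptions.
"""
from __future__ import annotations

from collections.abc import Iterable, Mapping

# Operation -> roles, any one of which grants it. The page gives the same
# model for tables extended from cmdb and from cmdb model, so one matrix
# serves both kinds of table.
CMDB_POLICY: dict[str, frozenset[str]] = {
    "create": frozenset({"cmdb manager"}),
    "read": frozenset({"cmdb viewer"}),
    "update": frozenset({"cmdb manager"}),
    "delete": frozenset({"cmdb administrator", "administrator"}),
}

# Recommended role allocation for the four personas, as listed on the page.
PERSONAS: dict[str, frozenset[str]] = {
    "cmdb manager persona": frozenset({
        "platform selfservice", "platform agent", "itsm agent",
        "cmdb viewer", "cmdb manager", "cmdb administrator", "knowledge editor",
    }),
    "level 2/3 support agent": frozenset({
        "platform agent", "platform selfservice", "cmdb manager",
        "cmdb viewer", "itsm agent",
    }),
    "level 1 support agent": frozenset({
        "platform selfservice", "platform agent", "itsm agent", "cmdb viewer",
    }),
    "any other user": frozenset({"platform selfservice"}),
}


def expand_roles(roles: Iterable[str],
                 contains: Mapping[str, Iterable[str]] | None = None) -> frozenset[str]:
    """Return the given roles plus every role they automatically include.

    `contains` maps a role to the roles it includes; inclusion is resolved
    transitively. The page says to check this before allocating roles, and
    the real map is product configuration, so it is supplied by the caller.
    With no map, roles are taken at face value.
    """
    contains = contains or {}
    seen: set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(contains.get(role, ()))
    return frozenset(seen)


def can(roles: Iterable[str], operation: str,
        contains: Mapping[str, Iterable[str]] | None = None) -> bool:
    """True if any held (or automatically included) role grants `operation`."""
    try:
        required = CMDB_POLICY[operation]
    except KeyError:
        raise ValueError(f"unknown CMDB operation: {operation!r}") from None
    return not required.isdisjoint(expand_roles(roles, contains))


def effective_permissions(roles: Iterable[str],
                          contains: Mapping[str, Iterable[str]] | None = None) -> frozenset[str]:
    """All CMDB operations the role set is allowed to perform."""
    roles = frozenset(roles)
    return frozenset(op for op in CMDB_POLICY if can(roles, op, contains))


def redundant_roles(roles: Iterable[str],
                    contains: Mapping[str, Iterable[str]]) -> frozenset[str]:
    """Explicitly granted roles that another granted role already includes
    (the 'doubling up' the page warns about)."""
    roles = frozenset(roles)
    return frozenset(r for r in roles if r in expand_roles(roles - {r}, contains))


def least_privilege_report(personas: Mapping[str, Iterable[str]] = PERSONAS,
                           contains: Mapping[str, Iterable[str]] | None = None
                           ) -> dict[str, frozenset[str]]:
    """Effective CMDB permissions per persona, for review against the page's intent
    (e.g. level 1 agents read only, other users no CMDB access at all)."""
    return {name: effective_permissions(roles, contains) for name, roles in personas.items()}


if __name__ == "__main__":
    for persona, perms in least_privilege_report().items():
        print(f"{persona:24} -> {sorted(perms) or ['(no CMDB access)']}")
```

Run stand-alone it prints the effective CMDB permissions for each persona, which is the review you would do before granting roles in production: the level 1 agent ends up with `read` only and "any other user" with nothing, matching the page's intent. If your platform does report that, say, CMDB Administrator already includes CMDB Manager, pass that as the `contains` map and `redundant_roles` will list the allocations you can drop.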