'Orchestration Virtualization' plugin installs a read ACL on cmdb_ci_vm_object which does not contain cmdb_read


Description

Users are no longer able to access records in cmdb_ci_vm_instance after the Orchestration Virtualization plugin (com.snc.runbook_automation.virtualization) is activated.

The cmdb_read role is missing from the list of roles on the newly added ACL. This role was added in Madrid to restrict access to Madrid. Because of the newly introduced ACL on cmdb_ci_vm_object, the ACLs on the parent table (which do contain cmdb_read) are not checked.

Steps to Reproduce

  1. Install the plugin 'com.snc.pa.cmp' (Performance Analytics - Content Pack - Cloud Management)
  2. This activates Orchestration Virtualization (com.snc.runbook_automation.virtualization) as a prerequisite
  3. This plugin installs the ACL below.
    • sys_security_acl_4d99fb5b37063000f5bf1f23dfbe5d31.xml
  4. The ACL has sys_security_acl_role records for the below
    • cloud_user
    • itil
    • ecmdb_admin
    • asset
    • cloud_admin
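
The masking effect described above, modelled as an added example (not part of the original article and not ServiceNow code). It assumes cmdb_ci as the parent of cmdb_ci_vm_object and a constructed parent role list, and it considers only role requirements on record-level read ACLs, not conditions, scripts, or wildcard ACLs.

```javascript
// Assumed hierarchy: the article does not name the parent of cmdb_ci_vm_object.
const PARENT = {
  cmdb_ci_vm_instance: 'cmdb_ci_vm_object',
  cmdb_ci_vm_object: 'cmdb_ci',
  cmdb_ci: null,
};

// Read ACL role lists. cmdb_ci_vm_object is taken from the article; the cmdb_ci
// entry is constructed (the article only says the parent ACLs contain cmdb_read).
const READ_ACL_ROLES = {
  cmdb_ci_vm_object: ['cloud_user', 'itil', 'ecmdb_admin', 'asset', 'cloud_admin'],
  cmdb_ci: ['cmdb_read'],
};

// Tables on the path to the root that carry a read ACL, nearest first.
function aclChain(table) {
  const chain = [];
  for (let t = table; t; t = PARENT[t]) {
    if (READ_ACL_ROLES[t]) chain.push(t);
  }
  return chain;
}

// The nearest table with an ACL decides; ACLs further up are not consulted.
function canRead(userRoles, table) {
  const [decider] = aclChain(table);
  if (!decider) return { allowed: null, decidedBy: null }; // outside this model
  const allowed = READ_ACL_ROLES[decider].some((r) => userRoles.includes(r));
  return { allowed, decidedBy: decider };
}

// Roles the next ACL up the hierarchy accepts but the deciding ACL does not.
function shadowedRoles(table) {
  const [decider, next] = aclChain(table);
  if (!next) return [];
  return READ_ACL_ROLES[next].filter((r) => !READ_ACL_ROLES[decider].includes(r));
}

// A user holding only cmdb_read is denied on the child table.
console.log(canRead(['cmdb_read'], 'cmdb_ci_vm_instance'));
// The same user is still allowed on the assumed parent table.
console.log(canRead(['cmdb_read'], 'cmdb_ci'));
// Audit view: which roles lost access because of the more specific ACL.
console.log(shadowedRoles('cmdb_ci_vm_instance'));
```

Running shadowedRoles over every table that gains an ACL from a plugin activation gives a quick list of roles to review before the plugin reaches production.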

Workaround

This problem is currently under review. You can contact ServiceNow Technical Support or subscribe to this Known Error article by clicking the Subscribe button at the top right of this form to be notified when more information becomes available.


Related Problem: PRB1386756