Restricted read access to cmdb_ci_appl and cmdb_ci_group tables after installing Certificate Management pluginDescription Activating Certificate Management Plugin (sn_disco_certmgmt) restricting read access to all cmdb_ci_appl and cmdb_ci_group records.The root cause of the problem is the ACLs on cmdb_ci_appl and cmdb_ci_group table. These ACLs were added in Certificate Management plugin assuming there will be other ACLs present on the table which will restrict user access while creating certificate tasks. But when there are no ACLs present on the table it changes the global access and narrows it down to "sn_disco_certmgmt.pki_user" role, which is not intended. Steps to Reproduce 1. Log into an OOB Orlando instance and impersonate 'itil' 2. Navigate to cmdb_ci_appl or cmdb_ci_group list and notice that 'itil' can see records in this table 3. Un-impersonate, and as maint, navigate to sys_plugins list 4. Search for Certificate Inventory and Management (sn_disco_certmgmt) plugin and activate it. 5. After plugin is activated, impersonate 'itil' and navigate to cmdb_ci_appl or cmdb_ci_group list 6. Notice that 'Security constraints prevent access to requested page' for 'itil' Workaround The issue will be fixed in PRB1430513 in Certificate Management Plugin V4. To fix this issue users can delete the specified ACLs to restore the global read access to the tables. 1. Delete https://[instance-name].service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=c34f354a3b7733007bfecedf34efc4d0 2. Delete https://[instance-name].service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=c7ae390a3b7733007bfecedf34efc4b1 For Certificate Management Plugin V4 and higher, If there are any existing ACLs on the tables cmdb_ci_appl and cmdb_ci_group the user has to add "sn_disco_certmgmt.pki_user" role to the existing ACLs to give proper read access while creating the certificate tasks.