ACL on cmdb_ci_appl introduced in Certificate Management plugin restricting read access for some users to all application CIs in the CMDB

Description

Activating the Certificate Management plugin (sn_disco_certmgmt) restricts read access to all cmdb_ci_appl and cmdb_ci_group records, and to records in extending tables such as web servers and DB instances.

The root cause of the problem is the ACLs on the cmdb_ci_appl and cmdb_ci_group tables. These ACLs were added in the Certificate Management plugin on the assumption that other ACLs would already be present on the tables to restrict user access while creating certificate tasks. When no other ACLs are present on the table, the new ACL changes the global access and narrows it down to the "sn_disco_certmgmt.pki_user" role, which is not intended.

Symptoms include nodes missing from Dependency Views Maps or Service Maps, CI Relations Formatter and Relationship Editor, being unable to click through to referenced CIs in tasks, etc.

The following extending tables for application CI classes within Application [cmdb_ci_appl] would be affected by this problem:

.NET Application [cmdb_ci_appl_dot_net]
AD Domain [cmdb_ci_ad_domain]
AD Forest [cmdb_ci_directory_ad_forest]
APIGee Service [cmdb_ci_appl_apigee_srv]
Active Directory Domain Controller [cmdb_ci_ad_controller]
Active Directory Service [cmdb_ci_appl_active_directory]
ActiveMatrix Business Works Process [cmdb_ci_appl_tibco_matrix_proc]
ActiveMatrix Business Works [cmdb_ci_appl_tibco_matrix]
Advanced Queue Queue [cmdb_ci_appl_ora_queue]
Agility Process [cmdb_ci_agility_process]
Apache Web Server [cmdb_ci_apache_web_server]
Application Server Resource [cmdb_ci_application_server_resource]
Application Server [cmdb_ci_app_server]
BizTalk Orchestration [cmdb_ci_appl_biztalk_orch]
BizTalk [cmdb_ci_appl_biztalk]
CA Enterprise Communicator [cmdb_ci_appl_ca]
CA Identity Manager Provisioning Server [cmdb_ci_appl_ca_id_man]
CA Introscope Enterprise Manager [cmdb_ci_appl_ca_ent_man]
CA eTrust Directory Server [cmdb_ci_appl_ca_dir_server]
Cassandra Instance [cmdb_ci_cassandra_instance]
Cisco CallManager [cmdb_ci_appl_cisco_call_man]
Cisco Fibre InterConnect [cmdb_ci_appl_cisco_fibre]
Citrix Application Icon [cmdb_ci_appl_citrix_app]
Citrix Collector [cmdb_ci_appl_citrix_collector]
Citrix License server [cmdb_ci_appl_license_server]
Citrix XenAPP or Presentation Server [cmdb_ci_appl_citrix_xenapp]
Cloud App Server [cmdb_ci_cloud_appserver]
Cloud Authentication [cmdb_ci_cloud_authentication]
Cloud DataBase [cmdb_ci_cloud_database]
Cloud Directory [cmdb_ci_cloud_directory]
Cloud Function [cmdb_ci_cloud_function]
Cloud Gateway [cmdb_ci_cloud_gateway]
Cloud Messaging Service [cmdb_ci_cloud_messaging_service]
Cloud Object Storage [cmdb_ci_cloud_object_storage]
Cloud WebServer [cmdb_ci_cloud_webserver]
Coldfusion Application [cmdb_ci_cf_application]
Coldfusion Server [cmdb_ci_coldfusion_server]
Composer [cmdb_ci_app_server_composer]
Connect-It Service [cmdb_ci_appl_connectit]
Control-M [cmdb_ci_appl_controlm]
DB Instance Size [cmdb_ci_db_instance_size]
DB2 Instance [cmdb_ci_db_db2_instance]
Data Power Domain [cmdb_ci_app_server_dp_domain]
Data Power [cmdb_ci_app_server_datapower]
Database Instance [cmdb_ci_db_instance]
Delivery Controler [cmdb_ci_appl_delivery_controler]
Directory Server [cmdb_ci_directory_server]
Docker Engine [cmdb_ci_docker_engine]
Documentum Brava Job Processor [cmdb_ci_appl_doc_brava_proc]
Documentum Brava License Server [cmdb_ci_appl_doc_brava_server]
Documentum Broker [cmdb_ci_appl_doc_docbroker]
Documentum DocBase [cmdb_ci_appl_doc_docbase]
Domino [cmdb_ci_app_server_domino]
Dynamic CRM Component [cmdb_ci_appl_ms_dynamic_crm]
DynamoDB Global Table [cmdb_ci_dynamodb_global_table]
DynamoDB Table [cmdb_ci_dynamodb_table]
EMS Queue [cmdb_ci_appl_tibco_queue]
Email Server [cmdb_ci_email_server]
Enterprise Vault [cmdb_ci_email_server_ent_vault]
Exchange Client Access Server [cmdb_ci_exchange_cas]
Exchange Edge Transport Server [cmdb_ci_exchange_edge_transport_server]
Exchange Hub Transport Server [cmdb_ci_exchange_hub_transport_server]
Exchange MailBox [cmdb_ci_exchange_mailbox]
Exchange Mailbox Server [cmdb_ci_exchange_mailbox_server]
Exchange Service Component [cmdb_ci_exchange_service_component]
ExchangeBackEndServer [cmdb_ci_exchange_backend]
ExchangeFrontEndServer [cmdb_ci_exchange_frontend]
ExchangeHub [cmdb_ci_exchange_hub]
FTP Server [cmdb_ci_ftp_server]
Fast Search [cmdb_ci_appl_fastsearch]
Generic Application [cmdb_ci_appl_generic]
GlassFish WAR [cmdb_ci_appl_glassfish_war]
GlassFish [cmdb_ci_appl_glassfish]
Groundwork [cmdb_ci_appl_groundwork]
HA Proxy [cmdb_ci_directory_ha]
HAProxy Load Balancer [cmdb_ci_lb_haproxy]
HBase Instance [cmdb_ci_db_hbase_instance]
HP Operations Manager [cmdb_ci_appl_hp_operations]
HP Quality Center [cmdb_ci_appl_hp_qc]
HP SM Index Server [cmdb_ci_appl_hp_index]
HP SM KnowledgeBase [cmdb_ci_appl_hp_sm_kb]
HP Service Manager [cmdb_ci_appl_hp_service]
HP uCMDB [cmdb_ci_app_server_hp_ucmdb]
IBM CICS [cmdb_ci_appl_ibm_cics]
IBM CTG [cmdb_ci_appl_ibm_ctg]
IBM WMB Http Listener [cmdb_ci_appl_ibm_wmb_listener]
IBM WebSphere MQ Queue [cmdb_ci_appl_ibm_wmq_queue]
IBM WebSphere MQ [cmdb_ci_appl_ibm_wmq]
IBM WebSphere Message Broker [cmdb_ci_appl_ibm_wmb]
IBM Websphere [cmdb_ci_app_server_websphere]
IIFP [cmdb_ci_directory_iifp]
IIS Virtual Directory [cmdb_ci_iisdirectory]
IP Server [cmdb_ci_ip_server]
ITAM Asset Center [cmdb_ci_appl_itam]
Inetinfo service [cmdb_ci_inetinfo]
Informix Catalog [cmdb_ci_db_informix_catalog]
Informix Instance [cmdb_ci_db_informix_instance]
Infrastructure Service [cmdb_ci_infra_service]
Inter connect [cmdb_ci_inter_connect]
Interconnect Instance [cmdb_ci_interconnect_instance]
Iplanet Web Server [cmdb_ci_iplanet_web_server]
JBoss [cmdb_ci_app_server_jboss]
JES [cmdb_ci_email_server_jes]
JavaServer [cmdb_ci_app_server_java]
Jboss Fuse [cmdb_ci_appl_jboss_fuse]
Jboss module [cmdb_ci_app_server_jb_module]
Jrun WAR [cmdb_ci_app_server_jrun_war]
Jrun [cmdb_ci_app_server_jrun]
KVM [cmdb_ci_kvm]
Kafka Broker [cmdb_ci_appl_kafka_broker]
Kafka Connect [cmdb_ci_appl_kafka_connect]
Kafka Consumer [cmdb_ci_appl_kafka_consumer]
Kafka Topic [cmdb_ci_appl_kafka_topic]
Kafka Zoo Keeper [cmdb_ci_appl_zoo_keeper]
LDAP DB [cmdb_ci_directory_ldap]
LDAP Service [cmdb_ci_infra_service_ldap]
Load Balancer Application [cmdb_ci_lb_appl]
Lotus Domino HTTP Server [cmdb_ci_web_domino]
MS SQL DataBase [cmdb_ci_db_mssql_database]
MS SQL Server [cmdb_ci_db_mssql_server]
MSFT SQL Instance [cmdb_ci_db_mssql_instance]
MSMQ [cmdb_ci_appl_msmq]
Management Server [cmdb_ci_config_automation_server]
Microsoft iis Web Server [cmdb_ci_microsoft_iis_web_server]
ModProxy Load Balancer [cmdb_ci_lb_modproxy]
Modjk Load Balancer [cmdb_ci_lb_modjk]
Mongo Config Server [cmdb_ci_appl_mongo_config_serv]
MongoDB Instance [cmdb_ci_db_mongodb_instance]
Mongos Server [cmdb_ci_appl_mongos]
MySQL Instance [cmdb_ci_db_mysql_instance]
MySQLClusterDataNode [cmdb_ci_db_mysql_clusternode]
MySQLClusterMGMNode [cmdb_ci_db_mysql_clustermgnode]
Nginx Load Balancer [cmdb_ci_lb_nginx]
Nginx Web Server [cmdb_ci_nginx_web_server]
Nutanix Controller VM [cmdb_ci_nutanix_controller_vm]
Operating-system-level Virtualization Engine [cmdb_ci_oslv_engine]
Oracle App TNS Service [cmdb_ci_appl_ora_tns]
Oracle Concurrent Server [cmdb_ci_appl_ora_conc]
Oracle Database Listener [cmdb_ci_db_ora_listener]
Oracle Discoverer Engine [cmdb_ci_appl_ora_disc]
Oracle Discoverer UI [cmdb_ci_appl_ora_disc_ui]
Oracle ESB [cmdb_ci_appl_ora_ebs]
Oracle Essbase Server [cmdb_ci_app_server_ora_ess]
Oracle Forms Engine [cmdb_ci_appl_ora_forms]
Oracle Forms UI [cmdb_ci_appl_ora_forms_ui]
Oracle Fulfillment Server [cmdb_ci_appl_ora_fs]
Oracle Golden Gate Extract Process [cmdb_ci_appl_ora_gg_extract]
Oracle Golden Gate Replicat Process [cmdb_ci_appl_ora_gg_replicat]
Oracle Golden Gate [cmdb_ci_appl_oracle_golden_gate]
Oracle HTTP Server [cmdb_ci_appl_ora_http]
Oracle Instance [cmdb_ci_db_ora_instance]
Oracle Metric Client [cmdb_ci_appl_ora_metric_client]
Oracle Metric Server [cmdb_ci_appl_ora_metric_svr]
Oracle Notification Server [cmdb_ci_appl_ora_notif_svr]
Oracle OACORE Server [cmdb_ci_appl_ora_oacore]
Oracle OAFM Server [cmdb_ci_appl_ora_oafm]
Oracle PDB Instance [cmdb_ci_db_ora_pdb_instance]
Oracle Process Manager [cmdb_ci_appl_ora_pm]
Oracle Report Server [cmdb_ci_appl_ora_report]
Oracle TNS Listener Engine [cmdb_ci_appl_ora_tnslsnr]
Oracle iAS Web module [cmdb_ci_app_server_ora_ias_m]
Oracle iAS [cmdb_ci_app_server_ora_ias]
Parallels [cmdb_ci_vm_parallels]
Pending Application [cmdb_ci_appl_pending]
Peoplesoft Application Server [cmdb_ci_appl_peoplesoft]
Policy Server [cmdb_ci_dir_policy_server]
PostgreSQL Instance [cmdb_ci_db_postgresql_instance]
Puppet Primary [cmdb_ci_puppet_master]
RHV Manager [cmdb_ci_rhv_manager]
RabbitMQ Cluster [cmdb_ci_appl_rabbitmq_cluster]
RabbitMQ Queue [cmdb_ci_appl_rabbitmq_queue]
RabbitMQ [cmdb_ci_appl_rabbitmq]
Remedy HSServer [cmdb_ci_app_server_remedy]
Rubrik Oracle RAC [cmdb_ci_rubrik_db_ora_rac]
SAP ASCS Application [cmdb_ci_appl_sap_ascs]
SAP Application Server [cmdb_ci_appl_sap_server]
SAP Application [cmdb_ci_appl_sap]
SAP BO BOXIScheduleRouter [cmdb_ci_appl_sap_bo_scheduler]
SAP Business Objects CMS server [cmdb_ci_appl_sap_bo]
SAP Business Objects [cmdb_ci_appl_sap_bus_obj]
SAP CI Application [cmdb_ci_appl_sap_ci]
SAP DI Application [cmdb_ci_appl_sap_di]
SAP ERS Application [cmdb_ci_appl_sap_ers]
SAP Hana Db [cmdb_ci_appl_sap_hana_db]
SAP JC Application [cmdb_ci_appl_sap_jc]
SAP SCS Application [cmdb_ci_appl_sap_scs]
SAP System [cmdb_ci_appl_sap_system]
SAP System [cmdb_ci_sap_sid]
SQL Server Analysis Services [cmdb_ci_db_mssql_analysis]
SQL Server Integration Services Job [cmdb_ci_db_mssql_int_job]
SQL Server Integration Services [cmdb_ci_db_mssql_integration]
SQL Server Reporting Services [cmdb_ci_db_mssql_reporting]
Sendmail [cmdb_ci_appl_sendmail]
ServiceNow Application Component [cmdb_ci_appl_now_app_comp]
ServiceNow Application [cmdb_ci_appl_now_app]
ServiceNow Connector [cmdb_ci_appl_now_connector]
ServiceNow MID Server [cmdb_ci_appl_now_mid]
SharePoint Service [cmdb_ci_appl_sp_service]
SharePoint [cmdb_ci_appl_sharepoint]
Simulation Inclusion [cmdb_ci_app_simulation_inc]
Simulation [cmdb_ci_app_simulation]
Site Minder [cmdb_ci_dir_site_minder_server]
Sun Directory Proxy Server [cmdb_ci_sun_dir_proxy_server]
Sun LDAP Server [cmdb_ci_sun_ldap_dir_server]
Sybase Instance [cmdb_ci_db_syb_instance]
Tibco Adapter [cmdb_ci_appl_tibco_adapter]
Tibco Enterprise Message Service [cmdb_ci_appl_tibco_message]
Tibco Hawk [cmdb_ci_appl_tibco_hawk]
Tomcat WAR [cmdb_ci_app_server_tomcat_war]
Tomcat [cmdb_ci_app_server_tomcat]
Tuxedo Portal [cmdb_ci_appl_tuxedo_portal]
Tuxedo [cmdb_ci_appl_tuxedo]
VMware [cmdb_ci_vm_vmware]
VMware vCenter Instance [cmdb_ci_vcenter]
Vendavo Application Server [cmdb_ci_app_server_vendavo]
Vignette Content Management Server [cmdb_ci_appl_vign_content_svr]
Vignette Search Starter [cmdb_ci_appl_vignette_search]
Vignette Server [cmdb_ci_appl_vignette_server]
Virtual Machine HyperVisor [cmdb_ci_vm]
WBEM Service [cmdb_ci_wbem_service]
WMB Flow [cmdb_ci_appl_wmb]
Web Application [cmdb_ci_web_application]
Web Server [cmdb_ci_web_server]
Web Service [cmdb_ci_web_service]
Web Site [cmdb_ci_web_site]
Weblogic JMS Queue [cmdb_ci_appl_ora_jms_queue]
Weblogic JMS Server [cmdb_ci_appl_weblogic_jms]
Weblogic LB [cmdb_ci_appl_weblogic_lb]
Weblogic Module Server [cmdb_ci_appl_weblogicmodule]
Weblogic [cmdb_ci_app_server_weblogic]
WeblogicModule [cmdb_ci_app_server_wl_module]
Webseal [cmdb_ci_app_server_webseal]
Websphere EAR [cmdb_ci_app_server_ws_ear]
Websphere ODR LB [cmdb_ci_app_server_ws_odr]
Websphere Portal [cmdb_ci_appl_websphere_portal]
Windows Domain Controller [cmdb_ci_win_domain_controller]
Zones [cmdb_ci_vm_zones]
epic agent [cmdb_ci_epic_agent]
epic cache [cmdb_ci_epic_cache]
epicd app server [cmdb_ci_epicd_app_server]

Steps to Reproduce

1. Log into an OOB Orlando instance and impersonate 'itil'.
2. Navigate to cmdb_ci_appl.list and notice that 'itil' can see records in this table.
3. Un-impersonate and, as maint, navigate to sys_plugins.list.
4. Search for the Certificate Inventory and Management (sn_disco_certmgmt) plugin and activate it.
5. After the plugin is activated, impersonate 'itil' and navigate to cmdb_ci_appl.list.
6. Notice that 'Security constraints prevent access to requested page' for 'itil'.

This can also be reproduced in Quebec with Certificate Inventory and Management V3 (1.2.2), and with other roles such as cmdb_read or asset.

Workaround

This problem has been fixed. If you are able to upgrade, review the Fixed In or Intended Fix Version fields to determine whether any versions have a planned or permanent fix.

The fix is in the Certificate Management V4 store app, aka 202107. Check the Store for this release in mid-2021. (Note: v1.2.2 is V3 from mid-2020 and does not contain the fix.)

Workaround: To fix this issue, users can delete the specified ACLs to restore the global read access to the tables.

Delete https://[instance-name].service-now.com/sys_security_acl.do?sys_id=c34f354a3b7733007bfecedf34efc4d0
Delete https://[instance-name].service-now.com/sys_security_acl.do?sys_id=c7ae390a3b7733007bfecedf34efc4b1

For Certificate Management Plugin V4 and higher, if there are any existing ACLs on the tables cmdb_ci_appl and cmdb_ci_group, the user has to add the "sn_disco_certmgmt.pki_user" role to the existing ACLs to give proper read access while creating the certificate tasks.

Related Problem: PRB1430513
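
The root cause described above, as an added illustration that is not ServiceNow or plugin code: a simplified JavaScript model of table-level read ACL lookup, showing why an ACL added to a table that had none locks out 'itil' on the table and its extending tables. The lookup rule, the cmdb_ci stand-in ACL, its role list and all function names are assumptions made for this example.

```javascript
// Added illustration, not ServiceNow code. Assumed simplified lookup: the most
// specific table in the class hierarchy that has a read ACL decides, and
// passing any one ACL at that level grants read.
const PKI = 'sn_disco_certmgmt.pki_user';

// child -> parent (the Web Server class extends cmdb_ci_appl)
const PARENT = { cmdb_ci_web_server: 'cmdb_ci_appl', cmdb_ci_appl: 'cmdb_ci' };

// Constructed ACL sets; the cmdb_ci entry stands in for the broad read access
// users had before the plugin was activated.
const BEFORE = [{ table: 'cmdb_ci', roles: ['itil', 'cmdb_read', 'asset'] }];
// Plugin activated on a table that had no ACL of its own.
const AFTER = [...BEFORE, { table: 'cmdb_ci_appl', roles: [PKI] }];
// V4 guidance: the table already has an ACL and the role is added to it.
const V4 = [...BEFORE, { table: 'cmdb_ci_appl', roles: ['itil', PKI] }];

// Walk from the requested table up through its parents until an ACL is found.
function decidingAcls(table, acls) {
  for (let t = table; t; t = PARENT[t]) {
    const hits = acls.filter((a) => a.table === t);
    if (hits.length > 0) return hits;
  }
  return [];
}

function canRead(userRoles, table, acls) {
  return decidingAcls(table, acls).some((acl) =>
    acl.roles.some((role) => userRoles.includes(role)));
}

// Audit helper: tables whose read ACLs all require only the given role, i.e.
// tables where that role has become the sole gate for the whole subtree.
function soleGateTables(acls, role) {
  const tables = [...new Set(acls.map((a) => a.table))];
  return tables.filter((t) => acls
    .filter((a) => a.table === t)
    .every((a) => a.roles.length === 1 && a.roles[0] === role));
}

console.log('itil, web server, before:', canRead(['itil'], 'cmdb_ci_web_server', BEFORE));
console.log('itil, web server, after: ', canRead(['itil'], 'cmdb_ci_web_server', AFTER));
console.log('sole-gate tables after:  ', soleGateTables(AFTER, PKI));
console.log('itil, web server, V4:    ', canRead(['itil'], 'cmdb_ci_web_server', V4));
```

On a real instance the equivalent check is to list the read ACLs on cmdb_ci_appl and cmdb_ci_group and confirm that the plugin role is not the only one required.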