DevOps Insights 1.36 application adds ACLs which hide Business Service and Business Application CIs in the CMDB - Known Error

DevOps Insights 1.36 application adds ACLs which hide Business Service and Business Application CIs in the CMDB Description DevOps Insights 1.36 application adds ACLs which hide Business Service and Business Application CIs, from itil, asset, cmdb_read and other roles that should be able to read all CIs.

cmdb_ci_business_app/read /sys_security_acl.do?sys_id=59e8ac3943e91110a2d08ecf5bb8f20c

cmdb_ci_service/read /sys_security_acl.do?sys_id=e8dc2c3d43e91110a2d08ecf5bb8f298

They restrict record level read to only sn_devops.viewer users, to records in that class and all extending CI classes.

When an ACL like this is added, which fails, and there are no other record level ACLs at this table level in the extended table that would pass, the ACL system fails the record ACL and deliberately does not fall back to the existing CMDB ACL set at the cmdb_ci level that would pass.

Steps to Reproduce

On a instance with CMDB and user demo data Install DevOps Insights (1.36) Turn on session debug for security Impersonate a user with itil (e.g. Andrew Och), or create a user with just cmdb_read role, which are roles that should be able to see all CIs. Open list /cmdb_ci_service_list.do You don't see anything listed, even though records exist. You will see the failing ACL in the security session debug from simply opening a list of Services in the CMDB:

access denied 06:13:22 AM.314 TIME = 0:00:00.000 PATH = record/cmdb_ci_service/read CONTEXT = null RC = false RULE = not evaluated access denied not evaluated not evaluated record/cmdb_ci_service/read App: App:DevOps Insights

That's this ACL: /sys_security_acl.do?sys_id=e8dc2c3d43e91110a2d08ecf5bb8f298 role: sn_devops.viewer

The presence of a single ACL at the cmdb_ci_service level of the extended table, that fails, with no other record level ACL that passes, means the ACL system does not fall back to the existing higher level record ACLs that would normally allow an itil user (or cmdb_read user) to real any CI in the CMDB. This is the expected behaviour of ACLs. The addition of this new ACL, without also cmdb_read role, is the problem.

You can do the same for the cmdb_ci_business_app table.

Workaround This problem is currently under review and targeted to be fixed in a future release. Subscribe to this Known Error article to receive notifications when more information will be available.