A least-privileged user account must have the following permissions:

All Configurations (required to validate the other ACLs)

  • sys_user_has_role

  • security_acl_detail

  • sys_security_operation

Resource Grouping ACLs

  • cmdb_metadata_hosting

  • cmdb_metadata_reference

  • cmdb_metadata_containment

  • sys_dictionary

  • sys_dictionary.*

  • sys_glide_object

  • svc_ci_assoc (only if you are using the association table in any of the group configurations)

  • each table that is in the configuration JSON (cmdb_ci_vmware_instance for example)

Alerting ACLs

  • sys_choice

  • sys_choice.*

  • sys_dictionary

  • sys_dictionary.*

  • sys_glide_object

  • each table that is in the configuration JSON if CI mapping is used (cmdb_ci_vmware_instance for example)

  • One of the following, depending on which option is specified in your configuration file:

    • incident (read and write)

    • em_alert (read and write)

    • em_event (read and write)

CMDB Sync ACLs

  • sys_db_object

  • cmdb_reconciliation_definition

  • sys_choice

  • sys_choice.*

  • cmdb_rel_type

  • each table in Synced Resources (read and edit_ci_relations are always required; delete is required if you use a configuration that deletes CIs when they are removed from, or are Not Existing in, VMware Aria Operations)

Role

  • itil

Note:

This is a requirement for getting metadata about the tables, which we need in order to determine data types, allowable columns, etc.
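One way to audit an integration account against the lists above, as an added example that is not part of the product or its documentation: it computes the ACLs a given feature set needs and reports grants that are missing or in excess of least privilege. The `cfg` layout and the sample data are constructed for illustration, "read" is assumed wherever the page names a table without an operation, and the itil role is not checked.

```python
# Added example: least-privilege audit for the ACL lists on this page.
# The cfg dictionary layout is hypothetical, not the product's configuration file format.
BASE = {"sys_user_has_role", "security_acl_detail", "sys_security_operation"}
META = {"sys_dictionary", "sys_dictionary.*", "sys_glide_object"}
GROUPING = META | {"cmdb_metadata_hosting", "cmdb_metadata_reference",
                   "cmdb_metadata_containment"}
ALERTING = META | {"sys_choice", "sys_choice.*"}
SYNC = {"sys_db_object", "cmdb_reconciliation_definition", "sys_choice",
        "sys_choice.*", "cmdb_rel_type"}
ALERT_TARGETS = {"incident", "em_alert", "em_event"}

def required_acls(cfg):
    """Return the (acl_name, operation) pairs needed for the enabled features."""
    # Assumption: "read" wherever the page lists a table without an operation.
    names, need = set(BASE), set()
    grouping, alerting, sync = (cfg.get(k) for k in ("grouping", "alerting", "sync"))
    if grouping:
        names |= GROUPING | set(grouping["tables"])
        if grouping.get("uses_assoc_table"):   # svc_ci_assoc only when it is used
            names.add("svc_ci_assoc")
    if alerting:
        target = alerting["target"]            # exactly one of the three targets
        if target not in ALERT_TARGETS:
            raise ValueError(f"unknown alert target: {target}")
        names |= ALERTING | set(alerting.get("ci_mapping_tables", ())) | {target}
        need.add((target, "write"))
    if sync:
        names |= SYNC | set(sync["synced_tables"])
        for table in sync["synced_tables"]:
            need.add((table, "edit_ci_relations"))
            if sync.get("deletes_cis"):        # delete only if CIs get deleted
                need.add((table, "delete"))
    return need | {(name, "read") for name in names}

def audit(cfg, granted):
    """Return (missing, excess) relative to what the configuration requires."""
    need = required_acls(cfg)
    return sorted(need - granted), sorted(granted - need)

# Constructed sample: alerting to em_alert plus CMDB sync without CI deletion.
SAMPLE_CFG = {
    "alerting": {"target": "em_alert", "ci_mapping_tables": ["cmdb_ci_vmware_instance"]},
    "sync": {"synced_tables": ["cmdb_ci_vmware_instance"], "deletes_cis": False},
}
# Constructed grant list: complete except sys_db_object read, plus two unneeded grants.
SAMPLE_GRANTED = (required_acls(SAMPLE_CFG) - {("sys_db_object", "read")}) | {
    ("incident", "write"), ("cmdb_ci_vmware_instance", "delete")}

print(audit(SAMPLE_CFG, SAMPLE_GRANTED))
```

In practice the `granted` set would be built from an export of the account's effective ACLs; anything in the excess list is a candidate for removal.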