A least privileged user account must have the following permissions:

Resource Grouping ACLs

  • cmdb_metadata_hosting
  • cmdb_metadata_reference
  • cmdb_metadata_containment
  • sys_dictionary
  • each table that is in the configuration json (cmdb_ci_vmware_instance for example)

If the alert sync is being used, the following ACLs are also needed:

  • incident
  • sys_choice


  • itil

Note: This is a requirement for getting metadata about the tables, which we need in order to determine data types, allowable columns, etc.