A least privileged user account must have the following permissions:

All Configurations (required to validate the other ACLs)

  • sys_user_has_role
  • security_acl_detail
  • sys_security_operation

Resource Grouping ACLs

  • cmdb_metadata_hosting
  • cmdb_metadata_reference
  • cmdb_metadata_containment
  • sys_dictionary
  • sys_dictionary.*
  • sys_glide_object
  • svc_ci_assoc (only if you are using the association table in any of the group configurations)
  • each table that is in the configuration json (cmdb_ci_vmware_instance for example)

Alerting ACLs:

  • sys_choice
  • sys_choice.*
  • sys_dictionary
  • sys_dictionary.*
  • sys_glide_object
  • each table that is in the configuration json if CI mapping is used (cmdb_ci_vmware_instance for example)
  • One of the following depending on which option is specified in your configuration file:
    • incident (read and write)
    • em_alert (read and write)
    • em_event (read and write)


  • sys_db_object
  • cmdb_reconciliation_definition
  • sys_choice
  • sys_choice.*
  • cmdb_rel_type
  • each table in Synced Resources (read and edit_ci_relations are always required, delete is required if using a configuration which deletes CIs when they are removed from or are Not Existing in vROps )


  • itil

Note: This is a requirement for getting metadata about the tables, which we need in order to determine data types, allowable columns, etc.