A least privileged user account must have the following permissions:
All Configurations (required to validate the other ACLs)
- sys_user_has_role
- security_acl_detail
- sys_security_operation
Resource Grouping ACLs
- cmdb_metadata_hosting
- cmdb_metadata_reference
- cmdb_metadata_containment
- sys_dictionary
- sys_dictionary.*
- sys_glide_object
- svc_ci_assoc (only if you are using the association table in any of the group configurations)
- each table that is in the configuration json (cmdb_ci_vmware_instance for example)
Alerting ACLs:
- sys_choice
- sys_choice.*
- sys_dictionary
- sys_dictionary.*
- sys_glide_object
- each table that is in the configuration json if CI mapping is used (cmdb_ci_vmware_instance for example)
- One of the following depending on which option is specified in your configuration file:
  - incident (read and write)
  - em_alert (read and write)
  - em_event (read and write)
CMDB Sync ACLs
- sys_db_object
- cmdb_reconciliation_definition
- sys_choice
- sys_choice.*
- cmdb_rel_type
- each table in Synced Resources (read and edit_ci_relations are always required, delete is required if using a configuration which deletes CIs when they are removed from or are Not Existing in vROps)
Role
- itil
Note: This is a requirement for getting metadata about the tables, which we need in order to determine data types, allowable columns, etc.
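As an added example (not part of the original documentation or the product's own code), the following Python script turns the lists above into the set of (table, operation) pairs needed for the features you enable and diffs it against an exported grant list, reporting both missing and excess grants. The function names, parameters and sample grants are hypothetical, and read is assumed wherever the page names no operation.

```python
# Added example: required (table, operation) pairs per enabled feature, diffed
# against what the account was granted. Names and sample data are hypothetical.
# Assumption: "read" is used wherever the page names no operation.
ALWAYS = ["sys_user_has_role", "security_acl_detail", "sys_security_operation"]
GROUPING = ["cmdb_metadata_hosting", "cmdb_metadata_reference",
            "cmdb_metadata_containment", "sys_dictionary", "sys_dictionary.*",
            "sys_glide_object"]
ALERTING = ["sys_choice", "sys_choice.*", "sys_dictionary", "sys_dictionary.*",
            "sys_glide_object"]
SYNC = ["sys_db_object", "cmdb_reconciliation_definition", "sys_choice",
        "sys_choice.*", "cmdb_rel_type"]
ALERT_TARGETS = {"incident", "em_alert", "em_event"}


def required_acls(grouping_tables=None, uses_assoc=False, alert_target=None,
                  alert_ci_tables=(), synced_tables=None, sync_deletes=False):
    """Return the needed (table, operation) pairs; None leaves a feature off."""
    need = {(t, "read") for t in ALWAYS}
    if grouping_tables is not None:
        need |= {(t, "read") for t in GROUPING + list(grouping_tables)}
        if uses_assoc:  # association table is only needed when a group uses it
            need.add(("svc_ci_assoc", "read"))
    if alert_target is not None:
        if alert_target not in ALERT_TARGETS:
            raise ValueError(f"unknown alert target: {alert_target}")
        need |= {(t, "read") for t in ALERTING + list(alert_ci_tables)}
        need |= {(alert_target, "read"), (alert_target, "write")}
    if synced_tables is not None:
        need |= {(t, "read") for t in SYNC}
        ops = ["read", "edit_ci_relations"] + (["delete"] if sync_deletes else [])
        need |= {(t, op) for t in synced_tables for op in ops}
    return need


def audit(required, granted):
    """Split the difference into missing grants and grants beyond least privilege."""
    granted = set(granted)
    return {"missing": sorted(required - granted),
            "excess": sorted(granted - required)}


# Constructed sample: alerting to em_alert plus CMDB sync without CI deletion.
SAMPLE_REQUIRED = required_acls(alert_target="em_alert",
                                synced_tables=["cmdb_ci_vmware_instance"])
SAMPLE_GRANTED = (SAMPLE_REQUIRED - {("cmdb_rel_type", "read")}) | {
    ("cmdb_ci_vmware_instance", "delete"), ("incident", "write")}

if __name__ == "__main__":
    print(audit(SAMPLE_REQUIRED, SAMPLE_GRANTED))
```

The itil role is a role assignment rather than an ACL, so it is not covered by this check.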