Loading...
Loading...
Activating Firewall Audits and Reporting plugin restricts read access to all cmdb_ci_appl records and records in extending tables such as web servers and DB instances. The root cause of the problem is an ACL on cmdb_ci_appl table. This ACL was added in Firewall Audits and Reporting plugin assuming there will be certain existing ACLs present on the table. But when there are no ACLs present on the table it changes the global access and narrows it down to "sn_disco_firewall.firewall_user" role, which is not intended. Symptoms will include node missing from Dependency Views Maps or Service Maps, CI Relations Formatter and Relationship Editor, unable to click through to referenced CIs in tasks etc. The following extending tables for application CI classes within Application [cmdb_ci_appl], that would be affected by this problem: .NET Application [cmdb_ci_appl_dot_net] AD Domain [cmdb_ci_ad_domain] AD Forest [cmdb_ci_directory_ad_forest] APIGee Service [cmdb_ci_appl_apigee_srv] Active Directory Domain Controller [cmdb_ci_ad_controller] Active Directory Service [cmdb_ci_appl_active_directory] ActiveMatrix Business Works Process [cmdb_ci_appl_tibco_matrix_proc] ActiveMatrix Business Works [cmdb_ci_appl_tibco_matrix] Advanced Queue Queue [cmdb_ci_appl_ora_queue] Agility Process [cmdb_ci_agility_process] Apache Web Server [cmdb_ci_apache_web_server] Application Server Resource [cmdb_ci_application_server_resource] Application Server [cmdb_ci_app_server] BizTalk Orchestration [cmdb_ci_appl_biztalk_orch] BizTalk [cmdb_ci_appl_biztalk] CA Enterprise Communicator [cmdb_ci_appl_ca] CA Identity Manager Provisioning Server [cmdb_ci_appl_ca_id_man] CA Introscope Enterprise Manager [cmdb_ci_appl_ca_ent_man] CA eTrust Directory Server [cmdb_ci_appl_ca_dir_server] Cassandra Instance [cmdb_ci_cassandra_instance] Cisco CallManager [cmdb_ci_appl_cisco_call_man] Cisco Fibre InterConnect [cmdb_ci_appl_cisco_fibre] Citrix Application Icon [cmdb_ci_appl_citrix_app] Citrix Collector [cmdb_ci_appl_citrix_collector] Citrix License server [cmdb_ci_appl_license_server] Citrix XenAPP or Presentation Server [cmdb_ci_appl_citrix_xenapp] Cloud App Server [cmdb_ci_cloud_appserver] Cloud Authentication [cmdb_ci_cloud_authentication] Cloud DataBase [cmdb_ci_cloud_database] Cloud Directory [cmdb_ci_cloud_directory] Cloud Function [cmdb_ci_cloud_function] Cloud Gateway [cmdb_ci_cloud_gateway] Cloud Messaging Service [cmdb_ci_cloud_messaging_service] Cloud Object Storage [cmdb_ci_cloud_object_storage] Cloud WebServer [cmdb_ci_cloud_webserver] Coldfusion Application [cmdb_ci_cf_application] Coldfusion Server [cmdb_ci_coldfusion_server] Composer [cmdb_ci_app_server_composer] Connect-It Service [cmdb_ci_appl_connectit] Control-M [cmdb_ci_appl_controlm] DB Instance Size [cmdb_ci_db_instance_size] DB2 Instance [cmdb_ci_db_db2_instance] Data Power Domain [cmdb_ci_app_server_dp_domain] Data Power [cmdb_ci_app_server_datapower] Database Instance [cmdb_ci_db_instance] Delivery Controler [cmdb_ci_appl_delivery_controler] Directory Server [cmdb_ci_directory_server] Docker Engine [cmdb_ci_docker_engine] Documentum Brava Job Processor [cmdb_ci_appl_doc_brava_proc] Documentum Brava License Server [cmdb_ci_appl_doc_brava_server] Documentum Broker [cmdb_ci_appl_doc_docbroker] Documentum DocBase [cmdb_ci_appl_doc_docbase] Domino [cmdb_ci_app_server_domino] Dynamic CRM Component [cmdb_ci_appl_ms_dynamic_crm] DynamoDB Global Table [cmdb_ci_dynamodb_global_table] DynamoDB Table [cmdb_ci_dynamodb_table] EMS Queue [cmdb_ci_appl_tibco_queue] Email Server [cmdb_ci_email_server] Enterprise Vault [cmdb_ci_email_server_ent_vault] Exchange Client Access Server [cmdb_ci_exchange_cas] Exchange Edge Transport Server [cmdb_ci_exchange_edge_transport_server] Exchange Hub Transport Server [cmdb_ci_exchange_hub_transport_server] Exchange MailBox [cmdb_ci_exchange_mailbox] Exchange Mailbox Server [cmdb_ci_exchange_mailbox_server] Exchange Service Component [cmdb_ci_exchange_service_component] ExchangeBackEndServer [cmdb_ci_exchange_backend] ExchangeFrontEndServer [cmdb_ci_exchange_frontend] ExchangeHub [cmdb_ci_exchange_hub] FTP Server [cmdb_ci_ftp_server] Fast Search [cmdb_ci_appl_fastsearch] Generic Application [cmdb_ci_appl_generic] GlassFish WAR [cmdb_ci_appl_glassfish_war] GlassFish [cmdb_ci_appl_glassfish] Groundwork [cmdb_ci_appl_groundwork] HA Proxy [cmdb_ci_directory_ha] HAProxy Load Balancer [cmdb_ci_lb_haproxy] HBase Instance [cmdb_ci_db_hbase_instance] HP Operations Manager [cmdb_ci_appl_hp_operations] HP Quality Center [cmdb_ci_appl_hp_qc] HP SM Index Server [cmdb_ci_appl_hp_index] HP SM KnowledgeBase [cmdb_ci_appl_hp_sm_kb] HP Service Manager [cmdb_ci_appl_hp_service] HP uCMDB [cmdb_ci_app_server_hp_ucmdb] IBM CICS [cmdb_ci_appl_ibm_cics] IBM CTG [cmdb_ci_appl_ibm_ctg] IBM WMB Http Listener [cmdb_ci_appl_ibm_wmb_listener] IBM WebSphere MQ Queue [cmdb_ci_appl_ibm_wmq_queue] IBM WebSphere MQ [cmdb_ci_appl_ibm_wmq] IBM WebSphere Message Broker [cmdb_ci_appl_ibm_wmb] IBM Websphere [cmdb_ci_app_server_websphere] IIFP [cmdb_ci_directory_iifp] IIS Virtual Directory [cmdb_ci_iisdirectory] IP Server [cmdb_ci_ip_server] ITAM Asset Center [cmdb_ci_appl_itam] Inetinfo service [cmdb_ci_inetinfo] Informix Catalog [cmdb_ci_db_informix_catalog] Informix Instance [cmdb_ci_db_informix_instance] Infrastructure Service [cmdb_ci_infra_service] Inter connect [cmdb_ci_inter_connect] Interconnect Instance [cmdb_ci_interconnect_instance] Iplanet Web Server [cmdb_ci_iplanet_web_server] JBoss [cmdb_ci_app_server_jboss] JES [cmdb_ci_email_server_jes] JavaServer [cmdb_ci_app_server_java] Jboss Fuse [cmdb_ci_appl_jboss_fuse] Jboss module [cmdb_ci_app_server_jb_module] Jrun WAR [cmdb_ci_app_server_jrun_war] Jrun [cmdb_ci_app_server_jrun] KVM [cmdb_ci_kvm] Kafka Broker [cmdb_ci_appl_kafka_broker] Kafka Connect [cmdb_ci_appl_kafka_connect] Kafka Consumer [cmdb_ci_appl_kafka_consumer] Kafka Topic [cmdb_ci_appl_kafka_topic] Kafka Zoo Keeper [cmdb_ci_appl_zoo_keeper] LDAP DB [cmdb_ci_directory_ldap] LDAP Service [cmdb_ci_infra_service_ldap] Load Balancer Application [cmdb_ci_lb_appl] Lotus Domino HTTP Server [cmdb_ci_web_domino] MS SQL DataBase [cmdb_ci_db_mssql_database] MS SQL Server [cmdb_ci_db_mssql_server] MSFT SQL Instance [cmdb_ci_db_mssql_instance] MSMQ [cmdb_ci_appl_msmq] Management Server [cmdb_ci_config_automation_server] Microsoft iis Web Server [cmdb_ci_microsoft_iis_web_server] ModProxy Load Balancer [cmdb_ci_lb_modproxy] Modjk Load Balancer [cmdb_ci_lb_modjk] Mongo Config Server [cmdb_ci_appl_mongo_config_serv] MongoDB Instance [cmdb_ci_db_mongodb_instance] Mongos Server [cmdb_ci_appl_mongos] MySQL Instance [cmdb_ci_db_mysql_instance] MySQLClusterDataNode [cmdb_ci_db_mysql_clusternode] MySQLClusterMGMNode [cmdb_ci_db_mysql_clustermgnode] Nginx Load Balancer [cmdb_ci_lb_nginx] Nginx Web Server [cmdb_ci_nginx_web_server] Nutanix Controller VM [cmdb_ci_nutanix_controller_vm] Operating-system-level Virtualization Engine [cmdb_ci_oslv_engine] Oracle App TNS Service [cmdb_ci_appl_ora_tns] Oracle Concurrent Server [cmdb_ci_appl_ora_conc] Oracle Database Listener [cmdb_ci_db_ora_listener] Oracle Discoverer Engine [cmdb_ci_appl_ora_disc] Oracle Discoverer UI [cmdb_ci_appl_ora_disc_ui] Oracle ESB [cmdb_ci_appl_ora_ebs] Oracle Essbase Server [cmdb_ci_app_server_ora_ess] Oracle Forms Engine [cmdb_ci_appl_ora_forms] Oracle Forms UI [cmdb_ci_appl_ora_forms_ui] Oracle Fulfillment Server [cmdb_ci_appl_ora_fs] Oracle Golden Gate Extract Process [cmdb_ci_appl_ora_gg_extract] Oracle Golden Gate Replicat Process [cmdb_ci_appl_ora_gg_replicat] Oracle Golden Gate [cmdb_ci_appl_oracle_golden_gate] Oracle HTTP Server [cmdb_ci_appl_ora_http] Oracle Instance [cmdb_ci_db_ora_instance] Oracle Metric Client [cmdb_ci_appl_ora_metric_client] Oracle Metric Server [cmdb_ci_appl_ora_metric_svr] Oracle Notification Server [cmdb_ci_appl_ora_notif_svr] Oracle OACORE Server [cmdb_ci_appl_ora_oacore] Oracle OAFM Server [cmdb_ci_appl_ora_oafm] Oracle PDB Instance [cmdb_ci_db_ora_pdb_instance] Oracle Process Manager [cmdb_ci_appl_ora_pm] Oracle Report Server [cmdb_ci_appl_ora_report] Oracle TNS Listener Engine [cmdb_ci_appl_ora_tnslsnr] Oracle iAS Web module [cmdb_ci_app_server_ora_ias_m] Oracle iAS [cmdb_ci_app_server_ora_ias] Parallels [cmdb_ci_vm_parallels] Pending Application [cmdb_ci_appl_pending] Peoplesoft Application Server [cmdb_ci_appl_peoplesoft] Policy Server [cmdb_ci_dir_policy_server] PostgreSQL Instance [cmdb_ci_db_postgresql_instance] Puppet Primary [cmdb_ci_puppet_master] RHV Manager [cmdb_ci_rhv_manager] RabbitMQ Cluster [cmdb_ci_appl_rabbitmq_cluster] RabbitMQ Queue [cmdb_ci_appl_rabbitmq_queue] RabbitMQ [cmdb_ci_appl_rabbitmq] Remedy HSServer [cmdb_ci_app_server_remedy] Rubrik Oracle RAC [cmdb_ci_rubrik_db_ora_rac] SAP ASCS Application [cmdb_ci_appl_sap_ascs] SAP Application Server [cmdb_ci_appl_sap_server] SAP Application [cmdb_ci_appl_sap] SAP BO BOXIScheduleRouter [cmdb_ci_appl_sap_bo_scheduler] SAP Business Objects CMS server [cmdb_ci_appl_sap_bo] SAP Business Objects [cmdb_ci_appl_sap_bus_obj] SAP CI Application [cmdb_ci_appl_sap_ci] SAP DI Application [cmdb_ci_appl_sap_di] SAP ERS Application [cmdb_ci_appl_sap_ers] SAP Hana Db [cmdb_ci_appl_sap_hana_db] SAP JC Application [cmdb_ci_appl_sap_jc] SAP SCS Application [cmdb_ci_appl_sap_scs] SAP System [cmdb_ci_appl_sap_system] SAP System [cmdb_ci_sap_sid] SQL Server Analysis Services [cmdb_ci_db_mssql_analysis] SQL Server Integration Services Job [cmdb_ci_db_mssql_int_job] SQL Server Integration Services [cmdb_ci_db_mssql_integration] SQL Server Reporting Services [cmdb_ci_db_mssql_reporting] Sendmail [cmdb_ci_appl_sendmail] ServiceNow Application Component [cmdb_ci_appl_now_app_comp] ServiceNow Application [cmdb_ci_appl_now_app] ServiceNow Connector [cmdb_ci_appl_now_connector] ServiceNow MID Server [cmdb_ci_appl_now_mid] SharePoint Service [cmdb_ci_appl_sp_service] SharePoint [cmdb_ci_appl_sharepoint] Simulation Inclusion [cmdb_ci_app_simulation_inc] Simulation [cmdb_ci_app_simulation] Site Minder [cmdb_ci_dir_site_minder_server] Sun Directory Proxy Server [cmdb_ci_sun_dir_proxy_server] Sun LDAP Server [cmdb_ci_sun_ldap_dir_server] Sybase Instance [cmdb_ci_db_syb_instance] Tibco Adapter [cmdb_ci_appl_tibco_adapter] Tibco Enterprise Message Service [cmdb_ci_appl_tibco_message] Tibco Hawk [cmdb_ci_appl_tibco_hawk] Tomcat WAR [cmdb_ci_app_server_tomcat_war] Tomcat [cmdb_ci_app_server_tomcat] Tuxedo Portal [cmdb_ci_appl_tuxedo_portal] Tuxedo [cmdb_ci_appl_tuxedo] VMware [cmdb_ci_vm_vmware] VMware vCenter Instance [cmdb_ci_vcenter] Vendavo Application Server [cmdb_ci_app_server_vendavo] Vignette Content Management Server [cmdb_ci_appl_vign_content_svr] Vignette Search Starter [cmdb_ci_appl_vignette_search] Vignette Server [cmdb_ci_appl_vignette_server] Virtual Machine HyperVisor [cmdb_ci_vm] WBEM Service [cmdb_ci_wbem_service] WMB Flow [cmdb_ci_appl_wmb] Web Application [cmdb_ci_web_application] Web Server [cmdb_ci_web_server] Web Service [cmdb_ci_web_service] Web Site [cmdb_ci_web_site] Weblogic JMS Queue [cmdb_ci_appl_ora_jms_queue] Weblogic JMS Server [cmdb_ci_appl_weblogic_jms] Weblogic LB [cmdb_ci_appl_weblogic_lb] Weblogic Module Server [cmdb_ci_appl_weblogicmodule] Weblogic [cmdb_ci_app_server_weblogic] WeblogicModule [cmdb_ci_app_server_wl_module] Webseal [cmdb_ci_app_server_webseal] Websphere EAR [cmdb_ci_app_server_ws_ear] Websphere ODR LB [cmdb_ci_app_server_ws_odr] Websphere Portal [cmdb_ci_appl_websphere_portal] Windows Domain Controller [cmdb_ci_win_domain_controller] Zones [cmdb_ci_vm_zones] epic agent [cmdb_ci_epic_agent] epic cache [cmdb_ci_epic_cache] epicd app server [cmdb_ci_epicd_app_server]
Log into an OOB Quebec instance and impersonate 'itil' Navigate to cmdb_ci_appl.list and notice that 'itil' can see records in this table Un-impersonate, and install affected version of "Firewall Audits and Reporting" plugin After plugin is activated, impersonate 'itil' and navigate to cmdb_ci_appl.list Notice that 'Security constraints prevent access to requested page' for 'itil'
This problem has been Fixed. If you are able to upgrade, review the Fixed In section to determine the latest version with a permanent fix your instance can be upgraded to. However, please note that if you have previously installed the affected version, this ACL will not be deleted during the plugin upgrade process in the updated version(s). This is a deliberate choice, in case the ACL has been edited or utilised. It is therefore recommended to manually delete the ACL, if affected, as this action will not happen during plugin upgrade. Alternatively, you may create a new ACL with "cmdb_read" role or other roles as per your requirement. To fix this issue users can delete the specified ACL to restore the global read access to the table. https://<instancename>.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=151502e66716001022646c706785ef2d.
PRB1511121
Click on a version to see all relevant bugs
ServiceNow Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.