When a Service Portal user’s role includes the permissions Request Service Change and Show All Organization Services you have created a situation where the user can request changes to VMs for which they have no ownership. This includes the ability to decommission VMs automatically, depending on the particulars of your workflow configuration.

To avoid this, add a conditional step to the approval workflow for change requests, checking for ownership, and requiring approval from the primary owner where no ownership exists. Follow the steps below to add this configuration to an existing approval workflow.

  1. From the Configuration menu, choose Service Request Configuration.
  2. Switch to the Approval Workflow tab.
  3. Select the appropriate change request approval workflow, and click Edit.
  4. Click Next until you get to the Steps page. Click Add > Send Approval Email.

  5. Set Step Execution to Execute when conditions are met and click Edit.
  6. Enter #{request.requester.email} -ne #{target.settings.primaryOwner.email} as the condition, and click OK.
  7. Set the recipient as #{target.settings.primaryOwner.email} in the Address List.
  8. Update the Email Subject and Email Body as suitable for your needs, and when you are finished, click Next until you complete the wizard. Click Finish.

With this configuration in place, primary owners must approve any changes requested to their VMs before any action takes place.