I would simply create a CMDB_Query_editor group+role and have it as the only pass which would allow user to see this module. That means removing the default role from the module restriction and replacing it with this new one. You can easily manage the group and add new people there. If you don't want for this module to be accessible to everyone ITIL+ as default, then this is I think the most simple solution. Disclaimer - I am not a SN personnel or some SN guru. I am quite an under-average developer.