
on 08-16-2024 12:43 AM
This article covers a feature that first came out in the Washington DC release. It was a long-standing ask from customers: a time-limited user role that can be assigned to users for a specific purpose. Some use cases (not limited to the ones below) are:
- If you want a person to be the admin for a certain duration to perform a certain task while you are away or busy
- If you want to give read-only access (snc_read_only) to a user to limit their actions on the table on which they already have access, typically for audit purposes
- If you want a user to impersonate for a certain time duration
The fine details of this functionality are below:
- It only allows the following roles to be assigned:
  - Admin
  - snc_read_only
  - impersonate

  This means it doesn't allow any other role for any application that comes as part of the baseline, such as itil, HR-related roles, etc.
- Unlike ServiceNow's suggested method of adding roles to groups, this method only allows adding roles to an individual user.
- A system property defines the maximum duration (in days) for which time-limited roles are active. This system property is called 'glide.security.timelimited.roles.allowed_max_days'. The default value is '5' days. Note: Only users with the 'Maint' role can edit this property.
- In the platform, roles are session-based. However, roles granted through the time-based roles feature may not persist for the entire session if the session extends beyond the end time specified in the time-based role record, i.e. the roles are revoked as soon as the end time on the time-based role record is reached.
- Users who hold the "admin" role through the time-based role functionality have all the regular privileges of a permanent admin. One such privilege is the ability to edit their time-based role records. This is true when logging in as the user, but impersonation only gives read access to these records. Note that the admin user can again extend the time-limited user record for only 5 more days by modifying the start and end dates on the record.
- The time-limited user records have 'Active=true', which remains true even after the end time has passed. However, the roles will be revoked from the user.
- Time-limited roles assigned to a user, and their history, can be viewed in the user record under the 'time-limited user role' related list. This related list is not available by default but can be added using Configure -> Related Lists on the user form. Similarly, the 'time-limited user role' related list can be added on the role record.
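The rules above can be turned into a small audit over exported time-limited role records. This is an added example, not ServiceNow code: the record field names (`user`, `role`, `start`, `end`, `active`) and the sample rows are constructed assumptions, and the role names and the 5-day default are taken from this article.

```javascript
// Added example: audit model for time-limited role records (not platform code).
// Field names user/role/start/end/active are hypothetical stand-ins for an export.
const BASELINE_ROLES = ['admin', 'snc_read_only', 'impersonate']; // names as listed in the article
const DAY_MS = 24 * 60 * 60 * 1000;

// A role counts as held only inside [start, end). The active flag alone is not
// trusted, because it stays true after the end time has passed.
function roleInEffect(rec, now) {
  return rec.active && now >= Date.parse(rec.start) && now < Date.parse(rec.end);
}

// Returns the list of findings for one record.
function auditRecord(rec, now, maxDays = 5, allowedRoles = BASELINE_ROLES) {
  const findings = [];
  const start = Date.parse(rec.start);
  const end = Date.parse(rec.end);
  if (!allowedRoles.includes(rec.role.toLowerCase())) findings.push('role-outside-baseline');
  if (end <= start) findings.push('invalid-window');
  else if (end - start > maxDays * DAY_MS) findings.push('exceeds-max-days');
  if (rec.active && now >= end) findings.push('expired-but-active-flag');
  return findings;
}

function auditAll(records, now, maxDays = 5, allowedRoles = BASELINE_ROLES) {
  return records.map((r) => ({
    user: r.user,
    role: r.role,
    inEffect: roleInEffect(r, now),
    findings: auditRecord(r, now, maxDays, allowedRoles),
  }));
}

// Constructed sample rows, evaluated at a fixed constructed "now".
const SAMPLE = [
  { user: 'alice', role: 'admin', start: '2024-08-01T09:00:00Z', end: '2024-08-04T09:00:00Z', active: true },
  { user: 'bob', role: 'itil', start: '2024-08-10T00:00:00Z', end: '2024-08-12T00:00:00Z', active: true },
  { user: 'carol', role: 'snc_read_only', start: '2024-08-10T00:00:00Z', end: '2024-08-20T00:00:00Z', active: true },
];
const NOW = Date.parse('2024-08-11T12:00:00Z');

for (const row of auditAll(SAMPLE, NOW)) console.log(JSON.stringify(row));
```

A record for a role outside the three baseline roles, or a window longer than the configured maximum, indicates that one of the system properties has been changed from its default.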
Here is how security access to the "sys_user_has_time_limitied_role" table works:

| Operation | Roles |
|---|---|
| Create access | Admin |
| Read access | 1. ITIL 2. user_admin 3. role_delegator |
| Delete access | Same as Create access |
| Report access | Admin |
Note: If you want to play around further, see what happens when you assign all 3 time-limited roles to the same user 😊
Since write roles are maint, that suggests if needed we could ask Support to extend the amount of time or the roles allowed to be selected?

I think the roles allowed to be selected remain the same even if it's done by the 'maint' user.
In terms of extending the access, theoretically, I think they will be, but due to lack of the role available to a non SN support user we have no means to test the behaviour.

So I just tested this in my PDI where they have those System Properties open for writing (not sure if other maint Properties are like this?) and I was able to change the roles that could be selected and it seems to work fine.
As an example I added itil to the list of roles, then created a brand new role-less user and added a new time-based role record to that user for the itil role. When I impersonated that user it popped-up the following message:
So it does look like roles can be added without much hassle, though of course perhaps there are some caveats that I missed from my very limited test.

Hi @Mr Anderson, could you elaborate more? You mean you tried to create a time-limited role by assigning yourself a 'maint' role, and it worked?
@sachinbhasin11
I didn't have to do anything to be able to change the 2 System Property values. I checked several other System Properties with a write role of 'maint' and they were all open for me to change. So I changed the 'glide.security.timelimited.roles.allowed_roles' Property to be 'admin,impersonator,snc_read_only,itil' and that's how I was able to carry out my test. Not sure why I am able to change these Properties - perhaps you or someone else could check their PDI and see if they can as well?