Mohit Kaushik
Mega Sage
Mega Sage

Hello everyone,

 

As you’re probably aware, the latest release of ServiceNow (Washington D.C.) introduced several exciting features aimed at enhancing our day to day works in ServiceNow. Among these, the time-limited user roles feature caught my attention. While there are existing articles and videos on this topic, I believe there are some valuable insights and nuances that might have been overlooked. In this article, I’ll delve into the specifics of time-limited user roles, their limitations, and practical use cases.

 

What are Time-Limited User Roles?
As the name suggests, time-limited user roles allow us to assign specific role to users for a predefined duration. This feature is particularly useful when we want users to perform specific tasks within a limited

timeframe. Whether it’s granting temporary elevated privileges or ensuring compliance with security policies, time-limited user roles offer flexibility and control.

 

Key Points to Consider
While the official documentation provides essential information, there are a few aspects that you won’t find explicitly documented as mentioned below:

 

Individual User Assignment: Unlike traditional roles that can be assigned to groups/users, time-limited user role must be granted to each user individually. Unfortunately, there isn’t an option to apply these roles to an entire group. It would be convenient if ServiceNow allowed group-based assignments, but for now, we’ll need to manage this at the user level.


Granting Access to Multiple Users: Suppose you need to provide time-limited access to specific roles for multiple users. In such cases, manual assignment becomes cumbersome. However, scripting might come to the rescue. By automating the assignment process, you can efficiently grant roles as needed. This will be a custom solution.


Duration Limitations: ServiceNow enforces a maximum duration for time-limited user roles. Currently, you cannot set a role to last longer than two weeks. This limitation is governed by a business rule associated with the sys_user_has_role_time_limited table. While it’s technically possible to modify this rule, but it is not advisable.

MohitKaushik_2-1710513109604.png


Visibility via Related Lists: To monitor time-limited roles, navigate to the “Time-Limited User Roles” module. Here, you’ll find a list of all time-limited roles assigned to users. But what if you’re viewing a user record or a role record directly? Fear not! You can easily add the related list named “Time-Limited User Roles” to both user and role records. This provides a quick overview of any time-limited roles associated with the user or role.

 

MohitKaushik_3-1710515636409.png

 

 

MohitKaushik_0-1710512720178.png

MohitKaushik_1-1710512781999.png

 


Conclusion
In summary, time-limited user roles offer a powerful mechanism for managing access rights within specific timeframes. While they have their limitations, understanding these things allows us to make informed decisions. So, the next time you encounter a scenario where temporary access is crucial, consider leveraging this feature.

 

If you found this article helpful or learned something new, please mark it as such. Feel free to bookmark it for future reference and stay tuned for more updates!

 

 

Thanks,

Mohit Kaushik

ServiceNow MVP (2023-2024)

 

Comments
saroj-patel
Tera Contributor

But its not deactivating the time limit user record after  time limit  expired

sarojpatel_0-1711354930690.png

 

Gustavo Olivei1
Tera Contributor

@saroj-patel indeed, they don't inactivate the record but the accesses are removed after the End time (I guess using events or something related). So it works.

 

@Mohit Kaushik nice article and in my opinion, this functionality should be improved in coming releases (for example: adding a property to allow an extension of more than 2 weeks...) and fixes small bugs such as the active field and make read-only, allow start_date > end_date...

Mohit Kaushik
Mega Sage
Mega Sage

@saroj-patel as @Gustavo Olivei1 mentioned this access might be getting removed from backend, however I do not have any documentation or a point of source where it is mentioned. 

@Gustavo Olivei1 I agree with you, the functionality should definitely improve in future. However, increasing the time more than 2 weeks might have its own disadvantages. It may create an impact on your licensing as there is no information from ServiceNow on licensing part related to this functionality.

NguyễnMinhĐ
Tera Explorer

how to extend the time assign role for a user i need to extend it to 30 days but servicenow only allow 5 days

James Fricker
Tera Guru

I created an insert BR that runs before the time limit checking BR. It splits the entered time period up into 5 day chunks and creates a new record for each 5 day chunk. So if the user entered a 30 day period the BR creates 5 new records of 5 days each plus the original record with an adjusted start time. So 6 records in total, of 5 days each (=30days), all for the same user and role.

Version history
Last update:
‎03-15-2024 08:21 AM
Updated by:
Contributors