Hello Everyone,
Here's some security advice for almost all environments regarding the flow_designer role.
Some ServiceNow-provided roles inherit the Flow Designer (flow_designer) role out of the box, which should concern most customers, because flow_designer effectively grants the ability to modify any record in the instance. In practice this means a user holding flow_designer can grant themselves the admin role.
Roles that have contained flow_designer include:
- catalog_admin
- catalog_editor
- sn_customerservice_manager
- catalog_manager
- virtual_agent_admin
In the past I've raised this with ServiceNow support, and apparently some action has been taken by ServiceNow in Rome to resolve this (removing the inheritance), but it would be good stewardship to let our customers know about this, what they can do to fix it, and to keep an eye on this in future or on instances which aren't yet upgraded to Rome. I've seen examples of some roles which still grant flow_designer even in Rome.
To find out how exposed your customer might be, first check how many users have been granted this role:
<instance>/sys_user_has_role_list.do?sysparm_query=role%3D5a6498600b3122008e650851c5673aff
Secondly, you can see which roles are granting flow_designer:
<instance>/sys_user_role_contains_list.do?sysparm_query=contains%3D5a6498600b3122008e650851c5673aff
Once you've found roles that contain flow_designer, you can remove it from the "Contains Role" related list of the role that is granting that access.
If you're looking at granting Flow Designer delegated development to users in an environment, Studio provides a way of granting a delegated version of Flow Designer to your citizen developers. You need to make sure, however, that you use Flow Designer Content Filtering to restrict the Flow Designer actions and tables that your delegated developers can access; otherwise delegated development still gives these users the ability to modify anything in the environment.
If my content helped you in any way, please mark this content as BOOKMARK, SUBSCRIBE & HELPFUL
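The second list query above shows only roles that contain flow_designer directly; a role that contains catalog_admin, which in turn contains flow_designer, would not appear in it. The following is an added audit example (not part of the original post and not ServiceNow code) that goes one step further: it walks nested containment to find every role that ends up granting flow_designer, and then maps those roles to users. It runs over plain record objects in the shape the Table API returns for sys_user_role_contains (`role` contains `contains`) and sys_user_has_role (`user`, `role`), so the same logic can be fed an exported list or, with trivial changes, run as a background script. The only sys_id taken from the post is flow_designer's; the other role sys_ids, the user names and the containment rows are constructed sample data.

```javascript
// sys_id of the flow_designer role, as used in the post's list URLs.
const FLOW_DESIGNER_SYS_ID = "5a6498600b3122008e650851c5673aff";

// Constructed sample of sys_user_role_contains rows: `role` contains `contains`.
// Role sys_ids other than flow_designer's are placeholders, not real values.
const roleContains = [
  { role: "ROLE_CATALOG_ADMIN",   contains: FLOW_DESIGNER_SYS_ID },   // direct containment
  { role: "ROLE_CATALOG_MANAGER", contains: "ROLE_CATALOG_ADMIN" },   // nested: missed by a direct query
  { role: "ROLE_ITIL",            contains: "ROLE_CATALOG_EDITOR" },  // unrelated chain
  { role: "ROLE_CATALOG_EDITOR",  contains: "ROLE_KB_USER" },
];

// Constructed sample of sys_user_has_role rows (direct assignments only).
const userHasRole = [
  { user: "alice", role: FLOW_DESIGNER_SYS_ID },   // holds it directly
  { user: "bob",   role: "ROLE_CATALOG_MANAGER" }, // holds it two levels up
  { user: "carol", role: "ROLE_ITIL" },            // does not hold it
];

// Return the set of role sys_ids that grant `target`, directly or through
// any depth of nested containment. A visited set guards against cycles.
function rolesGranting(target, contains) {
  // Reverse index: contained role -> roles that contain it.
  const parents = new Map();
  for (const row of contains) {
    if (!parents.has(row.contains)) parents.set(row.contains, new Set());
    parents.get(row.contains).add(row.role);
  }
  const granting = new Set();
  const stack = [target];
  while (stack.length > 0) {
    const current = stack.pop();
    for (const parent of parents.get(current) || []) {
      if (!granting.has(parent)) {
        granting.add(parent);
        stack.push(parent);
      }
    }
  }
  return granting;
}

// Return the sorted list of users who hold `target` either directly or via
// any role found by rolesGranting().
function usersEffectivelyHolding(target, contains, hasRole) {
  const granting = rolesGranting(target, contains);
  granting.add(target);
  const users = new Set();
  for (const row of hasRole) {
    if (granting.has(row.role)) users.add(row.user);
  }
  return [...users].sort();
}

// Stand-alone run over the constructed sample.
console.log("Roles granting flow_designer:",
  [...rolesGranting(FLOW_DESIGNER_SYS_ID, roleContains)]);
console.log("Users effectively holding flow_designer:",
  usersEffectivelyHolding(FLOW_DESIGNER_SYS_ID, roleContains, userHasRole));
```

Every role returned by rolesGranting is a candidate for the "Contains Role" cleanup described above; the user list is the population to review (or re-provision through delegated development) before the containment is removed.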
Best Regards,
Prashant Kumar (LearnIT)
YouTube Channel LearnIT: https://www.youtube.com/@learnitwithprashant
Blog LearnIT: https://medium.com/@LearnITbyPrashant
Prashant Kumar LinkedIn: https://www.linkedin.com/in/learnitbyprashant/
ServiceNow Community Prashant Kumar - https://www.servicenow.com/community/user/viewprofilepage/user-id/19635