Add user to "ServiceNow Admins" group with script include
05-10-2022 08:57 AM
Hi,
I have a UI script that creates a button in the header with an onclick event that calls a script include.
This script include should add the current user to the "ServiceNow Admins" group.
Here's part of the script include (irrelevant parts are omitted):
var gr = new GlideRecord('sys_user_grmember');
gr.initialize();
gr.group = '507aaa8c1b9e2c108a347c95464bcbb4'; //sys_id of ServiceNow Admins group
gr.user = gs.getUserID();
gr.insert();
When I click the button I get an error saying: "User tomtest without admin/security_admin role is not allowed to grant admin/security_admin-containing roles or groups." where tomtest is the user clicking the button.
I've tried elevating role before inserting the record:
var gr = new GlideRecord('sys_user_grmember');
gr.initialize();
gr.group = '507aaa8c1b9e2c108a347c95464bcbb4'; //sys_id of ServiceNow Admins group
gr.user = gs.getUserID();
GlideSecurityManager.get().enableElevatedRole('security_admin');
gr.insert();
but this just gives me a generic error:
Is there another way to add a user to ServiceNow Admins group through a script include that's executed via UI Script?
Any help would be appreciated.
05-10-2022 09:43 AM
Hi,
No script is run automatically with elevated permissions. You'd have to elevate yourself to be able to do that. If this user is clicking the button, the session is run by them, and they wouldn't have the permissions to be able to do that. You'd want to impersonate an appropriate user, then elevate, then do the insert.
Example:
gs.getSession().impersonate('sys_id_of_appropriate_user_to_use'); // impersonate user with security_admin role, that is your admin account
GlideSecurityManager.get().enableElevatedRole('security_admin');
Alternatively, due to timing, etc., you may need to fire an event and use a script action, for example, to have this run as "system" versus the user and their session.
Please mark reply as Helpful/Correct, if applicable. Thanks!
Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!
05-16-2022 09:42 AM
Hi Allen,
Thank you for the response.
This would work if the user under which the script runs had impersonate rights. In my case the users don't, and I don't want the user to have it.
Could you give me some guidance on how to run this script as "system"?
Many thanks,
Tom.

05-16-2022 04:49 PM
Hi,
Did you try? I don't believe they need to have impersonate rights as this is run in other use cases and works fine. I'd recommend trying it yourself and seeing if it works. I've seen this used in cases of a guest user, etc.
If not, then you'd want to create an event and then associate that event to a script action, which then runs the script async as the system. There are other ways as well, but without getting into a full lesson on the platform, the event > script action is an easy one to get going.
Create event: https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/platform-events/task...
Create script action: https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/platform-events/refe...
05-17-2022 09:55 AM
Hey,
Yes, I did try it before, and got this error (where the sys id is of an admin user)
Here's part of the script (in case I am doing something wrong?)
var gr = new GlideRecord('sys_user_grmember');
var originalUserID = gs.getUserID();
gr.initialize();
gr.group = '507aaa8c1b9e2c108a347c95464bcbb4';
gr.user = gs.getUserID();
gs.getSession().impersonate('eb20363c1be934108bb620e0b24bcb2f');
GlideSecurityManager.get().enableElevatedRole('security_admin');
gr.insert();
gs.getSession().impersonate(originalUserID);
I will take a look at the event>script action method you have suggested.
Thanks again for your replies.
T.
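
The event > script action approach suggested in the replies above, sketched as an added example that is not part of the thread or of ServiceNow's own code. It assumes, as the reply states, that the script action runs as system; the event name, the allow-list property and both function names are hypothetical, and the script action itself checks who may be added, because the role check that stopped the user in the original script no longer applies on that path.

```javascript
// Added example, not from the thread. Event name, property name and function
// names are hypothetical; gs and GlideRecord are passed in as arguments.
var ADMIN_GROUP = '507aaa8c1b9e2c108a347c95464bcbb4';  // group sys_id quoted in the thread
var EVENT_NAME = 'x_custom.admin_group.request';       // hypothetical; register it first
var ALLOW_PROP = 'x_custom.admin_group.allowed_users'; // hypothetical; sys_ids, comma-separated, no spaces

// Script include side: runs in the clicking user's session and only queues
// the request. The user ID comes from the server-side session, not the client.
function requestAdminMembership(gs) {
    gs.eventQueue(EVENT_NAME, null, gs.getUserID(), '');
}

// Script action side: call as grantFromEvent(event, gs, GlideRecord).
// The requester's own role check no longer guards this code path, so
// eligibility has to be enforced here before the membership is written.
function grantFromEvent(event, gs, GlideRecord) {
    var userId = String(event.parm1 || '');
    var allowed = String(gs.getProperty(ALLOW_PROP, '')).split(',');
    if (!userId || allowed.indexOf(userId) === -1) {
        gs.warn('Admin group request rejected for user ' + userId);
        return 'rejected';
    }
    var member = new GlideRecord('sys_user_grmember');
    member.addQuery('group', ADMIN_GROUP);
    member.addQuery('user', userId);
    member.query();
    if (member.hasNext()) {
        return 'exists'; // avoid duplicate membership rows on repeated clicks
    }
    member.initialize();
    member.group = ADMIN_GROUP;
    member.user = userId;
    member.insert();
    gs.info('Admin group membership granted to user ' + userId);
    return 'granted';
}
```

The log lines written by `gs.warn` and `gs.info` give a record of every request, granted or rejected, that can be reviewed alongside changes to `sys_user_grmember`.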