
02-20-2017 10:55 AM
Admin as an elevated role … do you have problems with this?
I've always had my Admin role set to elevated for both security reasons and to ensure I am not using my admin rights unless really needed. Twice now ServiceNow has told me I should not have admin set to elevated; it causes lots of problems. In order for me to separate the roles I would need two IDs. My itil and my. My management is not signing off on me using two paid licenses.
Is anyone else in the same situation as I?
Do you just use two paid licenses?
02-20-2017 06:34 PM
Hi Mark,
I looked at that incident you mentioned. After reading through the notes, I noticed that the last update in the incident is as follows,
"Hi Mark,
I followed up on this issue and found that your out of box "Delete" ui action for list was modified.
There is an update you are missing, so I am attaching the out of box "Delete" ui action. Please import it into your system to resolve your issue.
I have confirmed that deletes on incident work now."
This makes me think the problem was not the elevated admin privileges, but, in fact, the real problem was the modifications to the "Delete" ui action. Could my understanding be correct? I am especially suspicious because on my demo instance, running Helsinki, I was able to successfully use elevated admin to delete multiple incidents.
Steps I took:
1. I activated the "elevated privilege" checkbox on the admin role,
2. logged out, logged back in
3. elevated to admin
4. opened the list of active incidents
5. checked all incidents on the list
6. clicked the "delete" drop down item from the list view
7. clicked the "continue" button in the multiple delete warning message popup
8. confirmed all incidents selected in step #6 were successfully deleted
My best guess is that the problem was actually not caused by the elevated admin role. I don't see any reason to believe that the way you are using the "elevated privilege" checkbox will not work.
Regards, Matthew
02-20-2017 11:02 AM
Can you explain what you mean by "I've always had my Admin role set to elevated"? My understanding is that having a role set to "elevated" is a way to gain temporary extra privileges manually after a user has logged in. (See Elevated privilege in the product doc.)
Can you give the specifics of the situations where ServiceNow has said this was a problem?

02-20-2017 11:32 AM
You're right about the elevated role granting temporary admin functions in my case.
This means I am usually just an ITIL person, and only elevate the role when I am doing development work.
If I remember correctly I did this as an elevated role as it was recommended by ServiceNow as extra security a few years back. (I may be wrong)
I can't give specific examples of why they tell me this is not recommended. I only bring it up because it was cited to me again today when a person working my UI problem incident said that is not recommended. It can cause a lot of problems. It has always been UI issues when they tell me this.
02-20-2017 12:16 PM
Ah... I understand now. Initially, ServiceNow recommended that you mark the "elevated_privilege" field on the "admin" role form. That way, when you log in, you don't automatically have the admin role until you manually select to elevate. Since that time you have run into problems with the UI that ServiceNow has tracked back to using the admin role as an elevated privilege. Interesting.
There is nowhere in the product doc that specifically says it is okay or not okay to do this. It seems like probably a grey area that was never considered in the functionality. The use cases that the product documentation talks about are all for "sibling" roles to the admin role. In other words, someone is already an admin and they need to elevate to a sibling role before doing some sensitive operations. Let me see what else I can find about this.

02-20-2017 12:37 PM
You are 100% correct.
I don't think it became an issue until Helsinki but since it worked until then, it's a hard sell for me to say it is no longer a good practice because of how this behaves in our new releases.
With that said, I am really interested in how other people are handling this.