Admin as an elevated role … do you have problems with this?

Mark_Bailey · ‎02-20-2017

I've always had my Admin role set to elevated for both security reasons and to ensure I am not using my admin rights unless really needed. Twice now ServiceNow has told me I should not have admin set to elevated, it causes lots of problems. In order for me to separate the roles I would need two ID's. My itil and my. My management is not signing off on me using two paid licenses.

Is anyone else in the same situation as I?

Do you just use two paid licenses?

Mwatkins · ‎02-20-2017

Hi Mark,

I looked at that incident you mentioned. After reading through the notes, I noticed that the last update in the incident is as follows,

"Hi Mark,

I followed up on this issue and found that your out of box "Delete" ui action for list was modified.

There is an update you are missing, so I am attaching the out of box "Delete" ui action. Please import it into your system to resolve your issue.

I have confirmed that deletes on incident work now."

This makes me think the problem was not the elevated admin privileges, but, in fact, the real problem was the modifications to the "Delete" ui action. Could my understanding be correct? I am especially suspicious because on my demo instance, running Helsinki, I was able to successfully use elevated admin to delete multiple incidents.

Steps I took:

1. I activated the "elevated privilege" checkbox on the admin role,

2. logged out, logged back in

3. elevated to admin

4. opened the list of active incidents

5. checked all incidents on the list

6. clicked the "delete" drop down item from the list view

7. clicked the "continue" button in the multiple delete warning message popup

8. confirmed all incidents selected in step #6 were successfully deleted

My best guess is that the problem was actually not caused by the elevated admin role. I don't see any reason to believe that the way you are using the "elevated privilege" checkbox will not work.

Regards, Matthew

View solution in original post

Mark_Bailey · ‎02-21-2017

I'll save this thread, and the next time I am told it is not recommended to use the admin role as elevated I will refer them to this thread.

I appreciate all the time you took to look into this for me.

I promise you I have been told this on three occasions in the last four months, including yesterday.

Just as an internal follow up it might be a good idea to get with the Orlando teams and ask them internally if they know of issue with elevated privileges using the admin role, as I think that is where i always get told this from.

Richard101 · ‎08-28-2017

Mark (and any future readers),

I recently submitted this question to HI. This was their response:

I would not recommend making the admin role an "elevated" role. There is no issue with scheduled jobs (I tested this), but I found that the "Impersonate" option disappears, even after elevating. I then discovered a Problem Record that had been opened for this issue, PRB665862, but it was closed as "Won't fix" - After considering the severity and frequency of the issue, and the cost and risk of attempting a fix, it was decided not to address issue.

I also found another issue concerning admin an elevated role, where Form Designer changes are not saved. This also had an associated Problem Record, PRB652888, which was also closed as "Won't fix" for the same reasons detailed above.

The best solution is probably the one that you put forth: creating a new role that contains admin and making IT an elevated role. I can't foresee any issues there, but of course, test this out in a sub-production instance to be sure it will meet your needs.

Their answer make sense to me, and we will try testing creating a role that contains admin and making that an elevated role.