Admin for devs/BAs after a clone?

Chris H2
Giga Guru

Dear community,

After a clone from production to one of our 8 sub-production instances, we need members of certain groups (Developers, Testers, BAs, Trainers) to have/keep the admin role. These groups/users don't have admin in Prod due to our organisation's security policy. I don't want to use Data Preserve Rules, otherwise I would have to manually set up new sub-production admins (/ remove this access) in each instance every time someone joins/leaves.

I tried writing a Clone Cleanup Script to automatically reset admin access every time there is a clone. This works when I run it as a background script, but fails when the clone runs:

// Grant admin to specified groups in all sub-prod instances
var logSource = 'PostCloneScript';

// List of groups to grant admin role
var subProdAdminGroups = [
	'0a52d3dcd7011200f2d224837e6103f2', // ServiceNow Developers
	'f10d0444ffa33100158bfffffffffff3', // ServiceNow Testers
	'3cc3c7680b982300cac6c08393673a03', // ServiceNow BAs
	'2156c3a80b982300cac6c08393673a7e' // ServiceNow Trainers
];

// Delegate admin role to each group
var message = ['Delegating admin to groups'];
for(var i in subProdAdminGroups){
	var groupID = subProdAdminGroups[i];

	// Get group GR to print name in logs
	var groupGR = new GlideRecord('sys_user_group');
	if(groupGR.get(groupID)){
		try{
			var groupName = groupGR.getValue('name');

			// Check if group already has admin role
			var groupRoleGR = new GlideRecord('sys_group_has_role');
			groupRoleGR.setLimit(1);
			groupRoleGR.addQuery('role','2831a114c611228501d4ea6c309d626d'); // admin
			groupRoleGR.addQuery('group',groupID);
			groupRoleGR.query();

			// Remove if group already has admin; clean assignment is better for inherited roles
			if(groupRoleGR.next()){
				groupRoleGR.deleteRecord();
			}

			// Delegate admin role
			groupRoleGR.initialize();
			groupRoleGR.setValue('role','2831a114c611228501d4ea6c309d626d'); // admin
			groupRoleGR.setValue('group',groupID);
			var result = groupRoleGR.insert();
			message.push((result ? 'Success - admin role' : 'Error - admin role not') + ' granted to group ' + groupName + '\n');
		}
		catch(e){
			gs.log('Error message thrown when trying to delegate admin to group:\n' + e.message,logSource);
		}
	}
	else{
		message.push(['Error - group with sys_id ',groupID,' does not exist'].join(''));
	}
}

gs.log(message.join('\n'),logSource);

There are no errors caught on line 42; the logged message on line 51 appears confirming failure, but the following warning does appear in the logs:

User system does not have the role 'sn_templated_snip.template_snippet_admin' which is required to grant/remove 'sn_templated_snip.template_snippet_admin' under application administration, Resource: 'record/sys_group_has_role/create'

(Source: RoleAccessHandler)

It looks like the system user lacks the access to delegate one of the admin-inherited roles. Is there any way to grant the system user this access?

Otherwise, I can't be the only one with this problem - does anyone else use anything besides a post-clone cleanup script?

Look forward to hearing everyone's thoughts,

Chris
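An added example (not part of the original post and not ServiceNow code): a Node.js helper that parses RoleAccessHandler warnings of the form quoted above from exported log text and summarises which role the acting user lacks for which resource, which is useful evidence when raising a support case. Only the first sample line comes from the post; the other lines, including the role name x_example.app_admin, are constructed for illustration.

```javascript
// Message layout taken from the warning quoted in the post.
const DENIAL = new RegExp(
  "^User (\\S+) does not have the role '([^']+)' which is required to " +
  "grant/remove '([^']+)' under application administration, " +
  "Resource: 'record/([^/']+)/([^/']+)'$"
);

// Parse one log message; returns null for lines that are not role denials.
function parseDenial(line) {
  const m = DENIAL.exec(line.trim());
  if (!m) return null;
  return { user: m[1], requiredRole: m[2], targetRole: m[3], table: m[4], operation: m[5] };
}

// Group denials by (user, missing role) and collect the affected resources.
function summariseDenials(logText) {
  const byRole = new Map();
  for (const line of logText.split(/\r?\n/)) {
    const d = parseDenial(line);
    if (!d) continue;
    const key = d.user + "|" + d.requiredRole;
    const entry = byRole.get(key) ||
      { user: d.user, requiredRole: d.requiredRole, count: 0, resources: new Set() };
    entry.count += 1;
    entry.resources.add(d.table + "/" + d.operation);
    byRole.set(key, entry);
  }
  return [...byRole.values()].map(e => ({ ...e, resources: [...e.resources].sort() }));
}

const SNIP = "sn_templated_snip.template_snippet_admin";
const SAMPLE_LOG = [
  // From the post:
  `User system does not have the role '${SNIP}' which is required to grant/remove '${SNIP}' under application administration, Resource: 'record/sys_group_has_role/create'`,
  // Constructed lines:
  `User system does not have the role '${SNIP}' which is required to grant/remove '${SNIP}' under application administration, Resource: 'record/sys_group_has_role/delete'`,
  "User system does not have the role 'x_example.app_admin' which is required to grant/remove 'x_example.app_admin' under application administration, Resource: 'record/sys_user_has_role/create'",
  "Delegating admin to groups",
].join("\n");

for (const e of summariseDenials(SAMPLE_LOG)) {
  console.log(`${e.user} lacks ${e.requiredRole}: ${e.count} denial(s) on ${e.resources.join(", ")}`);
}
```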

1 ACCEPTED SOLUTION

Kieran Anson
Kilo Patron

This is part of KB0784172 which was fixed in London (PRB1281549).

Might be worth reaching out to HI to ensure your system user has this role added and your instance is correctly patched to avoid this sort of mishap in other areas.


7 REPLIES

Hi Kieran,

A HI Case managed to indicate that this is indeed the same Problem as you had indicated, which is targeted for resolution in Orlando Patch 9 (due late November), and Paris. All of course subject to the usual 'safe harbor' caveats.

Thanks for your help.

Kind regards,
Chris

Thanks for getting back to us Chris!

@Kieran Anson great find!

Ah glad to hear they've got a patch lined up and thanks for getting back and adding value to this post. Will help others with this issue and hopefully save them some time and stress.