Can a developer create ACLs without having admin or security_admin role?
‎07-04-2020 03:28 PM
Several developers are using a shared instance of ServiceNow, each with his/her own scope. Without granting admin or security_admin role to the developers, is there a way to assign roles to the developers such that they can create ACLs within their individual scopes? If so, what roles should they be assigned?
Thank you for your help.
- Labels: Scoped App Development

‎07-04-2020 03:55 PM
Hi
No, OOB creating an ACL needs the highest privilege, security_admin; even admin cannot play with ACLs. However, you can create a new role and add it to the sys_security_admin create/read/write ACL's condition, but I would never recommend it, as it could be a high security risk.
Please mark this correct & helpful if it answered your question.
Thanks & Regards,
Sharjeel
Muhammad
‎07-04-2020 06:08 PM
Hi Sharjeel.
Thank you for your reply. We need this only in the dev environment (not in prod). So I would like to explore this further or at least understand the risks better.
If they are assigned the sys_security_admin role, could it be limited to just that developer's scope? Or would it cause the developer to gain access to all scopes?
Thanks!

‎07-04-2020 06:59 PM
Hi MP,
Granting the sys_security_admin role to a developer can expose high security settings of the instance, i.e. Instance Security Dashboard, high security system properties, Authorizations, etc. This role is not limited to application scope. A developer with this role has access to all the scopes and security settings.
For a Scoped Application, you can allow delegate developers to manage ACLs under Security and Entitlements of Manage developer settings.
Please refer to below docs.
Please mark this correct & helpful if it answered your question.
Thanks & Regards,
Sharjeel
Muhammad
‎07-05-2020 08:36 PM
Thanks, Sharjeel. Appreciate your taking the time to reply.