Create an auditor role

Lucien1
Giga Expert

Hi all,

We are just about to have an audit and I have been asked to come up with a solution for allowing the auditors "Read Only" access into SN. After reading all the forums to see what other admins have done, I am still lost as to what route is best. Now I know ACLs are what a lot of guys have suggested, but there has to be a better way of doing this, and I am a bit wary about going down this route as we will be upgrading from Calgary to Eureka whilst they complete the audit.

Can anyone out there who has completed this please share what they have done?

Thanks all,

Lucien

1 ACCEPTED SOLUTION

Hey Lucien,



Unfortunately, this solution requires the use of those roles. To allow visibility without any role usage, you would certainly have to go down the ACL route (no fun). Depending on the length of the audit engagement, perhaps you could shift things around temporarily to accommodate the auditors? Sorry there isn't an easier role-free solution!



18 REPLIES

That is a great idea, however, we do not have an instance to do this. During implementation we decided to only go with 2 instances, DEV and PRD. I am constantly seeing the requirements for 3 or more instances over and over again.



Thanks again.


garyopela
ServiceNow Employee

Hey, I did want to update this. ServiceNow now has the snc_read_only role, which will simply revoke write/delete access platform-wide. So you can create an account, give it both admin and snc_read_only, and they will be able to see everything, but change nothing. Unfortunately for whoever was having issues with roles, this does require roles. It's hard to govern anything security-related without using roles, as roles are the basis for security.


Hi Gary,



We came across this role a few days before you updated this forum. The new role works great (if you are an external auditor and don't need to log personal tickets either via ESS or the self service homepage).



There is a slight flaw: we have internal auditors that regularly validate our work. They require the ability to have read-only rights. This role helps with that; however, they can no longer use any form of self-service functionality or update any record that they are considered to be the owner of, e.g. an incident or request.

Anyone that decides to use this role needs to understand that there are drawbacks where their users lose functionality that they might require.



Regards,



Lucien


garyopela
ServiceNow Employee

Yes, that is a very good point. We have, for this one customer, set up where we are going to create separate accounts that can be used with this purpose. The other idea is to have a catalog item where they can 'check out' this ability, it would then grant it to their regular accounts (which would make them read only tool wide) for a certain amount of time, then remove it and kill their session. They log back in and they are good to go. I think we're going to go the route of having accounts which they can check out that have this ability.


I do like the checkout option and I can see potential with this function.



Thank you for the update and what you believe the route ServiceNow will take in resolving this tweak.



Regards,



Lucien