Delegated Development: Can developer edit ACLs without security admin?

bgworld
Giga Expert

Hi All,

We are setting up teams in a large organization where one instance is used by many teams to develop various scoped applications. To manage application access for developers, we are using delegated development.

Challenge: After being given "manage ACLs and Roles" access, developers are able to read the ACLs but are not able to edit or create new ACLs.

When using delegated development, is the security admin role still required to edit ACLs? If yes, how do I control that developers are able to edit ACLs only for their application, not other applications?


5 REPLIES

Brandon Barret1
Mega Sage

This documentation should tell you more, but you should be able to set permissions for your developer to read ACLs, but you may need to give them elevated permissions to create them:

https://docs.servicenow.com/bundle/newyork-application-development/page/build/applications/task/t_AddADeveloper.html

bgworld
Giga Expert

Thank you for replying Brandon. I referred to the post but it does not mention clearly if read or write access is provided. Here is the text from the docs site.

Manage ACLs & Roles: Grants the assigned developer access to security-related file types such as access controls and user roles.

Allen Andreas
Administrator

Hi,

You'd need to give security_admin to them to be able to work with ACLs... as far as how to limit what ACLs they can alter... you'd most likely need to go with a BR query on the ACL table... and set conditions on what they can see (so limit their query to just table (x,y,z)). It's a bit of an odd situation because giving them permission to ACLs... sort of opens the door... then trying to limit it with a BR could be sketchy. You'd want to try that out and see how it goes.

https://docs.servicenow.com/bundle/newyork-application-development/page/script/business-rules/concep...

So you may have to tap into how they are separated in your instance. Is it by company or department or something? Somehow you'll need to query for that flag... then use that flag to define their query for the ACL table.

Please mark reply as Helpful/Correct, if applicable. Thanks!


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!
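
The before-query business rule idea from the reply above, sketched as an added example (not code from the thread or from ServiceNow). It assumes the rule runs on `sys_security_acl` and filters on its `sys_scope` field; `scopesFor` is a hypothetical lookup from a user to the application scopes they develop, and the `fake*` objects are constructed stand-ins for the platform's `current` and `gs` so the logic runs outside an instance.

```javascript
// Body of a before-query business rule on sys_security_acl (added example).
// scopesFor: hypothetical lookup, user sys_id -> array of application scope sys_ids.
function limitAclQuery(current, gs, scopesFor) {
    // Do not exempt security_admin here: the delegated developers hold it.
    if (gs.hasRole('admin')) {
        return 'unrestricted';             // full admins keep the normal view
    }
    var scopes = scopesFor(gs.getUserID()) || [];
    if (scopes.length === 0) {
        current.addQuery('sys_id', '-1');  // fail closed: matches no record
        return 'denied';
    }
    current.addQuery('sys_scope', 'IN', scopes.join(','));
    return 'scoped';
}

// Constructed stand-in for the GlideRecord passed to the rule as `current`.
function fakeQuery() {
    var q = { conditions: [] };
    q.addQuery = function () {
        q.conditions.push(Array.prototype.slice.call(arguments));
    };
    return q;
}

// Constructed stand-in for `gs` with only the two calls the rule uses.
function fakeSession(userId, roles) {
    return {
        getUserID: function () { return userId; },
        hasRole: function (role) { return roles.indexOf(role) !== -1; }
    };
}

// Constructed sample mapping; a real instance would derive this from its own data.
var SAMPLE_SCOPES = { dev_a: ['scope_app_one', 'scope_app_two'], dev_b: [] };
function sampleLookup(userId) { return SAMPLE_SCOPES[userId]; }

// Runs the rule for one user and returns the outcome plus the conditions it added.
function demo(userId, roles) {
    var q = fakeQuery();
    var outcome = limitAclQuery(q, fakeSession(userId, roles), sampleLookup);
    return { outcome: outcome, conditions: q.conditions };
}
```

A query rule like this only narrows which ACL records a query returns, which matches the reply's "what they can see"; it is not a write check on its own.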