Enrolling ACR (Account Recovery Users) loses admin role when logged in

Nisha30
Kilo Sage

Hi,

We have Multi SSO enabled for Authentication (Azure)

LDAP for User provisioning

For security hardening we have added users as ACR to be compliant

 

Issue: ACR users (who have admin roles) no longer have the admin roles when they log in; it's only self-service.

 

If ACR loses the role there is no purpose as Account Recovery, as the user can't perform any ServiceNow tasks.

Can anyone help with how to implement this? I have gone through the ServiceNow documentation; it's straightforward but did not help.

Thanks

1 ACCEPTED SOLUTION

LearnUseThrive
Mega Sage

I don't see it right now, but somewhere in the documentation I read that Account Recovery Users have very limited permissions to address certificate issues for login, to prevent a local account from having god mode admin permissions, so it should only be used to fix login issues, not for general administrative tasks. 


12 REPLIES

mathieu_brule
Kilo Sage

Hi Nisha,

 

I've just faced the same issue. Do you have any tips for recovering all admin access as an ACR user?

Rim1
Tera Contributor

What I noticed is that when you log in with your own user account through ACR, you are actually logged in as the ACR Recovery user; that's why you don't see your own roles, favorites, etc. Hopefully, that account has enough permissions to sort out SSO issues 🙂

 


 

LearnUseThrive
Mega Sage

I don't see it right now, but somewhere in the documentation I read that Account Recovery Users have very limited permissions to address certificate issues for login, to prevent a local account from having god mode admin permissions, so it should only be used to fix login issues, not for general administrative tasks. 

Yes, that's what I read too, but ACR also prevents any local connection...

So, as a consultant for my customer, I can't do anything in the platform if ACR is enabled (given that it's mandatory when activating multi SSO).

 

My solution: deactivate ACR. 🙂