Enrolling ACR (Account Recovery Users) loses admin role when logged in

Nisha30
Kilo Sage

Hi,

We have Multi SSO enabled for Authentication (Azure)

LDAP for User provisioning

For security hardening we have added users as ACR to be compliant


Issue: ACR users (who have admin roles) no longer have the admin roles when they log in; they only have self-service.


If ACR loses the role, there is no purpose to Account Recovery, as the user can't perform any ServiceNow tasks.

Can anyone help with how to implement this? I have gone through the ServiceNow documentation; it's straightforward but did not help.

Thanks

1 ACCEPTED SOLUTION

LearnUseThrive
Mega Sage

I don't see it right now, but somewhere in the documentation I read that Account Recovery Users have very limited permissions to address certificate issues for login, to prevent a local account from having god mode admin permissions, so it should only be used to fix login issues, not for general administrative tasks. 



I ended up disabling it and will get another session in with SN to review. Conceptually it is good; in reality, it does not seem to work as expected, and it impacts the account used.


We did create an account specifically for this, but that had unwanted consequences of its own, which is why I disabled it until we can dig in further.


If I get additional information I'll post it.


David

If you have any additional information about enabling ACR in Production and its impact, could you please share?



@mathieu_brule wrote:

Yes, that's what I read too, but ACR also prevents any local connection...

So, as a consultant for my customer, I can't do anything in the platform if ACR is enabled (given that it's mandatory when activating Multi SSO).


We ended up having our vendors use a third-party identity provider to sign in now, CyberArk Idaptive. That way everyone is on SSO except the recovery account.

That's true, folks. I had a case raised with ServiceNow and it said that with ACR enabled the user will only have the ACR role if there is any issue related to SSO, so it means platform admin capability is no more if that user has ACR enabled.

We disabled it in production to avoid that panic.


Thanks all for your inputs.

Sravan Krishna
Tera Contributor

I am also facing the same issue. I think what we can do is create a new admin account and use that account as the Account Recovery (ACR) account, and we shouldn't enable ACR for the remaining admin accounts. Hope this works.


Thanks,

Sravan Krishna