Enrolling ACR (Account Recovery Users) loses admin role when logged in

Nisha30
Kilo Sage

Hi,

We have Multi SSO enabled for Authentication (Azure)

LDAP for User provisioning

For Security hardening we have added users as ACR to be compliant

Issue: ACR users (who have admin roles), when they log in, no longer have the admin roles; it is only self-service.

If ACR loses the role there is no purpose as Account Recovery, as the user can't perform any ServiceNow tasks.

Can anyone help with how to implement this? I have gone through the ServiceNow documentation; it is straightforward but did not help.

Thanks

Accepted solution

LearnUseThrive
Mega Sage

I don't see it right now, but somewhere in the documentation I read that Account Recovery Users have very limited permissions to address certificate issues for login, to prevent a local account from having god mode admin permissions, so it should only be used to fix login issues, not for general administrative tasks. 


12 replies

Did it work for you? I tried this before seeing your suggestion and it did not work.

The non-ACR enabled admin account faces a "Username or password is invalid" error on /login.do.

The ACR enabled admin account can log in on /login.do with access to only SSO / cert related configurations (which is by design).

We also opted to disable ACR and ignore the Healthscan recommendation because we have a particular use case where admin login via UI is necessary.

Sravan Krishna
Tera Contributor

What happens to Service Accounts if we enable SSO? Any idea?

Although it should not touch non-interactive logins, unfortunately this was not the case when we enabled ACR - it killed many of our integrations in prod 🙂 Apparently there is a defect with ACR, which we learned about the hard way, so be careful if you are planning to enable ACR 🙂

Defect with ACR: OAuth token fails to get access token when Account Recovery (ACR) is enabled on the instance - Known...