How do I provide access to users to create instance scan checks?

Peter20
Tera Contributor

From the Create a Check KB, it indicates you need scan_admin. I'm not finding that role on my PDI and according to this blog post, that role has been deprecated.

I have a use case where I need to selectively provide users with the ability to create instance scans and providing them with admin is out of the question. This is a functionality that SHOULD be provided OOB by ServiceNow, so I am not understanding why this was deprecated and users have to recreate this themselves.

Nevertheless, I tried recreating it using ACLs. I have created CRUD ACLs for the below tables. However, when I impersonate a user to create a check, I am not getting the entire form. See the 2 screenshots for what it should look like (as admin in PDI) vs when I impersonate a user and what it actually looks like for the missing "conditions" and "advanced" fields that are not there.

I am looking for an OOB solution to provide or support on modifying the existing ACLs to be able to create the checks.

  1. scan_check
    1. Permissions: create / read / write / delete
  2. scan_check_suite
    1. Permissions: create / read / write / delete
  3. scan_table_check
  4. scan_column_type_check
  5. scan_script_only_check
  6. scan_linter_check

4 REPLIES

Bert_c1
Kilo Patron

I have the role 'scan_user' in my PDI with description "Users with this role can initiate and view the results of scans."

I haven't tested though.

Peter20
Tera Contributor

Sorry, but this is not helpful. scan_user is the ability to INITIATE scans; I need an OOB role that will create scans.

Peter, I believe only users with admin can create scans. The scan_user role is limited to running and viewing scans, not creating. Best of luck!

Hi Loren, thanks for your response. This doesn't seem like it fulfills the principles of "least privilege" as there are use cases where a user needs to create an instance scan, but it's inappropriate for them to receive admin.