How do I stop users with user_admin role adding themselves to the admin role?

Go to solution
Wayne Richmond
Tera Guru

‎05-17-2017 05:31 AM

I've given various IT staff the user_admin role so they can update user groups but I've noticed they're also able to give themselves the admin role. How can I prevent this?

I've tried changing the Read rule on the sys_user_role table to only include the role_delegator role (removing itil and user_admin) and while this appears to work, it has undesired knock-on effects elsewhere.

0 Helpfuls
  • 3,728 Views
1 ACCEPTED SOLUTION

Go to solution
Tim Deniston
Mega Sage

‎05-17-2017 05:38 AM

You would need a business rule on the sys_user_has_role table that aborts the insert of the User Role record if the user does not have Admin.



This should be run on Insert and onBefore.



// don't allow user_admin to assign admin role without already having admin:

function onBefore(current, previous) {

   var role = new GlideRecord("sys_user_role");

   role.get(current.role);


   if (role.getValue("name") == "admin" && !gs.hasRole('admin')) {

           gs.addErrorMessage(gs.getMessage("You cannot assign the admin role without already having the admin role."));

           current.setAbortAction(true);

   }

}

View solution in original post

9 REPLIES 9

Go to solution
Chuck Tomasi
Tera Patron

‎05-17-2017 05:37 AM

Hi Wayne,



Have you tried the no-tech approach first? Tell them - having the user_admin role is a trusted position. Adding admin to your own account is a violation of that trust much like we trust our email administrators not to read the CEO's confidential email. Violation of that trust may have consequences including termination.


Go to solution
Wayne Richmond
Tera Guru
In response to Chuck Tomasi

‎05-17-2017 05:41 AM

Thanks Chuck. Most people know this, however I'm trying to bring other areas of the business into using Service Now, teams like Legal and Internal Audit, and they ask questions like "who can see the tickets?". I always say 'only you and the system admins', which whilst true, doesn't extend to 'anyone who could give themselves access' which is at least 20 users.


Go to solution
Chuck Tomasi
Tera Patron
In response to Wayne Richmond

‎05-17-2017 05:46 AM

Thanks Wayne.



If data privacy is an issue, you may want to take a look at Application Administration. This is the method we use on the scoped HR app to keep out people with the 'admin' role from seeing the HR data. You need to be an HR admin, which is an extension of admin available to only a few, to see that special information.



I believe this came out in Istanbul (could be Helsinki, but need to check). Something to consider.


Go to solution
Tim Deniston
Mega Sage

‎05-17-2017 05:38 AM

You would need a business rule on the sys_user_has_role table that aborts the insert of the User Role record if the user does not have Admin.



This should be run on Insert and onBefore.



// don't allow user_admin to assign admin role without already having admin:

function onBefore(current, previous) {

   var role = new GlideRecord("sys_user_role");

   role.get(current.role);


   if (role.getValue("name") == "admin" && !gs.hasRole('admin')) {

           gs.addErrorMessage(gs.getMessage("You cannot assign the admin role without already having the admin role."));

           current.setAbortAction(true);

   }

}