How do I stop users with user_admin role adding themselves to the admin role?

Wayne Richmond
Tera Guru

I've given various IT staff the user_admin role so they can update user groups but I've noticed they're also able to give themselves the admin role. How can I prevent this?

I've tried changing the Read rule on the sys_user_role table to only include the role_delegator role (removing itil and user_admin) and while this appears to work, it has undesired knock-on effects elsewhere.

1 ACCEPTED SOLUTION

Tim Deniston
Mega Sage

You would need a business rule on the sys_user_has_role table that aborts the insert of the User Role record if the user does not have Admin.



This should be run on Insert and onBefore.



// Before-insert business rule on sys_user_has_role:
// don't allow user_admin to assign the admin role without already having admin.
function onBefore(current, previous) {
  // current.role is a reference field; look the role up by its sys_id value.
  var role = new GlideRecord("sys_user_role");
  if (!role.get(current.getValue("role"))) {
    return; // role reference not found, nothing to check
  }

  // gs.hasRole() checks the logged-in user performing the insert, not the target user.
  if (role.getValue("name") == "admin" && !gs.hasRole("admin")) {
    gs.addErrorMessage(gs.getMessage("You cannot assign the admin role without already having the admin role."));
    current.setAbortAction(true);
  }
}


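The accepted rule only inspects direct grants on sys_user_has_role, and only on insert. A user with user_admin can also reach admin indirectly: by joining a group that carries the admin role (sys_user_grmember plus sys_group_has_role), by granting admin to a group, or by being granted a custom role whose contains_roles includes admin. Setting the rule to run on Update as well closes the route of editing the role field of an existing record. The following is an added example, not code from the thread or from ServiceNow: it models the "may this actor confer admin?" decision as plain JavaScript over constructed in-memory stand-ins for those tables, so it runs offline. The table contents and the role name platform_super are assumptions for illustration; inside an instance the same checks would be GlideRecord queries against the named tables, with gs.hasRole("admin") for the actor test.

```javascript
// Added example, not code from the thread. Pure JavaScript model of the
// "may this actor hand out admin?" decision that a before business rule
// would make, extended to the indirect routes a rule on sys_user_has_role
// alone does not see. Runs offline: the tables below are constructed
// stand-ins for the ServiceNow tables named in the comments.

// sys_user_role.contains_roles: a role may include other roles.
// "platform_super" is a constructed example of a custom role that contains admin.
const ROLE_CONTAINS = {
  admin: [],
  security_admin: [],
  itil: [],
  user_admin: [],
  platform_super: ["admin"],
};

// sys_group_has_role: every member of the group (sys_user_grmember) inherits these roles.
const GROUP_ROLES = {
  "Platform Owners": ["admin"],
  "Service Desk": ["itil"],
};

// Transitive closure over contains_roles, starting from the given role names.
function expandRoles(roleNames) {
  const seen = new Set();
  const queue = [...roleNames];
  while (queue.length > 0) {
    const role = queue.shift();
    if (seen.has(role)) continue;
    seen.add(role);
    for (const child of ROLE_CONTAINS[role] || []) queue.push(child);
  }
  return seen;
}

// Would a user who receives these direct roles and group memberships end up with admin?
function grantsAdmin(directRoles, groupNames) {
  const viaGroups = groupNames.flatMap((g) => GROUP_ROLES[g] || []);
  return expandRoles([...directRoles, ...viaGroups]).has("admin");
}

// Decision a before-insert/update rule would make. actorRoles are the roles of the
// logged-in user (what gs.hasRole() consults in an instance); change describes the
// record being written: { table, role } or { table, group }.
// Returns { abort, reason } so a rule could pass abort to current.setAbortAction().
function evaluateChange(actorRoles, change) {
  if (expandRoles(actorRoles).has("admin")) {
    return { abort: false, reason: "actor already holds admin" };
  }
  let wouldGrantAdmin = false;
  switch (change.table) {
    case "sys_user_has_role":  // direct grant to a user
    case "sys_group_has_role": // grant to a group, inherited by all its members
      wouldGrantAdmin = grantsAdmin([change.role], []);
      break;
    case "sys_user_grmember":  // joining a group that already carries admin
      wouldGrantAdmin = grantsAdmin([], [change.group]);
      break;
    default:
      wouldGrantAdmin = false;
  }
  return wouldGrantAdmin
    ? { abort: true, reason: "change would confer admin and the actor is not an admin" }
    : { abort: false, reason: "change does not confer admin" };
}
```

The point of modelling all three tables in one function is that each of them needs its own before rule: blocking the direct grant alone leaves a user_admin free to add themselves to "Platform Owners" or to give that group admin, and the transitive closure over contains_roles catches roles that include admin without being named admin.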


Chuck Tomasi
Tera Patron

Hi Wayne,



Have you tried the no-tech approach first? Tell them - having the user_admin role is a trusted position. Adding admin to your own account is a violation of that trust much like we trust our email administrators not to read the CEO's confidential email. Violation of that trust may have consequences including termination.


Thanks Chuck. Most people know this, however I'm trying to bring other areas of the business into using ServiceNow, teams like Legal and Internal Audit, and they ask questions like "who can see the tickets?". I always say 'only you and the system admins', which whilst true, doesn't extend to 'anyone who could give themselves access', which is at least 20 users.


Thanks Wayne.



If data privacy is an issue, you may want to take a look at Application Administration. This is the method we use on the scoped HR app to keep out people with the 'admin' role from seeing the HR data. You need to be an HR admin, which is an extension of admin available to only a few, to see that special information.



I believe this came out in Istanbul (could be Helsinki, but need to check). Something to consider.

