How do you handle users requesting admin role on a non-prod instance?
‎05-31-2017 12:13 PM
I'm relatively new as an admin and feel leery about granting admin access to a developer, even if it is on non-prod. Are my concerns unfounded? If you do this, what is the best practice to follow? Any advice is appreciated.
Labels: Best Practices

‎05-31-2017 12:18 PM
Hi Donna,
You can grant the admin role to developers for a non-prod instance since they will need the admin role to develop, customize, integrate and troubleshoot on the platform.
As a best practice, you could develop a process (build a catalog item and workflow) to grant the admin role for the non-prod instance so that you can track the justification and history of admin requests.
Usually, developers do not need the admin role on the production instance since the administrator will be maintaining the production instance with their admin role.
Regards,
Sachin
‎05-31-2017 12:26 PM
Are my concerns unfounded?
Not at all. If you grant the admin role to a user, there is no foolproof way to stop them from making mistakes.
Based on what they need to configure, you might want to take a more detailed look at the various *_admin roles in the system.
e.g. the catalog_admin role allows users to manage the Service Catalog application, including Catalog categories and items.
Additionally, for scoped apps, delegated development is also an option: Delegated development
‎05-31-2017 12:38 PM
Hi Donna,
ServiceNow developers must have admin rights to do their job. The typical pattern is to do the work in a Dev instance and then move it to a QA/Test instance for testing. Other "developers" are just customers and should not be granted admin on your system. I find it helpful to instruct power-users on how to obtain their own dev instance from developer.servicenow.com.
ServiceNow sub-prod instances are unique animals; changes in sub-prod are easily (accidentally) captured in update sets and moved into production. Only members of the core dev/admin team (which communicates with other members regularly about changes) should have access.
The data in sub-prod is ostensibly the same as (albeit slightly behind) what is in prod, so all of the data privacy and security concerns are the same. Admin allows users to bypass most ACLs and get to almost anything: Security Incidents, PII, Risk Exceptions, user data protected by foreign privacy laws, sensitive legal-hold related records, etc. I would refer these users to audit. Our audit team is scrupulous about minimizing the number of users with admin access on our system. We even had to create custom functionality to control / log all admin access to our system.
We have the luxury here of having a Lab instance. If somebody is vetted and absolutely must have access, we grant them admin access there.
Regards,
Trey Carroll
ServiceNow Dev Team Lead
GM Financial
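Added example, not part of any post in this thread and not ServiceNow code: a small offline check that reconciles current admin role grants on non-prod instances against the approved, time-boxed requests that a tracking process like the ones described above would record. The record shapes, field names, user names and dates are constructed assumptions.

```javascript
// Constructed sample data; the field names are assumptions for this example.
const roleGrants = [
  { user: 'dev.alice', role: 'admin', instance: 'dev' },
  { user: 'dev.bob', role: 'admin', instance: 'test' },
  { user: 'biz.carol', role: 'catalog_admin', instance: 'dev' },
  { user: 'dev.dave', role: 'admin', instance: 'dev' },
  { user: 'dev.erin', role: 'admin', instance: 'test' },
];
const approvedRequests = [
  { user: 'dev.alice', role: 'admin', instance: 'dev', expires: '2017-12-31' },
  { user: 'dev.bob', role: 'admin', instance: 'test', expires: '2017-05-01' },
  { user: 'dev.erin', role: 'admin', instance: 'dev', expires: '2017-12-31' },
];

// An approval only covers the exact user, role and instance it was raised for.
const key = (r) => `${r.user}|${r.role}|${r.instance}`;

// Returns one finding per admin grant that lacks a current approved request.
// Dates are ISO yyyy-mm-dd strings, so string comparison orders them correctly.
function reviewAdminGrants(grants, requests, today) {
  // Keep only the latest-expiring approval per user/role/instance.
  const latest = new Map();
  for (const r of requests) {
    const prev = latest.get(key(r));
    if (!prev || r.expires > prev.expires) latest.set(key(r), r);
  }
  const findings = [];
  for (const g of grants) {
    if (g.role !== 'admin') continue; // narrower *_admin roles are not reviewed here
    const req = latest.get(key(g));
    if (!req) {
      findings.push({ ...g, finding: 'no-approved-request' });
    } else if (req.expires < today) {
      findings.push({ ...g, finding: 'approval-expired', expired: req.expires });
    }
  }
  return findings;
}

console.log(reviewAdminGrants(roleGrants, approvedRequests, '2017-05-31'));
```

The findings list is what an access review would act on: grants to revoke or requests to renew.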
‎05-31-2017 02:44 PM
For us it depends on the type of developer... if it is a business IT developer we ONLY allow it in sandbox... for SNOW developers they need it in all non-prod environments... they can't select an update set without admin rights after all.