How to define a new role which can access system tables?

gee
Tera Guru

Hi Team,

I am looking to define a new role that can access system tables, such as the following tables.

  • sys_domain (Domains)
  • sys_glide_object (Field class)
  • sys_audit_delete (Audit Deleted Record)
  • sys_db_object (Database objects)
  • sys_dictionary (Dictionary Entry)

The current system property "glide.sm.default_mode" is set to Deny.

We do not want the admin & snc_read_only combination.

Testing failed when we gave READ *.* to all tables for a new role.

Is there any way to define a new role to access these tables?

Appreciate your valuable suggestions.

Thanks & Regards,

Gee

1 ACCEPTED SOLUTION

Two options:

Either use admin+snc_read_only like you noted above.

-or-

Create a new role for this integration, go to each table's ACL and add read access for that role, then apply it to the account doing the connection/integration with ServiceNow.

Docs: Access control rules

Docs: Contextual security

Security Best Practices - ServiceNow Wiki



7 REPLIES

Hi Gee,

Leave the property the way it is (deny). Changing that can have serious security ramifications, requiring you to identify all open access and secure it, rather than (deny) defaulting to closed, and identifying where you need to open things up.

Can you share how you gave read access to the user trying to access the table?


gee
Tera Guru

Hi Chuck,

Many thanks for the clarification. Sys tables require a specific/named ACL definition.

Best Regards,

Gee


Correct. Let me know if you need additional help on this.

Note: When granting read access to users or groups, be careful as this could impact your licensing. By default, users only have access to their own records (created by/opened by them). Approvers can see the records they approve, and if you go beyond that you may have license implications. Be sure you understand the cost ramifications with your ServiceNow account rep before opening access too far.
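The per-table ACL approach from the accepted solution, together with the finding that a READ *.* grant did not open these tables, can be verified with a small coverage audit before the integration account is tested. This is an added example, not part of the original thread or ServiceNow's own code; the flattened ACL row shape, the sample rows and the role name x_integration_read are constructed assumptions.

```javascript
// Added example: audit exported ACL rows for per-table read coverage.
// Constructed sample data; the flattened row shape (name, operation, type,
// active, roles) and the role name "x_integration_read" are assumptions.
const REQUIRED_TABLES = [
  "sys_domain", "sys_glide_object", "sys_audit_delete",
  "sys_db_object", "sys_dictionary",
];

const SAMPLE_ACLS = [
  { name: "*.*", operation: "read", type: "record", active: true, roles: ["x_integration_read"] },
  { name: "sys_domain", operation: "read", type: "record", active: true, roles: ["x_integration_read"] },
  { name: "sys_dictionary", operation: "read", type: "record", active: true, roles: ["admin"] },
  { name: "sys_db_object", operation: "read", type: "record", active: false, roles: ["x_integration_read"] },
  { name: "sys_glide_object", operation: "write", type: "record", active: true, roles: ["x_integration_read"] },
];

// Classify each required table: "ok" only when an active, table-named
// record read ACL carries the role. Wildcard rows never count, matching
// the thread's finding that a READ *.* grant did not open these tables.
function auditReadCoverage(acls, role, tables) {
  const report = {};
  for (const table of tables) {
    const named = acls.filter(
      (a) => a.name === table && a.type === "record" && a.operation === "read"
    );
    if (named.length === 0) {
      report[table] = "missing: no table-named read ACL";
    } else if (!named.some((a) => a.active)) {
      report[table] = "inactive: read ACL exists but is not active";
    } else if (!named.some((a) => a.active && a.roles.includes(role))) {
      report[table] = "role not attached to the active read ACL";
    } else {
      report[table] = "ok";
    }
  }
  return report;
}

// Tables that still need work before the integration account can read them.
function gaps(report) {
  return Object.keys(report).filter((t) => report[t] !== "ok");
}

const report = auditReadCoverage(SAMPLE_ACLS, "x_integration_read", REQUIRED_TABLES);
console.log(report);
console.log("still blocked:", gaps(report));
```

Keeping the required-table list explicit also keeps the role narrow, which fits the advice above to leave glide.sm.default_mode at Deny and open only what the integration needs.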