itil_user group read only because of security role issue
‎04-02-2019 12:09 PM
Hi all, we just upgraded our DEV instance to Madrid and running into a little problem with some security incident roles...
It seems that for some reason our itil_user group is being locked down to read only format which is not allowing us to add users to the group. We get a "user is not authorized to perform this action" error. We can however bypass this by elevating our roles to sn_si.admin role. After doing some digging we have a 'sn_si.external' role that is a part of our 'itil' role and it seems that is causing the lockdown of the group because the itil role is attached to the group. I have removed the sn_si.external role from the itil role and that did the trick, but in our Jakarta instance we have the sn_si.external role added to our itil role and we are able to edit our itil user group without elevation. Any ideas on why this might be occurring?
I tried disabling all sys_user group ACLs, I tried adding user_admin to the sn_si.admin role and nothing seems to work.
Labels: Upgrades and Patches
‎12-18-2019 07:13 AM
Yes, I did that; even then, unable to add.
Tried in another way as well, I have kept only core.admin role in the group. Even then the same. As soon as any HR role is added to the group this is behaving in this way in NY. If any other role than an HR role is added, then everything is fine.
‎01-25-2020 04:31 AM
Hello Akhila,
I am facing the same issue, HR Admin is unable to add members to a group if the Group contains 'sn_hr_core.admin' Role (OR) 'sn_hr_core.global_case_writer' Role (OR) 'sn_hr_core.er_agent' Role. Were you able to resolve this issue, have you tried it with the HI Team? Please let me know.
Thank you so much!
‎12-18-2019 06:57 AM
I have fixed this situation. Our itil_user group contained a role called si_external which is a role that only when elevated to si admin can use in order to edit groups. We just needed to remove that role from our itil_user group and created a new group to hold the si_external role in. This will allow us to edit the original itil_user group.
Make sure your group does not contain a role that is locked down to an elevated role. Also, make sure that you have no roles in that group that give other roles, for instance itil_admin role gives a whole bunch of roles with it. If one of those roles is a role that needs to be elevated it will lock the group down. Hope this helps.
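The check described in the post above (a group's roles can bring in other roles, and one of those may be a restricted role), as an added example that is not part of the original thread. It is plain JavaScript over constructed data: the role names come from the thread, while the containment edges, the group names other than itil_user, and the contents of the restricted set are assumptions.

```javascript
// Constructed sample data, not exported from any instance.
// roleContains: role -> roles it grants (assumed edges for illustration).
const roleContains = {
  itil_admin: ["itil"],
  itil: ["sn_si.external"],
  "sn_si.external": [],
};
// groupRoles: group -> roles attached directly to the group.
// Group names other than itil_user are hypothetical.
const groupRoles = {
  itil_user: ["itil"],
  itil_leads: ["itil_admin"],
  si_external_users: ["sn_si.external"],
  hr_staff: ["sn_hr_core.admin"],
};
// Roles treated as restricted; which roles belong here is an assumption.
const restrictedRoles = new Set(["sn_si.external"]);

// Breadth-first walk from the directly attached roles through everything
// they contain. Returns one "a -> b -> c" path per restricted role reached.
function pathsToRestricted(directRoles, contains, restricted) {
  const hits = [];
  const seen = new Set(); // guards against cyclic role containment
  const queue = directRoles.map((r) => [r]);
  while (queue.length > 0) {
    const path = queue.shift();
    const role = path[path.length - 1];
    if (seen.has(role)) continue;
    seen.add(role);
    if (restricted.has(role)) hits.push(path.join(" -> "));
    for (const child of contains[role] || []) queue.push([...path, child]);
  }
  return hits;
}

// Report only the groups that reach a restricted role, with the path that
// shows which attached role brings it in.
function auditGroups(groups, contains, restricted) {
  const report = {};
  for (const [group, roles] of Object.entries(groups)) {
    const hits = pathsToRestricted(roles, contains, restricted);
    if (hits.length > 0) report[group] = hits;
  }
  return report;
}

console.log(auditGroups(groupRoles, roleContains, restrictedRoles));
```

The path in each result names the directly attached role to move out of the group, which is the role to relocate into a separate group as the post describes.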
‎12-18-2019 07:16 AM
Is the si.external role a customized role? I am using sn_hr_core.admin role and as you see in the screenshot provided, the elevated privileges are false.