Prevent an admin from specific deletions in background script
4 hours ago
Hello,
Is it possible to prevent background script deletion of only a specific table like sys_user for admin users?
So, for example:
We want to prevent users with the admin role from executing deletions on the sys_user table.
Thank you in advance.
4 hours ago
You can't stop it from background script.
You can create a before delete BR on sys_user and check who is deleting it.
But why would someone delete a user via script from Production?
What's the actual requirement?
💡 If my response helped, please mark it as correct ✅ and close the thread 🔒— this helps future readers find the solution faster! 🙏
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
2 hours ago - last edited 2 hours ago
The actual requirement is that we need to exclude a specific group of admin users from seeing and accessing specific data and also secure this style of setup to prevent these admins from removing themselves again from this setup.
First part is already solved via group, role, security attribute and data filter.
Second part is also solved besides this background script execution "hole".
So, currently these specific admins could remove themselves from the group via script execution.
2 hours ago
You want to stop them from deleting records from sys_user_grmember?
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
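An added example (not code from any poster in this thread) of the before delete business rule suggested above, applied to sys_user_grmember so that members of the restricted group cannot remove memberships of that group. The group name, the function name and the stub objects are assumptions made for illustration; the rule only runs when the deleting script leaves business rules enabled, so it serves as a guard and audit point rather than a hard control.

```javascript
// Added example: logic for a "before delete" business rule on sys_user_grmember.
// ASSUMPTION: the group name below is hypothetical, not taken from the thread.
const RESTRICTED_GROUP = 'Restricted Admins';

// On an instance the platform supplies `current` (the GlideRecord being deleted)
// and `gs` (GlideSystem). They are parameters here so the logic also runs offline.
function guardMembershipDelete(current, gs) {
  // Only memberships of the restricted group are protected.
  if (current.group.getDisplayValue() !== RESTRICTED_GROUP) return false;
  // Members of that group may not remove anyone from it, themselves included.
  if (!gs.getUser().isMemberOf(RESTRICTED_GROUP)) return false;
  gs.warn('Blocked delete of membership ' + current.getUniqueValue() +
          ' in ' + RESTRICTED_GROUP + ' by ' + gs.getUserName());
  gs.addErrorMessage('Members of ' + RESTRICTED_GROUP + ' cannot change its membership.');
  current.setAbortAction(true); // cancels the pending delete
  return true;
}

// Constructed stand-ins for the platform objects (sample data, offline use only).
function stubRecord(groupName) {
  return {
    aborted: false,
    group: { getDisplayValue: () => groupName },
    getUniqueValue: () => 'constructed_sys_id',
    setAbortAction(flag) { this.aborted = flag; },
  };
}
function stubGs(userName, groups) {
  const log = [];
  return {
    log,
    getUser: () => ({ isMemberOf: (g) => groups.includes(g) }),
    getUserName: () => userName,
    warn: (m) => log.push(m),
    addErrorMessage: () => {},
  };
}

// Runs three constructed cases; returns which deletes were aborted.
function demo() {
  const cases = [
    [stubRecord(RESTRICTED_GROUP), stubGs('restricted.admin', [RESTRICTED_GROUP])],
    [stubRecord(RESTRICTED_GROUP), stubGs('security.admin', [])],
    [stubRecord('Service Desk'), stubGs('restricted.admin', [RESTRICTED_GROUP])],
  ];
  return cases.map(([rec, gs]) => { guardMembershipDelete(rec, gs); return rec.aborted; });
}
```

On an instance, the function body goes inside the business rule's script with the platform-provided `current` and `gs`; the stubs and `demo()` are only for running it outside the platform.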
4 hours ago
Hi @Anton42
To prevent admins from executing dangerous deletions via background scripts, best practices involve leveraging platform-level security controls rather than relying on the script's code itself.
Refer to this ServiceNow documentation: Restrict access to background script [Updated in Security Center 1.3 and 2.0] • Zurich Platform secu...
2 hours ago - last edited 2 hours ago
That would block the whole background script execution which will be too much. We just want to prevent them from executing deletions on a specific table.
Anyways, I am wondering what the difference is between this property and the new "scripting governance" function....
