Prevent an admin from specific deletions in background script

Anton42
Tera Expert

Hello,

Is it possible to prevent background script deletion on only a specific table, like sys_user, for admin users?

So, for example:

We want to prevent users with the admin role from executing deletions on the sys_user table.

Thank you in advance.


Ankur Bawiskar
Tera Patron

@Anton42 

You can't stop it from background script.

You can create a before delete BR on sys_user and check who is deleting it.

But why would someone delete a user via script from Production?

What's the actual requirement?

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

The actual requirement is that we need to exclude a specific group of admin users from seeing and accessing specific data, and also secure this style of setup to prevent these admins from removing themselves again from this setup.

The first part is already solved via group, role, security attribute and data filter.

The second part is also solved, besides this background script execution "hole".

So, currently these specific admins could remove themselves from the group via script execution.

@Anton42 

You want to stop them from deleting records from sys_user_grmember?


Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
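
The before delete Business Rule suggested in the replies above, applied to sys_user_grmember, as an added example that is not code from any poster or from ServiceNow. The group name `Restricted Admins` and the function names are assumptions; `fakeRecord` and `fakeSystem` are constructed stand-ins for `current` and `gs` so the logic can be run outside an instance.

```javascript
// Added example: before-delete Business Rule logic for sys_user_grmember.
// Assumption: RESTRICTED_GROUP is a placeholder group name, not from the thread.
var RESTRICTED_GROUP = 'Restricted Admins';

// Decide whether the delete of this membership row must be aborted.
// current: GlideRecord of sys_user_grmember; gs: GlideSystem.
function shouldAbortDelete(current, gs) {
    // Only membership rows of the protected group matter.
    if (current.getDisplayValue('group') !== RESTRICTED_GROUP) {
        return false;
    }
    // Members of the restricted group may not remove anyone from it,
    // including themselves; admins outside the group still can.
    return gs.getUser().isMemberOf(RESTRICTED_GROUP);
}

// Business Rule body. Table: sys_user_grmember, When: before, Delete: checked.
// In the instance, call executeRule(current, gs) from the rule's script field.
function executeRule(current, gs) {
    if (!shouldAbortDelete(current, gs)) {
        return false;
    }
    gs.addErrorMessage('Members of ' + RESTRICTED_GROUP + ' cannot change its membership.');
    current.setAbortAction(true); // cancels the pending delete
    return true;
}

// Constructed stand-ins for GlideRecord and GlideSystem (not platform code).
function fakeRecord(groupName) {
    return {
        aborted: false,
        getDisplayValue: function (field) { return field === 'group' ? groupName : ''; },
        setAbortAction: function (flag) { this.aborted = flag; }
    };
}
function fakeSystem(memberOf) {
    return {
        messages: [],
        getUser: function () {
            return { isMemberOf: function (g) { return memberOf.indexOf(g) !== -1; } };
        },
        addErrorMessage: function (m) { this.messages.push(m); }
    };
}
```

As the first reply notes, this does not stop every background script, so treat the rule as one control alongside auditing of sys_user_grmember.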

Tanushree Maiti
Mega Sage

Hi @Anton42

To prevent admins from executing dangerous deletions via background scripts, best practices involve leveraging platform-level security controls rather than relying on the script's code itself.

Refer to this ServiceNow documentation: Restrict access to background script [Updated in Security Center 1.3 and 2.0] • Zurich Platform secu...

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect

That would block the whole background script execution, which will be too much. We just want to prevent them from executing deletions on a specific table.

Anyways, I am wondering what the difference is between this property and the new "scripting governance" function...