Regarding roles in Scoped Application
10-12-2017 07:18 AM
Hi,
This is regarding the role connected to the application we are creating. In case an end user needs to view the application, what role must be provided?
Warm Regards
Kiren Kishore Pattathil
Labels: Scoped App Development
10-12-2017 07:35 AM
Did you try with the "public" role?
The link below may help you understand: http://wiki.servicenow.com/index.php?title=Legacy:Making_a_Survey_Public#Configuring_the_Survey_to_A...
10-12-2017 10:47 AM
Don't use the public role. There is an explicit roles plugin that contains the "snc_internal" role, which is better equipped to handle providing access to internal authorized users. Additionally, the public role may provide unintended access, as it is basically providing wide open access to any user on the instance.

10-12-2017 07:35 AM
By default, a scoped application creates a role for you e.g. x_scope.user. If you use the "Create new application" from Studio, it will also apply read, write, create, and delete roles on the table you create. This may not be exactly what you need, but it is a nice starting point.
For the application menu, the same role gets applied to the menu and module. So to answer your question, by default x_scope.user is required.
That doesn't mean you have to stick with this - and I recommend you tailor it to your needs. I often create a .user and a .admin role (sometimes more) to meet the persona requirements of my application.
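
An added example, not part of the replies in this thread and not ServiceNow code: plain JavaScript that resolves who effectively holds an application role such as x_scope.user, and whether the grant is direct, inherited through a group, or implied by a containing role. The x_scope.admin role name follows the ".admin" convention mentioned above; the users, groups and row shapes are constructed and only loosely modeled on ServiceNow's role tables.

```javascript
// Constructed sample rows (assumed shapes, not an export from a real instance).
const roleContains = [{ role: 'x_scope.admin', contains: 'x_scope.user' }];
const groupRoles = [
  { group: 'Security Analysts', role: 'x_scope.admin' },
  { group: 'Service Desk', role: 'itil' },
];
const groupMembers = [
  { user: 'alice', group: 'Security Analysts' },
  { user: 'bob', group: 'Service Desk' },
];
const directRoles = [
  { user: 'bob', role: 'x_scope.user' },
  { user: 'carol', role: 'x_scope.admin' },
];

// A role plus every role it contains, transitively (cycle-safe).
function expandRole(role, seen = new Set()) {
  if (seen.has(role)) return seen;
  seen.add(role);
  for (const rc of roleContains) {
    if (rc.role === role) expandRole(rc.contains, seen);
  }
  return seen;
}

// Map of user -> Map of role -> list of grant paths.
function effectiveRoles() {
  const out = new Map();
  const grant = (user, role, source) => {
    for (const r of expandRole(role)) {
      const via = r === role ? source : `${source} (contained in ${role})`;
      if (!out.has(user)) out.set(user, new Map());
      const roles = out.get(user);
      if (!roles.has(r)) roles.set(r, []);
      roles.get(r).push(via);
    }
  };
  for (const d of directRoles) grant(d.user, d.role, 'direct');
  for (const m of groupMembers) {
    for (const g of groupRoles) {
      if (g.group === m.group) grant(m.user, g.role, `group:${g.group}`);
    }
  }
  return out;
}

// Everyone who effectively holds `role`, with the path that granted it.
function holders(role) {
  const result = {};
  for (const [user, roles] of effectiveRoles()) {
    if (roles.has(role)) result[user] = roles.get(role);
  }
  return result;
}
```

Calling `holders('x_scope.admin')` before and after a group membership change shows which accounts would pick up the elevated role purely through the group.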
07-12-2018 02:05 PM
@Chuck Tomasi,
We created a scoped application for a security team and we've run into some troubles with managing our scoped application admin access. The data within the security application is 'confidential', and therefore we enabled Application Administration for the application since Global System Admins should not have access to the data.
*Side note*: Although we've enabled Application Administration in PROD, within our lower environments, SN administrators are still expected to be able to develop/configure the application, causing a cloning nightmare (maybe you have insight on that :))
My problem is more so around controlling admin access to the application. I gave the scoped application admin role to a particular ServiceNow group who will fulfill tasks in the app. Conceptually, the thought was that anyone who is added to the group gets the admin role. However, as I'm sure you're aware, only application administrators can grant the admin role to others and therefore, our LDAP integration which adds users to groups does not work for this particular group, because when added, the admin role is inherited.
For all users, the scoped application has ACLs that allow read access to records you've opened, but nothing else. So the admins of this app are the users who can see everything, report on everything, etc. The admins are standard ITIL users, with the exception of admin access for this application. They don't have access to the 'roles' module and it appears they don't have the ability to add users to the admin role, meaning no one can grant the admin role in production since global systems admins can't even do this in PROD.
Thank you in advance for reading and I hope you have some insight here!
Best,
-Marques