Removing Admins in Scoped Application Administration
‎11-18-2017 12:26 PM
I'm building a scoped app with Application Administration enabled. Created a scoped application admin role, and delegated it to a non-admin user in the system. Now I'm trying to use the "Remove app administration from admins" UI Action to take away the scoped app admin role from all of the regular admins, but I keep on getting an error from the system saying that doing so would lock everyone out of the scoped application. I'm a little hazy on the user/role requirements for a scoped app where no regular admins can access it. Can anyone explain it to me in layman's terms? I read through the Enable application administration article in the docs site, but it still isn't completely clear to me. Thank you!
Labels: Scoped App Development
‎11-20-2017 06:24 AM
One instance is on Jakarta Patch 2, another on Jakarta Patch 3 (I've tried it on both).
Seems like a silly question, but scoped apps don't require having at least one regular ServiceNow admin to be included in managing the scoped app, right? A way I can work around it, which seems a little funny, is by manually granting the User Role to an admin, using the UI Action to remove the role from all other admins, then manually removing the scoped app User Role from the final admin. Even that still seems to behave strangely since I have access to the Manage Developers UI action even though I'm in the Global scope.

‎11-22-2017 11:40 AM
Hello Brad,
I can look into this further. Follow me back on the community so that I can PM you.
‎07-12-2018 02:18 AM
I have the same issue in my dev instance on the Kingston release.
Here is my investigation:
1) The UI Action "Remove app administration from admins" uses a ScriptInclude ScopedAdministration, function removeScopeAdminRolesFromAdminContains.
2) That function removes some records from the table sys_user_role_contains.
3) A BR (before delete) on table sys_user_role_contains, named "Validate Role Contains", prevents removing records if it finds that no users can then be an application admin. But wait, we definitely have users with that role! Go further.
4) The logic is simple: find all users with the 'admin' role, then find all users with the 'x_app.admin' role, then find users from the second list that are not in the first list (there is only one user in the filtered list, the one for which I set an x_app.admin role manually). So far so good.
5) The next step is to check that the found users are active, have a password and other stuff. Here is the encoded query for the sys_user table:
"active=true^user_password!=NULL^locked_out=false^web_service_access_only=false^internal_integration_user=false^sys_idINusersysid"
And SURPRISE - no users found. WHAT!!??
6) So, obviously this query is wrong, because the user is really there: it is not locked out, has a password, and the checkboxes for 'web service' and 'integration only' are not set. But the query returns zero results. I started to exclude conditions one by one and finally found the issue: the internal_integration_user field is not false. Moreover, it is not true! For some reason this field is NULL (the dictionary says that the default value is false, but it is really NULL in my case).
7) I set this field to true, saved, set it to false, saved again, and voila - the query works as expected, the BR does not prevent deleting the role record, and the UI action 'remove app admin from admins' works!
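
The "exclude conditions one by one" step from the investigation above, as an added example that is not part of the original post and not ServiceNow's own code. It is a plain JavaScript model (runnable in Node, no instance needed) that evaluates the quoted encoded query term by term and reports which field rejects each candidate app admin. Assumptions: the function names and sample rows are constructed, and NULL is modelled so that "field=false" does not match a NULL field, which is the behaviour the post observed.

```javascript
// The encoded query quoted in the post; the sys_id list is appended at run time.
const QUERY = 'active=true^user_password!=NULL^locked_out=false' +
  '^web_service_access_only=false^internal_integration_user=false^sys_idIN';

// Split "a=b^c!=NULL^dINx,y" into {field, op, value} terms.
// Only the three operators used in the quoted query are supported.
function parseEncodedQuery(q) {
  return q.split('^').map((term) => {
    const m = term.match(/^([a-z_]+)(!=|=|IN)(.*)$/);
    if (!m) throw new Error('unsupported term: ' + term);
    return { field: m[1], op: m[2], value: m[3] };
  });
}

// Evaluate one term against one record. null models a database NULL
// (assumption: a NULL field never equals a value, so "=false" skips it).
function matches(rec, { field, op, value }) {
  const v = rec[field];
  if (op === '!=' && value === 'NULL') return v != null && v !== '';
  if (v == null) return false;
  if (op === 'IN') return value.split(',').includes(String(v));
  if (op === '=') return String(v) === value;
  return String(v) !== value; // op is '!='
}

// For each candidate sys_id, list the fields whose terms reject that user.
// An empty list means the user counts as a valid application admin.
function explainRejections(users, candidateIds) {
  const terms = parseEncodedQuery(QUERY + candidateIds.join(','));
  const report = {};
  for (const u of users.filter((x) => candidateIds.includes(x.sys_id))) {
    report[u.sys_id] = terms.filter((t) => !matches(u, t)).map((t) => t.field);
  }
  return report;
}

// Constructed sample rows, not taken from a real instance.
const USERS = [
  { sys_id: 'u1', active: true, user_password: 'hash-placeholder', locked_out: false,
    web_service_access_only: false, internal_integration_user: null },
  { sys_id: 'u2', active: true, user_password: 'hash-placeholder', locked_out: false,
    web_service_access_only: false, internal_integration_user: false },
];

console.log(explainRejections(USERS, ['u1', 'u2']));
```

A user whose report names only internal_integration_user is in the state described in step 6: the stored value is NULL rather than false, so the delegated admin is silently not counted.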