Restrict admins from adding roles

Go to solution
Brian S5
Kilo Sage

‎01-29-2018 11:03 AM

Is there a way role assignment can be restricted to one particular Admin instead of having a group of admin users spread across the globe being able to add ITIL roles without verifying they have purchased those licenses ?

0 Helpfuls
  • 2,171 Views
1 ACCEPTED SOLUTION

Go to solution
Goran WitchDoc
ServiceNow Employee
ServiceNow Employee
In response to Brian S5

‎01-29-2018 01:12 PM

Basically, you shouldn't need to manually add roles, like Itil etc.



How about administration the roles with other tools. Either through group membership and e.g. AD sync. Meaning you add a user to ad-group, that group syncs to servicenow and is populated and roles are assigned to the groups as best practice.



Or perhaps have a catalog item for this, and put in an approval process if needed. Then when approved the workflow could put the user in the group. Manually administration of roles is something you really should try to avoid.


View solution in original post

0 Helpfuls
8 REPLIES 8

Go to solution
Goran WitchDoc
ServiceNow Employee
ServiceNow Employee

‎01-29-2018 11:08 AM

Hi Brian,



This a bit touching the area of "don't try to solve people problem with product". I would rather see this being solved outside of ServiceNow. But if it isn't possible, I would create another role like "allowed to add roles" and then give that role to a those who are allowed to do it, then you will need to make a ACL restricting that those the check for you before inserting a new role.


0 Helpfuls

Go to solution
Brian S5
Kilo Sage
In response to Goran WitchDoc

‎01-29-2018 11:28 AM

yeah its a touchy subject here, which is why i wanted to see if it could be done first before taking another step forward. The problem is that only 1 person is keeping track globally and when others add roles without verifying it has been indeed purchased, creates a mess of trying to stay compliant.



Appreciate the advice, Im already making a list of the "why we shouldnt do this" in SN and do it on a more business based process. Thinking about using the service catalog to create a "If you need a role" request with a workflow, and having only one person in charge of assigning in SN, but wanted to know if role assignment could be delegated to just one person before i did this. Thanks for the quick response.


0 Helpfuls

Go to solution
Allen Andreas
Administrator
Administrator
In response to Brian S5

‎01-29-2018 11:50 AM

Hi Brian,



Yea I agree with Goran, definitely a rough edge there.



The only other thing beyond what he suggested, that I can think of, would be to see if you can't drop down those admins to ITIL, but maybe up some permissions for ITIL?



Probably messy either way, but that could help get the admin back to 'true' sys admin type status.



Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!
0 Helpfuls

Go to solution
adamjgreenberg
ServiceNow Employee
ServiceNow Employee
In response to Brian S5

‎01-29-2018 11:51 AM

Goran is on the money here. You can make different levels of admin (JR v SR) and restrict certain items to the SR Admin only.


0 Helpfuls