Restrict admins from adding roles

Brian S5
Kilo Sage

Is there a way role assignment can be restricted to one particular admin, instead of having a group of admin users spread across the globe being able to add ITIL roles without verifying they have purchased those licenses?

1 ACCEPTED SOLUTION

Basically, you shouldn't need to manually add roles, like Itil etc.



How about administering the roles with other tools? Either through group membership, e.g. AD sync, meaning you add a user to an AD group, that group syncs to ServiceNow and is populated, and roles are assigned to the groups as best practice.



Or perhaps have a catalog item for this, and put in an approval process if needed. Then when approved the workflow could put the user in the group. Manual administration of roles is something you really should try to avoid.




Both of your solutions sound like a much better approach, as well as the other solutions that recommend it shouldn't be the job of SN to restrict roles. I'm interested in the AD groups populating SN role membership. I'm going to do some research into this one and what's needed. I'll mark this as correct, thanks again everyone for all the feedback.


Hi bshaw,

Just wondering what solution you opted for in the end for this.

We are looking to create a custom application that will hold some sensitive information. We know we can create a custom role and then have read ACLs on the fields with the sensitive information, but we then have the challenge of who has permission to grant this custom role.

The information should only be seen by selected users (our normal SN system admins would not be able to see this data), therefore ideally we only want users with the custom role to be able to assign this role to other users - is this possible?

We would make sure the ACLs have 'admin override' marked false, but we would also want admins to then not have the ability to alter this - again is this possible?

Also there is the issue of admins having the ability to impersonate users with these roles - is it possible to restrict this also?

I know we could potentially have notifications setup so if the admin override was changed, or one of the users with the role was impersonated then a notification sent to the relevant people to investigate, but ideally we would want only the authorised people to be able to view the information, with no 'back door' way for someone to access it.

Goran - would also be handy to have your thoughts around this?

Thanks

Sam

Good Morning Sam,

I opted for a simple solution. I just created a notification that fires whenever someone is given a role. The notification tells me who created it, what role was assigned, and who it was assigned to. I then let all other admins know that those who add/remove will be held responsible for who and what they assign. This managed to stop all accidental assignments.

I've also put restrictions in place in our production instance that restrict admins from being able to impersonate HR accounts, so restricting impersonations is possible.
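Both what the original question asked for (only an authorised admin may grant a licensed role, and only while seats remain) and what Brian ended up with (an audit notification on every grant) fit in one "before insert" business rule on sys_user_has_role. The block below is an added example, not code from this thread or from ServiceNow: the decision logic is plain JavaScript that runs in Node, the group names, licence counts and event name are constructed placeholders, and the platform wiring (`current`, `gs`) is shown only in comments because those objects exist solely inside a business rule.

```javascript
// Added example, not from the thread or from ServiceNow.
// Decision logic for a "before insert" business rule on sys_user_has_role:
// a restricted role may only be granted by a member of an authorised group,
// and only while licensed seats remain. Every decision yields one audit line,
// which is what a role-assignment notification would carry.

// Constructed policy: restricted role -> groups allowed to grant it.
// Group names are hypothetical placeholders.
const GRANT_POLICY = {
  itil: ['Licence Admins'],
  hr_admin: ['HR Role Owners'],
};

// Constructed licence ledger: seats purchased versus seats already assigned.
const LICENCE_SEATS = {
  itil: { purchased: 50, assigned: 48 },
  hr_admin: { purchased: 5, assigned: 5 },
};

/**
 * Decide whether `granter` may give `roleName` to `targetUser`.
 * Returns { allowed, reason } so the caller can abort the insert and
 * explain why; nothing here touches the database.
 */
function evaluateRoleGrant(roleName, granter, targetUser,
  policy = GRANT_POLICY, seats = LICENCE_SEATS) {
  const allowedGroups = policy[roleName];
  if (!allowedGroups) {
    return { allowed: true, reason: 'role is not restricted' };
  }
  // Authorisation first: an unauthorised admin is blocked regardless of seats.
  const authorised = granter.groups.some((g) => allowedGroups.includes(g));
  if (!authorised) {
    return { allowed: false,
      reason: `${granter.name} is not in a group permitted to grant ${roleName}` };
  }
  // Then the licence check the question asked about.
  const pool = seats[roleName];
  if (pool && pool.assigned >= pool.purchased) {
    return { allowed: false,
      reason: `no licensed seats left for ${roleName} (${pool.assigned}/${pool.purchased} used)` };
  }
  return { allowed: true, reason: `${granter.name} is authorised and a seat is available` };
}

/** Build the audit line: who granted what to whom, and whether it went through. */
function auditLine(roleName, granter, targetUser, decision) {
  const outcome = decision.allowed ? 'GRANTED' : 'BLOCKED';
  return `${outcome} role=${roleName} to=${targetUser} by=${granter.name}: ${decision.reason}`;
}

// Wiring inside the platform (comment only, because `current` and `gs` exist
// only in a ServiceNow business rule, not in Node). The event name is hypothetical.
//   var granter = { name: gs.getUserName(),
//                   groups: /* the policy group names for which gs.getUser().isMemberOf(name) is true */ };
//   var decision = evaluateRoleGrant(current.role.name.toString(), granter,
//                                    current.user.user_name.toString());
//   gs.eventQueue('x.role.grant.audited', current,
//                 auditLine(current.role.name.toString(), granter,
//                           current.user.user_name.toString(), decision), '');
//   if (!decision.allowed) { gs.addErrorMessage(decision.reason); current.setAbortAction(true); }

// Constructed sample run: one unauthorised grant, one authorised grant,
// one authorised grant that fails on an exhausted licence pool.
function demo() {
  const desk = { name: 'desk.admin', groups: ['Service Desk'] };
  const owner = { name: 'licence.owner', groups: ['Licence Admins'] };
  const hr = { name: 'hr.lead', groups: ['HR Role Owners'] };
  return [
    auditLine('itil', desk, 'alice', evaluateRoleGrant('itil', desk, 'alice')),
    auditLine('itil', owner, 'alice', evaluateRoleGrant('itil', owner, 'alice')),
    auditLine('hr_admin', hr, 'bob', evaluateRoleGrant('hr_admin', hr, 'bob')),
  ];
}

demo().forEach((line) => console.log(line));
```

The rule emits the audit event for blocked attempts as well as successful grants, so the notification Brian describes also surfaces admins who tried to assign a role they are not allowed to. Impersonation restrictions are a separate control and are not covered by this rule.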