Restricting application access for admin users
‎09-24-2019 07:06 AM
Hi,
We are trying to implement the following condition in our instance.
We have an application XYZ which is accessible to a certain group of users in the client organization. We have created assignment groups and have provided appropriate roles to them. This is working fine.
Right now we have a requirement that this application should not be accessible to some members with the Admin role (due to data classification).
We have 3 Admins in the system, out of which only one should be able to access this application (XYZ). The other Admins should not be able to access this application (XYZ); they should not have read or write access.
I have tried some solutions mentioned in the Community, but it's not working.
Labels: Best Practices
‎09-24-2019 07:12 AM
Several things that you will need to set up:
- When creating a new app a user role is automatically created; you will need to create an additional admin role and associate all the advanced capabilities like delete ACLs, etc. to this admin role rather than the user role.
- In ACLs there is an "admin overrides" attribute. This will need to be set to false for all ACLs in your custom application. This will ensure that normal admins don't override these ACLs and gain CRUD (create, read, update/write, and delete) access.
- Make sure the navigation menu items are associated to your user/admin role so they don't see them in the application navigator.
- Admins obviously have to elevate their privileges to security_admin to modify ACLs; make sure you log when users do that so you have traceability.
- As a process matter, I would advise that admins be general users in your production instance, and create a request process to gain the admin role/activate their admin user only when needed.
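To make the "admin overrides" point concrete, here is a small constructed model of how a table ACL decision changes with that flag. This is an added example, not code from the thread or from ServiceNow's own ACL engine: the table name `x_xyz_record`, the roles `x_xyz.user` and `x_xyz.admin`, the three admin accounts and the simplified evaluation rule are all assumptions made for the illustration. The last function models the caveat from the thread that hardening the app's own ACLs does not help if an admin can still write to the role-assignment table and grant themselves `x_xyz.admin`.

```javascript
// Added illustration: simplified model of a ServiceNow-style table ACL check.
// NOT the platform's engine; table/role names and the rule shape are assumptions.

const ADMIN_ROLE = "admin";

// Constructed ACLs for the hypothetical scoped table x_xyz_record.
// Any listed role grants the operation; when adminOverrides is true the
// "admin" role passes regardless of the listed roles.
function makeAppAcls(adminOverrides) {
  return [
    { table: "x_xyz_record", operation: "read",   roles: ["x_xyz.user", "x_xyz.admin"], adminOverrides },
    { table: "x_xyz_record", operation: "write",  roles: ["x_xyz.user", "x_xyz.admin"], adminOverrides },
    { table: "x_xyz_record", operation: "create", roles: ["x_xyz.admin"], adminOverrides },
    { table: "x_xyz_record", operation: "delete", roles: ["x_xyz.admin"], adminOverrides },
  ];
}

// Evaluate one operation on one table for one user. No matching ACL means deny
// (an assumption of this model, chosen to be fail-closed).
function isAllowed(acls, user, table, operation) {
  const acl = acls.find(a => a.table === table && a.operation === operation);
  if (!acl) return false;
  if (acl.adminOverrides && user.roles.includes(ADMIN_ROLE)) return true; // admin bypass
  return acl.roles.some(r => user.roles.includes(r));
}

// Constructed users: three system admins, only admin1 holds the app admin role.
const users = {
  admin1:  { name: "admin1",  roles: ["admin", "x_xyz.admin"] },
  admin2:  { name: "admin2",  roles: ["admin"] },
  admin3:  { name: "admin3",  roles: ["admin"] },
  analyst: { name: "analyst", roles: ["x_xyz.user"] },
};

// Which CRUD operations each user gets on x_xyz_record under a given flag value.
function accessMatrix(adminOverrides) {
  const acls = makeAppAcls(adminOverrides);
  const ops = ["create", "read", "write", "delete"];
  const out = {};
  for (const u of Object.values(users)) {
    out[u.name] = ops.filter(op => isAllowed(acls, u, "x_xyz_record", op));
  }
  return out;
}

// The requirement from the thread: of the admins, only admin1 may touch the table.
function meetsRequirement(adminOverrides) {
  const m = accessMatrix(adminOverrides);
  return m.admin1.length === 4 && m.admin2.length === 0 && m.admin3.length === 0;
}

// Caveat: a constructed ACL on the role-assignment table. If it still has
// admin overrides on, any admin can grant themselves x_xyz.admin and the
// hardened app ACLs above no longer hold. Both flags are inputs to the model.
function canSelfGrantAppRole(user, roleTableAdminOverrides) {
  const roleAcls = [
    { table: "sys_user_has_role", operation: "create", roles: ["x_xyz.admin"], adminOverrides: roleTableAdminOverrides },
  ];
  return isAllowed(roleAcls, user, "sys_user_has_role", "create");
}

console.log("admin overrides = true :", accessMatrix(true),  meetsRequirement(true));
console.log("admin overrides = false:", accessMatrix(false), meetsRequirement(false));
console.log("admin2 can self-grant x_xyz.admin while role table overrides on:",
  canSelfGrantAppRole(users.admin2, true));
```

Running it shows the two admins without `x_xyz.admin` getting full CRUD while the flag is true and nothing once it is false, and that the restriction only survives if the role-assignment path is closed as well, which is why the thread also recommends logging elevation to security_admin and handing out the admin role only on request.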

‎09-24-2019 07:15 AM
If the admin role you are talking about is the default system administrator role in ServiceNow, then that role is often unstoppable as it automatically acquires the rights it needs to access anything in the instance or the user can assign themselves the roles they need. If you need to restrict access to an app, you might be better off assigning more specific roles to the two users you need to restrict such that they effectively have as many of the high-level roles as they need in your instance except the one that would allow them to access the XYZ application. To do this, create a group, add roles to the group and add the two users to that group.