When using elevated privilege on the admin role, why is it not supported and what kind of unexpected behavior could it cause?

Donal
Tera Contributor

Hi Folks,

My team would like to mark the admin role as Elevated Privilege in all instances especially DEV. This would force admin users to elevate when they start a new session and require admin functionality.

https://docs.servicenow.com/bundle/sandiego-platform-administration/page/administer/security/concept/c_ElevatedPrivilege.html

The above document states: Warning: The use of elevated privilege on the admin role is not supported and may cause unexpected behavior.

Does anyone know why this is not supported?
Does anyone know what kind of unexpected behaviour it may cause?

Thanks so much

Donal


Community Alums
Not applicable

Hi @Donal ,

The security_admin role is a privileged role that is assigned to the default System Administrator (admin) user.

However, to use this role you must elevate to security_admin by doing the following each time you want to use it:

Next Experience UI
  1. In the banner frame, click your image or initials.
  2. Select Elevate Roles.

UI16
  1. In the banner frame, click your user name.
  2. Select Elevate Roles.

A dialog box appears. Then click OK.


You can also refer to this KB: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0725837


Mark my answer correct & Helpful, if Applicable.

Thanks,

Sandeep

Hi Sandeep,

Your response was not helpful I'm afraid. There are two questions in my original post that were not addressed:

Does anyone know why this is not supported?

Does anyone know what kind of unexpected behaviour it may cause?

Regards,

Donal


Donal
Tera Contributor

For anyone who would like an explanation on why using the elevated privilege on the admin role is risky, here's a response from a Technical Support Engineer that I received today:

Can you explain why this is not supported?


The reason for this is that there are processes such as scheduled jobs that are run as System Administrator and that require admin role functions specifically. If the admin role is marked as elevated privilege, then these processes cannot proceed, as the system does not automatically elevate to it.
There are also a lot of checks in the backend code that check for admin permission. If this is marked as elevated privilege, these checks would fail, as the system will not bypass the manual elevated privilege. This will be going against the design and could be a loophole.

Can you also explain what kind of unexpected behaviour it may cause?


An example would be a scheduled job that was set up to Run As an admin. If the admin role is marked elevated privilege, then the scheduled job will fail to run, as it doesn't have the proper permission to do what it needs to, since it will not automatically elevate the privilege.
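To make the support engineer's explanation concrete, here is an added example (not ServiceNow's code, and not from the original post): a simplified model of how an elevated-privilege role is gated per session. The role names come from the thread; the session and elevation mechanics, and the function names, are assumptions for illustration.

```javascript
// Added example, not ServiceNow code: a simplified model of how an
// elevated-privilege role is gated per session. Role names come from the
// thread; the session/elevation mechanics are assumptions for illustration.
// Role catalogue; security_admin is elevated by default, admin normally is not.
function makeRoles(adminElevated) {
  return {
    admin: { elevated_privilege: adminElevated },
    security_admin: { elevated_privilege: true },
  };
}
// A session carries the user's granted roles plus the elevated roles
// activated during this session (empty until "Elevate Roles" is used).
function newSession(user, interactive) {
  return { user, interactive, activeElevated: new Set() };
}

// Model of a backend role check such as gs.hasRole(): a role flagged as
// elevated privilege only counts once it has been activated in the session.
function hasRole(roles, session, roleName) {
  if (!session.user.roles.includes(roleName)) return false;
  if (roles[roleName].elevated_privilege) return session.activeElevated.has(roleName);
  return true;
}

// Elevation is a manual step taken by an interactive user; background
// contexts (scheduled jobs) never perform it, so they stay non-elevated.
function elevate(roles, session, roleName) {
  if (!session.interactive) return false;
  if (!session.user.roles.includes(roleName)) return false;
  if (!roles[roleName].elevated_privilege) return false;
  session.activeElevated.add(roleName);
  return true;
}

const ADMIN_USER = { name: 'admin', roles: ['admin', 'security_admin'] };
// A scheduled job set to "Run as" admin: same user, non-interactive session;
// returns whether it passes an admin permission check.
function scheduledJobPassesAdminCheck(adminElevated) {
  const roles = makeRoles(adminElevated);
  return hasRole(roles, newSession(ADMIN_USER, false), 'admin');
}

// An interactive admin can still elevate and pass the same check.
function interactiveAdminPassesAfterElevate(adminElevated) {
  const roles = makeRoles(adminElevated);
  const session = newSession(ADMIN_USER, true);
  elevate(roles, session, 'admin');
  return hasRole(roles, session, 'admin');
}
```

With the default catalogue the job passes the admin check; once admin is flagged as elevated privilege the same job fails it while an interactive session that elevates still passes, which is the failure mode the engineer describes.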

RKH
Tera Contributor

Hi Donal,


Did you find any alternate solution to leverage the "elevated privilege" on the admin role? We have the same requirement and, reading this, understood there could be more impact on OOB jobs and backend functions. How did you resolve or implement it at your end?