Azure pipeline extension service account not able to see change templates unless given Admin role

YCC · ‎09-25-2024

Hi Community,

I have a question regarding the Azure Pipeline Extension. The service account is not able to see the standard change templates in ADO unless it is given the Admin Role

I have tried to give the service account other roles in accordance with these reference documents. They have all been unsuccessful.

https://docs.servicenow.com/bundle/xanadu-it-service-management/page/product/change-management/task/...

https://docs.servicenow.com/bundle/xanadu-application-development/page/build/app-engine-studio/task/...

https://docs.servicenow.com/bundle/xanadu-it-service-management/page/product/change-management/task/...

Any helpful hints/tips/tricks/comments would be greatly appreciated.

Thank you

ersureshbe · ‎10-05-2024

Hi,

I have encountered a similar issue during the implementation process on my side. It is essential to have the Project Admin role initially; however, it should not be utilized for an extended period. Initially, this role is necessary, but subsequently, it is advisable to reduce the privileges and request access to a sub-admin role or an equivalent position.

If there are any objections to sharing the 'Project Admin' role, it is recommended to create a ticket in the system - Hi Ticket. Collaborate with the ServiceNow team to facilitate communication with the DevOps Tool team in order to obtain the required access.

Regards,
Suresh.

YCC · ‎10-06-2024

Found the solution:

1. The service account must have one of these roles (not all):

* itil (with admin overrides)
* sn_devops.integration
* sn_devops.app_owner
* sn_devops.tool_owner
* sn_change_write

Note: For many admins they can stop at step one. For myself, the service account had sn_change_write but still did not work as documented

2. Check which role is used to read/write to access table sys_template

For me there was a custom ACL that was blocking