Trying to use Out Of Box Credential_admin but it doesn't seem to provide the needed access
‎10-18-2017 04:11 AM
We want to grant someone access to create and update credentials, but really none of the other capabilities. May in fact apply a script to the ACL later, but that is something different altogether. Basically I want user to have access to the Credentials module of the Discovery Applications Menu and the ability to update the credentials table.
To test behavior, I create a test user and assign him the credential_admin role (I best practices about roles and groups but bear with me). The out of the box definitions are:
System Definitions->Applications Menus->Discovery, the roles are restricted to:
discovery_admin, pd_admin, pd_mid, pd_user, credential_admin
There are no roles for the Module Credential.
ACLs for all of the discovery_credentials:
- write: credential_admin, discovery_admin
- read: credential_admin, discovery_admin, mid_server
- create: credential_admin, discovery_admin
- delete: credential_admin, discovery_admin

and then for discovery_credentials.*: credential_admin, discovery_admin, mid_server
They all have admin override enabled, and are all active.
When the testuser logs in they see the Discovery Application Menu and credentials module and can navigate there. But when the test user tries to create or update a credential all the fields are non-writable.
Tried giving the user discovery_admin as well. Same problem.
Am I missing something here?
‎09-13-2018 07:36 AM
Hi Duane,
OOB I believe it's only admin who has the right to update/create credentials. I haven't dug into the ACLs for this, but I'm almost sure it will require some customization in the ACLs so that it works the way you're intending it.
Your question prompted me to look for the documentation related to this topic and it does appear that the required role is admin.
Thanks,
Berny
source: https://docs.servicenow.com/bundle/jakarta-servicenow-platform/page/product/discovery/task/t_CreateCredential.html
the following text is from the above link:
Discovery, Service Mapping, Cloud Management, and Orchestration require credentials to access hardware and software on your network.
Before you begin
Procedure
- Navigate to one of these modules:
  - Discovery > Credentials
  - Service Mapping > Credentials
  - Orchestration > Credentials
- Click New.
- On the Credentials page, click a link for the credential type and complete the form.
- Click Submit.
‎09-13-2018 07:41 AM
I did ACLs and roles and made it work. We can't give admin to people who simply own a credential and cannot share the actual password with me.
‎09-13-2018 03:46 PM
Yep. I totally understand. What we do with most customers is that they have a process where the person who owns the credential enters it into ServiceNow during a short 1:1 meeting with one of the ServiceNow admins.
Thanks,
Berny