Email notification on local admin login

Go to solution
ServiceNow Use6
Tera Guru

‎05-03-2022 12:37 AM

Hi,

As a System Administrator, I need an email notification set up to send an alert when a local admin login occurs in the production environment to ensure that this account is not used unless absolutely necessary for security purposes. How can I achieve this? Kindly help.

Regards

Suman P.

Labels:
0 Helpfuls
  • 2,261 Views
1 ACCEPTED SOLUTION

Go to solution
Michael de Boer
Giga Guru
In response to ServiceNow Use6

‎05-03-2022 07:18 AM

It's a user option.
Users with the admin role can enable this option in production for their own account to receive the notification.

Regards,

Michael

Regards,
Michael

Please mark the suggestion as helpful/like, if you find it useful to you or others who wants to refer similar content.
Please mark the solution as correct, if the answer provided has resolved your query.

View solution in original post

8 REPLIES 8

Go to solution
ServiceNow Use6
Tera Guru
In response to Michael de Boer

‎05-03-2022 01:20 AM

Hi @Michael de Boer ,

Thank you so much. Here, the question is about production environment. How can I use it for production environment.

Regards

Suman P.

0 Helpfuls

Go to solution
Michael de Boer
Giga Guru
In response to ServiceNow Use6

‎05-03-2022 07:18 AM

It's a user option.
Users with the admin role can enable this option in production for their own account to receive the notification.

Regards,

Michael

Regards,
Michael

Please mark the suggestion as helpful/like, if you find it useful to you or others who wants to refer similar content.
Please mark the solution as correct, if the answer provided has resolved your query.

Go to solution
now developer
Tera Contributor
In response to Michael de Boer

‎06-17-2024 04:18 AM

Hello Mike,

 

I am unable to see these notifications on Vancouver. Can you please help me navigate these notifications.

 

Thanks

0 Helpfuls

Go to solution
ankitbeura1
Kilo Contributor

4 weeks ago

Hi ServiceNow Enthusiast,

I’m not sure if this helps directly, but I’ve found a practical solution to monitor break-glass access in your production instance:

 

Step 1: Observe the sys_user_login_history table in your production instance. This table logs all user login activity.

 

ankitbeura1_1-1760639435203.png

 

Step 2: Look for the field called Privileged User. This field is automatically set to true if the user has any of the following roles:

  • admin
  • security_admin
  • itil_admin

These roles are considered privileged and may indicate break-glass access when used outside standard authentication methods.

 

Step 3: Set up a notification that triggers when a login occurs with Privileged User = true.

 

ankitbeura1_2-1760639542824.png

 

 

ankitbeura1_3-1760639585217.png

 

This will help your security team investigate and confirm whether the access was authorized and aligned with your break-glass policy.

 

Regards,

Ankit

 

 

 

0 Helpfuls